Brought to you by Sophos
The Internet of Things (IoT) is rapidly expanding its universe by giving objects and devices the ability to connect and transfer data automatically over a network.
From home thermostats, smart TVs to baby monitors and kettles, the possibility of adding devices to the network seems infinite. How much attention was given to security on these everyday objects, however, remains a burning question.
IoT can be both a blessing and a curse in most cases. A webcam that is set up to provide surveillance at home can be breached by cyber criminals and used by them to watch out for users, instead of the other way round.
What about a doorbell that gives you automatic activation and notification on your mobile phone, and a CCTV camera and intercom to talk to when there is someone at the door, even if you are miles away? What could possibly go wrong?
Well, it can serve as an IoT bait for attackers to sniff out passwords or keys to unsecured Wi-Fi networks. The possibility of breaching these interconnected devices can seem infinite as well, unfortunately, according to Chester Wisniewski, principal research scientist at cyber security firm Sophos.
Security should be treated as a first-class problem for any connected device, says the keynote speaker at the upcoming Cloud Expo Asia 2016 in Singapore on October 12, in this month’s Q&A.
Q: Will a connected kettle of a fridge really pose a threat to our home networks in future? Do they need software patches in future to prevent malware attacks?
A: These devices certainly can cause trouble, often in unimaginable ways. One risk is certainly to your home’s network, but these devices can be commandeered by criminals to attack others as well.
Many of these devices are able to be tricked into disclosing your Wi-Fi passwords, enabling microphones and video cameras to remotely monitor you and other privacy impacting activities.
Anything that has network connectivity via Wi-Fi, Ethernet or mobile data will need to be actively maintained and receive updates to be secure.
The difficult part is that many of the companies producing IoT devices are competing on price and are not releasing fixes, even after vulnerabilities have been made publicly available.
Q: How much of the worry about IoT security is down to fear, uncertainty and doubt, and how much of it is well-placed?
A: There is no shortage of companies trying to take advantage of the insecurity of IoT, but that shouldn’t convince us that there isn’t a problem.
We have been working to secure general-purpose operating systems for more than 30 years, and yet we still require frequent fixes.
It is no surprise that these low-cost computers that also control our lights, climate and fire safety are hackable.
The issue for most people is usually “Who would want to control my lights?” or “Why would someone change the temperature in my home?”. These questions make sense, but you must understand that this isn’t just about your lights, this is a powerful computer that can be used to monitor or steal your information.
Q: Will it be too expensive and cumbersome to secure supposedly low-cost, low-power devices in a smart nation rollout, for example?
A: A massive rollout of smart devices can be managed well, but it will take significant upfront planning.
Governments and regulatory agencies can demand that vendors meet basic security requirements to participate in large-scale technology deployments.
No product will be perfectly secure, but requiring that products be updatable or open source can go a long way to addressing problems as they are discovered.
Q: When Wi-Fi was first out, vendors also rushed to market without security in mind. Should we expect IoT to be deployed first, secured later?
A: That has already happened. Now we need to figure out how to phase out the millions of insecure devices that can’t be fixed.
Wi-Fi was easier as we moved to newer, faster and better technology that naturally moved the old insecure standards to the junkyard. With smart lights and other IoT devices, there isn’t necessarily any reason to move on. There is less of a natural obsolescence.
An LED light has a 20-year lifespan. How do we convince consumers to buy a new one that is more secure? What do we do about the products that are abandoned by companies no longer in business?
These are the questions we need to be constantly asking ourselves in order for us to keep staying within the safety zone.
Catch the action at the Sophos booth at the Cloud Expo Asia 2016 show in Singapore.