It’s mid-December and many are readying themselves for the holidays and New Year. With this preparation comes a look forward at what 2016 will have in store for their family or company. While I look forward with the same anticipation, I also contemplate the future of the information security space and the problem that is arising in securing the infrastructure of residences and organizations across the country.
IoT Deployment Growth
As we move into 2016, more IoT components will be visible in devices such as watches, home electronics, automobiles, and buildings. As the chart in Figure 1 shows, there are already 10 billion IoT devices deployed, with growth escalating into 2017 and projected to continue.
According to a new International Data Corporation (IDC) Spending Guide, “worldwide spending on the Internet of Things (IoT) will grow at a 17.0% compound annual growth rate (CAGR) from $698.6 billion in 2015 to nearly $1.3 trillion in 2019.” Given this and other similar predictions, it will eventually become almost impossible to buy any type of electronic device that will not have IoT aspects built into it, even a child’s toy.
Insecure from the Start?
What many consumers and businesses do not realize is that the majority of IoT devices are sold using a default username and password (or with no username and password at all) that cannot be changed as the information is hard-coded into the firmware of the device. As a result, if a hacker finds a vulnerability in a particular device, there is a high likelihood that other like devices are vulnerable to the same newly discovered attack. Unfortunately, these devices do not provide the capability for consumers or businesses to alter their settings and change the username and/or password so that each device becomes unique, much like you would see with a wireless access point after it has been properly configured and deployed. Even this seemingly trivial alteration of the device would work to reduce the overall attack surface and provide protection to other interconnected systems.
Why Change Isn’t Happening
The problem with changing the username and/or password is that many manufacturers are reluctant to allow the consumer (whether a person or business) to change settings within the device, for fear that the device will become unusable or that the consumer will gain greater access into the system than the manufacturing company is comfortable with. There is also the fact that many of these same manufacturers have copyright or Digital Rights Management (DRM) protections which prevent the owner of the device from changing settings unless they want to become involved in some type of legal row.
Oh, and Your IoT Device Is Talking About You
The other issue associated with IoT devices is the amount of data that they share about the “user”. This could range from a thermostat that shares how you manage the temperature of your business offices to a refrigerator that shares what you need to buy from the grocery store. Looked at individually, the amount of data that is shared is small; however, the more devices in use by the household or business, the more data is shared with disparate sources. All of this data sharing allows organizations or, even worse, individuals with nefarious intent, to build a profile of you or your company that could potentially be used in some type of identity theft or hacking event.
So, assuming you decide to purchase a device that has IoT components included, how do you protect yourself from becoming another statistic? Simply put, the best way to protect yourself, whether the device is for your home or your business, is to be an informed consumer and look at the risk versus reward of having a system with IoT properties.
Ask or research questions like…
- Has the manufacturer “hardened” the device to make it more secure?
- Can you change the default username and/or password on the device?
- What other systems will the device communicate with on your network?
- Will the device share information with the manufacturer that you would like to, or must, keep confidential?
In short, just like you would research any new product you’re looking to purchase, from a car to a new firewall, make sure that you understand how the system will perform and whether you can tolerate how it will operate once it is deployed into your home or office.
Internet of Things Market Statistics – 2015
Who Will Own the Internet of Things? (Hint: Not the Users)
7 Reasons Why the Internet of Things Is Doomed
Internet of Things Spending Forecast to Reach Nearly $1.3 Trillion in 2019