Robots put the spotlight on IoT security

The recent hack of a teleoperated surgical robot, controlled remotely by a human, highlights the worrying security vulnerabilities that advanced technologies in the world of the Internet of Things (IoT) open up.

The hack was carried out by the University of Washington to show that, despite the many benefits remote-controlled surgical robots bring - particularly in remote environments, emergency response and war zones, for example - they can be very easily taken over by dangerous and destructive forces.

The hack shows how communication between the surgeon and the robot can be maliciously interrupted. It is a frightening thought that the so-called ‘E-stop’ or emergency stop mechanism can be overridden by hackers. The ‘E-stop’ immediately stops the robot if it gets an order from the remote surgeon it doesn’t understand. Overruling the ‘E-stop’ could put lives in grave danger during a remote procedure.

Safety by design
The researchers made hijacking the surgical robot look so easy. It starts to raise questions about how secure our connected ecosystem is. Last month, for example, hosting service OVH was hit by the single largest DDoS attack ever recorded. More than 150,000 connected devices, including cameras and DVRs, were taken over, choking OVH with one terabyte of information per second. A second attack, this time on Dyn’s DNS service, also used compromised Internet of Things (IoT) devices, disrupting consumer sites including Twitter and Sony’s PlayStation network.

These will not be the last attacks of their kind that we will see. Others will come, bigger and more sophisticated. We need to use encryption, authentication and other technologies to bolster defenses in this cyber war. But there will be some IoT manufacturers who see security as a pain point - a long, complicated and expensive process that stands in the way of innovation.

This is becoming a big problem. Orange Business has carried out penetration testing on a host of different devices, such as smart monitors and meters, and found that in the majority of them the passwords are not encrypted, so anyone can read the data in the memory.

Safety has got to be at the heart of every project if we are to nurture trust in IoT.  Cybersecurity needs to be seen not as a disruptor, but as contributing value to innovation. 

Focus on data
IoT devices can generate a lot of sensitive data – such as a person’s biometric ID or health records. A secure IoT means securing this data when it is “at rest” in the device and “in motion” over networks to the cloud (again, “at rest”). Every part of this journey is vulnerable to attack.

In addition, enterprises should not underestimate human error when it comes to securing data. This should be on the security planning agenda, which should also include employee security awareness training. Such programs help to keep the enterprise’s security policy up front in people’s minds. They also act as an update on threats coming down the pipeline, which will increase the more connected we get.

Security by design
This is what we need to do. We need to design software and hardware from the ground up to be secure. We then need to motivate developers, designers, infrastructure architects and project managers to take this on board. 

It is possible to develop rapid and relatively reliable solutions by using a security by design approach that will not hobble the product’s time-to-market schedule. Why do I use the word relatively? Because we never talk about 100 per cent reliability when it comes to cybersecurity.

Early this year, Orange Business transferred its security talent to Orange Cyberdefense, which has a key focus on IoT. We recognize that the challenge isn’t just about securing IoT objects and data, it is also about changing the mindset of the people that security touches, from product inception to deployment and beyond. That’s why an important part of our work will be educational - providing training in security by design and putting specialists out in the field at the early stages of product development.

We saw more than 150,000 IoT devices involved in the OVH hack.  In the not too distant future, we will have twenty-five billion devices connected to the internet, as IoT becomes an important part of our lives.  There has to be a digital transformation of security, as in other business models, and proper security guards must be put in place.  To sum it up, security in IoT has got to be mandatory.


Glenn Le Santo

Editor in Chief, International, at Orange Business. I'm in charge of our International website and the English language blogs at Orange Business. In my spare time I'm literally captain of my own ship, spending my time on the wonderful rivers and canals of England.