Hacked cars just the beginning of IoT security threats
The Internet of Things (IoT) has moved beyond the hype cycle. Gartner estimates that this year, there will be 6.4 billion connected things, with 5.5 million new things being connected every day. The scale and speed of adoption of wearables, smart home appliances and connected cars is staggering. And very lucrative. Gartner estimates that total services spending will amount to $235 billion this year.
The flipside is that IoT offers hackers a lot more devices and places to attack.
How will IoT change the way hackers attack?
With more enterprises buying into the IoT and consumers adding more and more devices to the network, more valuable data will by default be traveling over the network.
2015 saw whole new ways of attacking newly-connected devices. For example, the connected car is one of the IoT’s flagship initiatives, with Gartner predicting a quarter of a billion connected vehicles by 2020. However, in 2015 two security researchers conducted a test to see if they could remotely hack into an SUV driving at 70mph – they did, successfully, taking control of the car’s air conditioning, stereo, transmission and even brakes. A concerning prospect.
In terms of corporate and personal data, in 2016 and beyond it looks likely that IoT attackers will continue to go after hacks using computing infrastructure. This method allows them to hide behind legitimate network resources and remain hard to detect. Wearable devices are big targets here, and can be hacked into using social engineering tactics, often mimicking device log-in screens, to gather user credentials and passwords and con the user into installing malware on the device.
Mobiles – that is, phones and tablets – are set to remain the biggest target for hacking and security breaches, though. They are the most common data collection points on the network: most people now store a fair degree of personal information on their smartphones or tablets, and many devices are also taken into the workplace, where they access the corporate network – whether under a strong bring your own device (BYOD) policy or not – and carry plenty of sensitive corporate data too. And of course the attackers know this.
Similarly, smart city initiatives offer great benefits to consumers and companies in terms of agility, flexibility and efficiency, but networking a city’s critical infrastructure carries the same IoT threats. Connecting up a power grid to the internet makes it a target for attacks too, and attackers are already attempting to insert malware into power grid systems around the world – the chaotic results from a successful attack are only too easy to imagine. As the IoT becomes increasingly prevalent in everyday life, attacks on enterprises through it are likely to increase significantly. Gartner estimates that by 2020 more than 25 per cent of identified attacks on enterprises will involve IoT – yet IoT will account for under 10 per cent of IT security budgets. So the threat and the warning are certainly there.
How to mitigate new threats
As ever with IT security, constant vigilance and forward planning are at the heart of a best practice approach to staying on top of threats – only the techniques change, not the philosophy.
Because data is constantly in motion in the IoT, traveling through multiple networks and different data centers, that philosophy has to center around securing data when it is on its journey – not just when it has reached the device. Mobile devices themselves also move from network to network, entering networked environments on an ad hoc basis, so it is important that this data is secured at all times. So having secure interfaces in place is vital to keeping data as safe as possible.
Another potential technique which may become prevalent is machine learning. This helps with prediction of security threats, possibly overtaking prevention as the best method of keeping attacks to a minimum. Pre-empting areas where hackers may attempt attacks can help organizations keep data and systems safer.
In terms of forward planning, if your IT and business strategies are likely to include IoT, you will need to focus on security. By 2020, more than half of major new business processes and systems will incorporate some element of the IoT. And at the same time, IDC predicts that by 2018, 66 percent of networks will have had an IoT security breach and that by 2020, 10 percent of all cyberattacks will target IoT systems. Threat modelling techniques can identify and track potential threats and areas of possible risk based on existing device authentication methods and prevent attacks before they have a chance to happen.
Focus on the devices, not just the network
Though it has been named the ‘Internet of Things’, ultimately it is about connected machines. The sheer proliferation of devices should mean organizations put in place identity assurance requirements for each device, based on the type of application, the sensitivity of the data it accesses or manages and how likely it is to be a point of unauthorized access, or hack. Metrics and analytics can help define levels of authentication strength and assurance requirements to make each specific device as secure as possible.
Mutual authentication techniques, where both parties involved in any communication authenticate to each other, will be useful where the data is more sensitive. These methods of discovery, provisioning, authentication and data protection, according to Gartner, will account for half of all IoT security spend through to 2020.
The IoT is very much here to stay. With all of these devices linked up and carrying so much sensitive data, the race is now on to make sure organizations have the appropriate security mechanisms in place for the network of tomorrow.