Internet of Things: an open door to cyber criminals?
Written by Peter Walker
A lack of warnings from manufacturers, risk control from companies and oversight from the government is creating a cyber security nightmare around devices connected to the Internet of Things (IoT), according to one expert.
A recent Trustwave survey showed 64 per cent of organisations have deployed some level of IoT technology, with another 20 per cent planning to do so within the next 12 months. The proliferation of such connected devices worries Ian Kilpatrick, executive vice president for cyber security at Nuvias Group.
“This is an astonishing fact when you consider the lack of basic security on these devices, or any established security standards,” he commented. “The influx of connected devices onto a company’s network literally creates tens, or even hundreds of new unsecured entry points for cybercriminals, but many companies are turning a blind eye to this, swayed by the potential benefits that IoT can bring their business.”
In March, the UK government published a report advocating a “fundamental shift in approach”, moving the burden away from consumers having to secure their devices and instead ensuring strong security is built into consumer IoT products by design.
Recommendations included ensuring that IoT devices do not contain default passwords; defining and implementing vulnerability disclosure policy; ensuring software for devices is regularly updated; and a proposal for a voluntary labelling scheme.
The central proposal was a draft Code of Practice aimed primarily at manufacturers of IoT products and associated services, intended to stimulate dialogue with industry, international partners and academic institutions. However, Kilpatrick pointed out this government action stopped short from any actual requirements on manufacturers to build in security measures or provide warnings to consumers and companies.
“Any device or sensor with an IP address connected to a corporate network is an entry point for hackers and other cybercriminals,” he explained. “Of particular concern is that many IoT devices are not designed to be secured or updated after deployment, meaning any vulnerabilities discovered post-deployment cannot be protected against in the device.”
Kilpatrick continued that IT professionals are more used to securing computers and other devices, but they will now be expected to become experts in things like smart lighting, heating and air conditioning systems.
“It’s crazy to think that devices with the potential to enable so much damage to homes, businesses and even entire cities often lack basic security design, implementation and testing - because device manufacturers are pushing through their products to get them to market as quickly as possible and cash in on the current buzz around IoT,” he added.
Mike Lemberger, head of product and solutions at Visa, argued that while there are legitimate concerns around IoT security, measures are in place to keep consumers and companies safe. For instance, the Visa Ready program allows developers to ensure their solutions meet Visa’s security standards across a range of payment areas, including mPOS, biometrics, IoT, tokenisation, transit and business solutions.
“With demand expected to increase for devices embedded with payment capabilities, we’ve built a global network of Visa Ready partners to offer digital payment token services to ensure that regardless of form, any IoT device can become a more secure place for commerce,” he explained.
Tokens effectively remove personal account details from the payment process. They can be used on a number of devices - phones, tablets, cars - all pointing back to the same account, without compromising security, by assigning a set of digits that can be specific to a device or merchant.
“If a device carrying a token is lost or stolen, the token associated with a given payment service can be easily and promptly disabled,” said Lemberger. “This can happen without the need to cancel and re-issue the underlying Visa card, or any other tokens associated with the cardholder’s account that have not been compromised.”