Who’s in your fridge? IoT and your organization’s cybersecurity
Imagine that it’s 6:30 AM, and you just woke up. You yawn, rub your eyes, and stumble to the kitchen. You turn on the coffee machine. You open your new smart refrigerator to get cream.
But you’re not the only one accessing your refrigerator.
Unbeknownst to you, cybercriminals have compromised your refrigerator and added its processing power to a botnet. While you drink your coffee, your refrigerator is helping to launch a DDoS attack on a major domain provider. Huge swaths of the internet go dark with each sip.
I know: it sounds unrealistic. Ludicrous, even.
Yet three years ago, hackers were already linking smart refrigerators, televisions, webcams, and routers into botnets hundreds of thousands strong. In 2014, criminals used over 100,000 refrigerators and smart TVs to distribute malicious emails. And a 2016 attack on Dyn, domain provider for brands like Amazon and Twitter, hijacked millions of household objects to temporarily cripple large portions of the internet.
The Internet of Things (IoT) is rapidly changing the technological landscape. The authors of EY’s 2018 Information Security Survey offer a succinct definition: IoT is a “network of connected and interconnected devices that actively and constantly interact.”[1]
Think about your own tech ecosystem. If you own any of the following, you interact with the IoT:
- A web-enabled automobile
- A personal fitness tracker
- A voice assistant such as Google Home or Amazon Alexa
- Any smart home technology, including internet-connected thermostats, door locks, Bluetooth speakers, security systems, or kitchen appliances
- Smart televisions or web-enabled gaming consoles
IoT promises a paradigm shift in the way we approach computing. It holds the potential for small revolutions in medicine, manufacturing, media, infrastructure, politics, and many other areas of society.
Many of these revolutions have already begun. ‘Wearables’ heighten performance and save lives. Automobile plugins reward you for safe driving. Integrated IoT enables manufacturers to perform more efficiently and effectively than ever before. Voice assistants give every user the benefit of a personal secretary. Smart homes allow owners to monitor, lock, and energy-optimize their houses from a distance.
Yet utopia remains out of reach. As with most technologies, adoption of IoT has outstripped consideration of its impacts.
This is dangerous for individuals. For businesses, it is potentially catastrophic.
Many executives would say that they prioritize cybersecurity. Gartner projects that by the end of 2018, global cybersecurity spending will have topped $96 billion. Research firm Markets and Markets anticipates annual security spending of $248.26 billion by 2023.
Yet much of this spending fails to address IoT. A separate Gartner report predicts that global cybersecurity spending on IoT will reach a mere $1.5 billion by the end of 2018 and $3.1 billion by 2021. Gartner attributes much of this to a lack of clear strategy or priorities; according to research director Ruggero Contu, “coordination via common architecture or a consistent security strategy is all but absent” at most businesses.
Harvard fellow Bruce Schneier explains that unlike traditional computers, IoT devices sell based on their object-function. The market rewards a smart home company for making a better thermostat, not for issuing security patches to last year’s model. As a result, very few IoT devices can even receive security patches, and most go from purchase to obsolescence with factory-set passwords intact.
This will not change easily, Schneier warns:
The market can’t fix this because neither the buyer nor the seller cares… There is no market solution because the insecurity is what economists call an externality: it’s an effect of the purchasing decision that affects other people. Think of it like invisible pollution.
New tools help attackers take advantage of this ‘externality.’ The search engine Shodan can identify anything connected to the internet. Objects indexed on Shodan include “web cams, water treatment facilities, yachts, medical devices, traffic lights, wind turbines, license plate readers, smart TVs, refrigerators” and more.
Suppose that an attacker wanted to extract sensitive information from your company. How would he do it? Cybersecurity expert Gary Eastwood suggests one possible strategy. In Eastwood’s scenario, the attacker begins by identifying the unsecured Fitbit one of your employees wears to work. He then compromises that employee’s home network and thereby the connected Fitbit. When the employee arrives at work, the Fitbit connects to your network, and the attacker can siphon data at will.
Let’s recap. The Internet of Things consists of structurally unsound devices, detectable via dedicated search engines and frequently unknown to network administrators. IoT devices expand your organization’s attack surface and enable a host of new attack strategies.
Next week, I will present the recommendations of security experts on how to secure your IoT ecosystem. For now, I’d advise that you begin with the following:
- Ensure that you have a cybersecurity response plan and team in place
- Regularly identify all devices connecting to your network
- Define and enforce policies regarding IoT devices. If necessary, instruct employees to leave wearables offline or at home.
- Evaluate the smart objects in your office. Consider reverting to non-IoT models or isolating smart objects on a separate network.
- Only purchase IoT devices that come from established tech brands and can be patched
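As an added illustration of the second recommendation (this is example code written for this post, not a tool from the original or from any vendor named above), the script below runs over a constructed DHCP lease export, flags every device whose MAC address is not in the team’s approved inventory, and tags unknown devices whose MAC prefix matches a constructed table of IoT vendor prefixes. All addresses, hostnames and prefixes are made up; a real deployment would read the live lease file and the IEEE OUI registry.

```python
"""Periodic inventory check: which devices on the network are not approved?
Added example; the lease format, MACs, hostnames and OUI table are constructed."""
import re

# Constructed: lines as exported from a DHCP server, "<ip> <mac> <hostname>".
SAMPLE_LEASES = """\
10.0.1.10  aa:bb:cc:01:02:03  laptop-jsmith
10.0.1.11  aa:bb:cc:04:05:06  printer-2f
10.0.1.42  de:ad:be:01:aa:bb  fitbit-sync
10.0.1.43  de:ad:be:02:cc:dd  smart-fridge
10.0.1.44  11:22:33:44:55:66  *
"""

# Constructed allow-list of MAC addresses the IT team has approved.
APPROVED_MACS = {"aa:bb:cc:01:02:03", "aa:bb:cc:04:05:06"}

# Constructed OUI (first three octets) to vendor-category hint. A real
# deployment would load the IEEE OUI registry instead of this placeholder.
IOT_OUIS = {"de:ad:be": "wearable/appliance vendor (constructed)"}

LEASE_RE = re.compile(r"^(\S+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\S+)$", re.I)


def parse_leases(text: str) -> list:
    """Parse lease lines into dicts; blank or malformed lines are skipped."""
    devices = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue
        ip, mac, host = m.groups()
        devices.append({"ip": ip, "mac": mac.lower(), "host": host})
    return devices


def find_unknown_devices(text: str, approved: set, iot_ouis: dict) -> list:
    """Return devices not on the allow-list, each with a vendor hint and reason."""
    unknown = []
    for dev in parse_leases(text):
        if dev["mac"] in approved:
            continue
        dev["vendor_hint"] = iot_ouis.get(dev["mac"][:8], "unknown vendor")
        dev["reason"] = "not in approved inventory"
        unknown.append(dev)
    return unknown


if __name__ == "__main__":
    for d in find_unknown_devices(SAMPLE_LEASES, APPROVED_MACS, IOT_OUIS):
        print(f"{d['ip']:<12} {d['mac']}  {d['host']:<14} {d['vendor_hint']}")
```

Run it from cron against a fresh lease export and route the output to whoever owns the IoT policy; any device that keeps appearing as unknown is either an inventory gap or something that should not be on the corporate segment.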
[1] EY, Global Information Security Survey 2017-2018.