IT professionals have to treat internet of things (IoT) vulnerabilities as they would vulnerabilities in databases or web applications. Any flaw can bring unwelcome attention, for those making affected products and those using them. Any flaw may prove useful to compromise other systems on the network. When everything is connected, security is only as strong as the weakest node on the network.
The Internet Crime Complaint Center (IC3), a partnership between the FBI, the National White Collar Crime Center, and the Bureau of Justice Assistance, issued a warning in September 2015 about the risks posed by internet of things (IoT) devices.
"As more businesses and homeowners use web-connected devices to enhance company efficiency or lifestyle conveniences, their connection to the Internet also increases the target space for malicious cyber actors," the IC3 alert said. "The FBI is warning companies and the general public to be aware of IoT vulnerabilities cybercriminals could exploit, and offers some tips on mitigating those cyber threats."
From a statistical standpoint, the warning may seem premature, because IoT devices haven't been implicated in major breaches. As Verizon noted in its 2016 Data Breach Investigations Report (DBIR):
For those looking for proclamations about this being the year that mobile attacks bring us to our knees or that the Internet of Things (IoT) is coming to kill us all, you will be disappointed. We still do not have significant real-world data on these technologies as the vector of attack on organizations.
We do have real-world proofs-of-concept. Cyber-security researchers Charlie Miller and Chris Valasek last year remotely hacked a moving Jeep Cherokee and sent it into ditch. The pair have more recently demonstrated hijacking a moving Jeep is still possible, though this time they were inside the vehicle.
Also last year, security researcher Maxim Rupp identified two vulnerabilities in Honeywell's Midas gas detector, a device used in semiconductor processing and industrial manufacturing. Researchers have identified many other holes in IoT security.
The potential impact of these flaws may prompt fears. The idea that a hacker might cause you to crash your car is frightening. There's not much money in pursuing that sort of exploitation, and hackers tend to be motivated by the desire for financial gain. According to Verizon's 2016 DBIR, 89% of breaches had a financial or espionage motive.
Yet, those working in information technology have to treat IoT vulnerabilities as they would vulnerabilities in databases or web applications. Any flaw can bring unwelcome attention for those making affected products and those using them. Any flaw may prove useful to compromise other systems on the network.
When everything is connected, security is only as strong as the weakest node on the network. A compromised home router, for example, could betray credentials necessary to penetrate workplace systems.
Pen Test Partners, a company offering penetration testing and security services, offers best practices for IoT device-makers, app developers, and IoT supply chain partners to consider. So do Microsoft and the Federal Trade Commission. whiteCryption has some recommendations too.
Anyone dealing with IoT software or hardware would also do well to review the OWASP Top 10 IoT Vulnerabilities.
What follow are 10 tips IT professionals should consider when designing and implementing internet-connected devices.