By 2020, there will be an estimated 30 – 50 billion devices connected to the internet, each with the ability to collect and communicate huge amounts of data instantaneously. Not satisfied with merely tracking, devices will soon be able to analyze, plan, predict and make intelligent choices independent of human interaction.
The IoT (Internet of Things) comprises a huge network of devices embedded in our homes, workplaces and ourselves – devices that are actually constantly collecting, analyzing and transmitting data. It’s probably little surprise that security often features low on the list of requirements.
We are all aware that our personal devices can be hacked and broken into; what is worrying is how easy it all is – particularly with many cheap IoT products that don't have adequate security (HP found that 100% of IoT devices they studied actually had vulnerabilities). Because of this, IoT devices are widely regarded as a serious cyber-security problem, potentially including for critical governmental departments.
The rise of the botnet:
While the dramatic header could seem like the latest action adventure for John Connor, a botnet is actually what happens when a large network of Internet-connected devices has been hijacked and is being controlled remotely. The poor security – on the whole – in IoT products makes it super easy for them to be hacked and leveraged in a botnet attack.
With the right malware, hackers can use botnets to perform DDoS attacks (Distributed Denial of Service). Targets include some of the world’s largest online institutions including Netflix, Twitter, Spotify and PayPal who have all fallen victim to DDoS attacks in the last few years. Malware can use thousands of devices to flood servers with traffic causing them to crash. Managing this is troublesome with sophisticated hackers on laptops, but when attacks are coming from Grandma’s Smart TV, Mum’s scale and Scruffy’s smart collar, it takes on a new dynamic.
The Mirai attack exploited IoT devices such as CCTV cameras and routers in this way. If this attack were pushed against critical national infrastructure, the results could be catastrophic.
Governments have tried responding to these issues by pressuring businesses to make their products more secure, without really enforcing any regulation. However, policy changes will fall short as long as there are people willing to buy the products and there is little incentive for companies to heighten security inside them.
IoT has some very real practical uses within critical elements of the government, and it seems an interconnected future with everything linked is not out of the question. There is much to gain from the greater freedoms and efficiencies IoT can provide. Interconnected departments and agencies can work closer together, breaking down barriers and allowing for better public experiences and cost reductions.
Issues arise because every connection is a point of access and can become a vulnerability if not properly protected, whether due to lack of encryption, poor coding or insecure interfaces. And this vulnerability is shared by all devices in the network; anything could cause a potential breach.
Sharing too much.
The other issue is that we are frequently unaware of what our devices are sharing, even if they are not infected with malware. Strava, a fitness app that posts and shares people’s running habits, has unwittingly revealed the habits of military personnel and the locations of secret bases, including those in Iraq and Syria.
Strava posted a global street map to help users find the most popular streets to run. That is useful and practical in New York, but for soldiers stationed in Iraq and Afghanistan, all it did was mark out their running paths around their base, leaving them open to attack when they are at their most vulnerable.
The fast-moving nature of tech is not suited to cumbersome legislative processes. Especially with IoT, a relatively new technology already influencing large portions of our lives, we need a regulatory system that can match these dynamics. We will also need reliable, mandatory standards implemented by the government to which all IoT devices are matched.
The IoT Cybersecurity Act of 2017 was meant to fulfill such a role when purchasing devices for the government. But even this just scratches the surface: it ensures that devices are patched and free from known threats, but what about 0-day threats or currently unknown ones? If Mark Zuckerberg’s testimony taught us anything, it is that many of the elected officials don’t have a very sophisticated grasp of technology – can they be relied upon to protect us?
And you can bet your bottom dollar that the moment there is an inkling of regulation, lobbyists will start getting paid. After all, Silicon Valley has stood in good stead so far, has it not?