We’ve all seen the beautiful television commercials from GE or IBM for refrigerators that can order their own milk or ovens controlled by a smartphone. Each of us has been drawn into the imagination and convenience of this concept that’s being called the Internet of Things (IoT) – but has anyone noticed that these industry conversations and marketing activities never bring security into the conversation? The truth of the matter is that IoT hasn’t been created with security in mind, which means that we’re putting ourselves and our private information at risk the more we expand the Internet’s scope and types of endpoints connecting to it.
The companies promoting this wonderful concept are not security-focused businesses; even those that do deal with security haven’t yet figured out the difference between building security devices and what it truly means to be secure. As appealing as it is to think about networking everyday appliances such as thermostats, printers, or coffee makers, in its current state the IoT is the equivalent of driving on the freeway without brakes. Without security at its core, crashes are going to happen and they are going to be painful.
Yes, these technologies offer incredible advantages, but it’s important to evaluate the risk they represent as well. Because many of these new capabilities aren’t governed by a security standard, they open the door to potential vulnerabilities around data loss, privacy, DDoS attacks and other cybercrime. The IoT includes everything from computer games and GPS devices to fax machines, home thermostats, security alarms and more – and each device offers hackers new access points into networks that house personal or private information.
Let’s say you install a smart thermostat in your home. Because you control it via your cellphone, you can adjust the temperature when you’re out; still other devices can turn on outdoor security lights or activate your alarm system. While all of this is convenient, a hacker could analyze the aggregated data to determine your typical work hours so he knows exactly when to break in. A refrigerator that notices you’re out of eggs and buys them online could be an attractive target for a cybercriminal looking for stored cardholder data.
You might compare these devices to your laptop or tablet and reason that they handle essentially the same kind of personal data. Here’s the difference: unlike your laptop, the typical IoT device isn’t built with security in mind. Often there’s no way to audit or modify it from an OS/firmware perspective or configure security settings. Global appliance companies like GE, Whirlpool or Panasonic, service providers, or networking infrastructure companies typically lack the in-house security expertise needed to control the potential attack surface or audit device security. And that makes the Internet’s widening reach a bigger security challenge.
Playing it Safe
It’s clear that we need a new security framework implemented across the board when it comes to the IoT. Manufacturers must be able to ensure their devices can store and transmit data securely, while consumers and device owners must understand the risks and the best practices to follow. Likewise, service providers and infrastructure vendors – including those making networking equipment, servers and firewalls – must build security directly into their products rather than ignoring it. And bolt-on, after-market security options are like putting a Band-Aid on an amputation: they simply won’t offer the level of protection that’s needed.
Whether you bring these devices into your office or home, you need to think first about the risk involved and the level of functionality you truly need. When you deploy them, make sure you know who each device can “talk” to and firewall off all unnecessary connections. Consider disallowing incoming requests or configuring the device so it can only communicate with certain IP addresses. You can also choose to keep the device disconnected from the Internet, or set it up so it can communicate with the Internet only and nothing else on your network, for example by placing it on an isolated VLAN.
It’s obvious that we’re entering a future where ongoing technical advances will offer new conveniences while demanding new protections. As an industry – from infrastructure providers to service providers – we must treat “demanding new protections” as more than a phrase for marketing, Web sites or keynotes. Developing a thorough security approach is the best way to ensure we can enjoy these advances while minimizing their risks – and the time to start is now.