They are already here. And they might already have outnumbered us. Their proliferation is breath-taking, with an estimated population reaching 125 billion in the next 10 years. IoT devices are the poster boys of a societal digital transformation, poised to revolutionise the way we live, play and work.
But, are we really in control of this exponential explosion of Internet connected machines? And, what does this massive machine-to-machine network mean from a security perspective? What are the associated threats and resulting risks of IoT devices, encompassing everything from wearables to the industrial control systems behind power grids?
New malware threats
The last five years have been a playground for a new generation of malware software targeting both embedded devices and IoTs. Slowly, the world is waking up to the consequences of prioritising time-to-market and cost over any security consideration when developing connected or “Smart” devices. Smart meters, smart homes, smart anything, can all be less smart than their names suggest, and they are vulnerable. The mean time required to compromise a vulnerable IoT device on the Internet is now down to around five minutes and within 24 hours threat actors can launch targeted attacks aimed at compromising specific devices.
Many of these vulnerable IoT devices are online 24 hours a day, 7 days a week and have significant bandwidth available. This makes them not only attractive targets for conscription into Distributed Denial of Service (DDoS) botnets, but also innocent stepping stones for the compromise of internal networks through their backend connectivity. In every element of the threat landscape, from ransomware to cryptomining, there is potential for IoT devices to be used as a gateway both in home and enterprise networks.
Without a doubt, everyone faces an unprecedented technical challenge when it comes to managing IoT risk: Internet-facing IoTs represent only 5% of the total number of devices out there; the other 95%, pose a complex risk and IT service management problem due to their inherent nature:
- The IoT market is fragmented, with multiple standards at play requiring different tools for network monitoring and operations.
- IoT devices have a small, if not very small, hardware footprint with minimal computing power, putting them out of reach of traditional agent-based endpoint security management tools.
- IoT devices contain numerous software stacks with proprietary technologies and formats, as well as open source software, making their maintenance somewhat daunting, if not impossible.
- Engineering and security investments are overlooked by IoT manufacturers due to intense competition and market urgency. As a result, devices often come with hardcoded usernames and passwords, unnecessary services enabled and remotely exploitable vulnerabilities for which patches are rarely made available.
Even when a software fix or new firmware is released for a device its deployment is often not practical. For example, where is the device? Can it be updated remotely? Does it require physical access and custom-made cables for upgrade?
5G looms ahead
As 5G becomes a reality, billions of humans and trillions of machines will gain access to enhanced mobile broadband for a wide range of applications from mission critical medical surgeries, to emergency services and augmented/virtual reality. And, to make matters worse, all the above issues are exacerbated by the long shelf life of devices. Obsolete and insecure IoT devices are here to stay and will haunt us for years to come.
With the sheer number of IoT devices out there that pose a risk either individually or collectively, identification, supervision and asset management capabilities will become even more critical.
Inferring the identity (what it is) and function (what it does) of an IoT device by monitoring network traffic is fast becoming, from an operational perspective, a necessity for all network operators. This will allow them to assess their level of risk and the nature of that risk, so that it can be managed appropriately. But, this is no easy task. The visibility needed across a network is both broad and deep.
ISPs seek help
Internet Service Providers are already seeking assistance from their trusted partners to provide them with the visibility and monitoring capabilities they need across their evolving service infrastructure. Equipped with an ability to identify the type and location of IoT devices on their networks, operators will be able to defend both themselves and their customers from threats.
The Internet of Things has the potential to radically change our lives. IoT devices are driving radical technological and cultural changes, transforming our current IT landscape. Ultra-fast transfer rates, enhanced user experience, augmented and virtual realities are among the numerous applications consumers have been eagerly waiting for their smarter future.
But, as IoT starts fuelling innovation in key sensitive industries such as healthcare, transportation and public utilities – bringing in its wake the fourth industrial revolution – the networks of tomorrow will require effective security oversight of IoT devices, to address both the availability and reliability of new services, and the privacy and safety of consumers.