More than two-thirds of the Internet of things (IOT), which is already here, can be hacked. While this is an issue most commentators shrug off because not all devices allow access to valuable information, others say hardware provides an entry point into a core network, and the security threats are already here.
Recently, HP played around with IOT devices, and found 70% of the most commonly used of these gadgets contain serious vulnerabilities. Its study, Internet of Things State of the Union Study, uncovered privacy concerns, insufficient authorisation, a lack of transport encryption, insecure Web interfaces, and inadequate software protection.
Liron Segev, MD of Swift Consulting, points out that getting into any one device gives a hacker access into the broader network, which opens up an array of possibilities when it comes to swiping information.
Lack of knowledge
HP says its study was driven by a lack of information that focused on the complete picture of IOT security. HP is not alone in finding vulnerabilities. A May research paper (From the aether to the Ethernet – attacking the Internet using broadcast digital television), published by Columbia University students Yossef Oren and Angelos Keromytis, found combining broadband with broadcast capabilities results in an insecure system that can be exploited on a large scale.
Their paper notes attacks on DVB systems that allow broadcast streams to include embedded HTML content need minimal budget and infrastructure, and are hard to detect. It adds the HTML TV system is “already in very wide deployment in Europe, and has recently been adopted as part of the American digital television standard”. SA is in the process of migrating to digital TV using the base DVB standard, although this process has stalled.
In addition, reports Reuters, Chrysler and Nissan are reviewing a report by cyber security experts that rates their vehicles among the three “most hackable” cars on the market, along with a General Motors model.
Some people have even taken to hacking IOT devices, with blogger Ross Mason turning hacking into a hobby. He has already hacked Google Glass and Raspberry Pi, among other more seemingly innocuous items, such as light bulbs. The number of hackable devices will grow by the day, with Cisco predicting 50 billion gadgets will be connected to the IOT by 2020.
However, John Eigelaar, director at Keystone Electronic, says the implications of a device being hacked are, generally, minute, unless the device contains vital information or serves an important purpose, such as a smart meter that can be made to turn off power, or information gleaned via a hacked TV that allows people to reverse-engineer a victim. “It is an issue that devices can be hacked, but the severity [of the attack] must be seen in conjunction with the hackability.”
World Wide Worx MD Arthur Goldstuck notes, while there is a danger in security vulnerability, the trivial should not be overplayed. He says just because something is possible, does not mean it is probable, as very few hackers will waste time attacking basic devices. The biggest danger is a loss of confidence in a company if there is a breach and it is not seen to take it seriously, he adds.
Earl Perkins, research VP at Gartner, notes devices that have consumer-centric uses that are non-threatening represent low-risk concerns. “I do worry about the high-risk, high-impact devices and the uneven security approaches providers take for them, and we believe that concern is legitimate.”
Perkins says there are at least four areas of attack: the device and associated hardware and software, the network which the device uses, the gateway from the device world to the services world, and the service itself. He says, as one moves outwards from the service to the endpoint, the threat grows, although there are exceptions to this rule. “If I have sensors that participate in providing critical data to air traffic controllers and I lose enough of those sensors, the lives of people in the air and on the ground might be at risk.”
However, says Perkins, companies developing products and services for IOT devices need to be aware “they’re letting a genie back out of the bottle if they aren’t careful”. He notes the security threats are real now. “We avoid trying to sound like Chicken Little because our clients have heard it many times before, but the pace and spread of this technology is definitely concerning, and the rush to make money will almost assuredly exceed security common sense.”
Segev notes that if hackers gain access to devices, “it is another hole in the dam wall that allows someone to attack” the core network. Adding devices to a network gives hackers a reason to go after the hardware, he notes.
Eigelaar says systems and devices are coming in now with embedded device configuration, which will aid security. He notes technology is now moving in a direction where security can be implemented as the risk of hacking becomes more of a concern.