The security of the Internet of Things

Posted On 05 Mar 2015
Comment: Off

Internet of Things 10Luis Corrons, Technical Director of PandaLabs at Panda Security looks at the dangers of linking technology such as IP cameras to the Internet.

Wikipedia Definition: The Internet of Things (IoT) is the network of physical objects or “things” embedded with electronics, software, sensors and connectivity to enable it to achieve greater value and service by exchanging data with the manufacturer, operator and/or other connected devices. Each thing is uniquely identifiable through its embedded computing system but is able to interoperate within the existing Internet infrastructure.

According to Gartner, the Internet of Things installed base will grow to 26 billion units in 2020. However, other studies suggest even higher figures, up to 50 billion. The fact is that today there are more than two Internet-connected devices for every person in the world.

Until a few years ago, only computers had Internet access. Since the birth of the smartphone, however, the number of connected devices has been growing at an exponential rate and now includes tablets, printers, TVs, IP cameras, etc. But this is just the beginning. In a few years, the number and variety of Internet-connected devices will be huge, from light bulbs and door locks, to cars, wearable devices, etc. Even today it is possible to purchase Internet-connected refrigerators that allow you to do your shopping online from the comfort of your home.

In this scenario, what does security have to do with the Internet of Things? Everything.

Every system that is connected to a network is susceptible to attacks from any user connected to the same network. And if that network is the Internet, then almost anyone could try to hack any connected device. In the computer world, where attacks have been occurring for decades, there are two main techniques to compromise targeted systems:

  • Social Engineering
  • Vulnerabilities

The first one involves tricking the victim into breaking normal security procedures without their knowledge. The second one consists of exploiting software flaws that could allow attackers to access (and often control) systems. On many occasions attackers use mixed methods, where an attack uses social engineering techniques in order to exploit a vulnerability.

Let’s take IP cameras. These devices are hardly ‘touched’ once they are installed. As long as they work, they are mostly ignored by users

If there is something that differentiates the Internet of Things from the old concept of Internet-connected computers and smartphones is the fact that most IoT devices are hardly ever manipulated by end users directly. Let’s take IP cameras, wireless printers or routers for example… These devices are hardly ‘touched’ once they are installed. As long as they work, they are mostly ignored by users. On one hand this is positive, as it prevents social engineers from succeeding, but on the other it means that the software installed on these devices will rarely if ever be updated. And if it is not updated, then any vulnerability will never be fixed, despite the security patches released by manufacturers. A real nightmare.

Under these circumstances the best solution is for manufacturers to implement auto-update systems that patch devices without requiring user interaction.