Can you differentiate between your actual and perceived security? These metrics can give you a hand.
The “Internet of Things” (or “IoT”) is a blanket term that encompasses embedded devices that are connected online. There’s a slew of devices that fit within this category, ranging from consumer applications (like “smart” refrigerators and home automation systems), to industrial applications (like predictive maintenance and safety monitoring), to many others.
“Yes” and “no” questions won’t help you better understand your vendors’ (or your own) cybersecurity posture—but these 12 actionable metrics will.
And while internet-connected applications have existed for quite some time, the IoT is gaining much more traction today as IoT devices become smaller, more affordable, and widely adopted in many applications. But with this “age of IoT” comes many challenges—one of which is cybersecurity.
Below, we’ll give an introduction to how cybersecurity works with the Internet of Things and two recent examples of IoT cybersecurity issues that have been exploited.
IoT Cybersecurity: A Primer
Download: A Guide To 12 Cybersecurity Metrics Your Vendors (And You) Should Be Watching
Download: A Guide To 12 Cybersecurity Metrics Your Vendors (And You) Should Be Watching
Ten to fifteen years ago, manufacturers would have simply built an appliance or hardware application and thought only of how they would handle any hardware issues that arose during use. Today, that isn’t the case. Many new applications (for example, refrigerators) are connected to the internet, which means the fridge manufacturers have to consider the implications that the addition of software includes.
Not only does the manufacturer now have to take on the additional burden of customer support for their connected devices, but they also have to consider IoT cybersecurity protection. This includes, for example, patching vulnerabilities or bugs when they’re discovered. If the manufacturers don’t stay up on these best practices, hackers have the unique advantage of being able to manipulate the devices after exploiting these vulnerabilities.
Security is particularly critical for manufacturers to keep in mind because of the design of IoT applications. There are a few reasons for this. First, manufacturers often don’t provide enough detailed documentation on how consumers can protect the IoT application. Also, most consumers understand the need to protect the computing systems they interact with regularly—like their computers and smartphones—but don’t consider the implications of protecting a simple internet-connected device. For example, this recent NPR article discusses how quickly IoT devices become targets for both hackers and bots. Andrew McGill—a reporter for The Atlantic—set up an experiment to see how quickly a hacker or bot would attempt to breach his IoT-connected toaster. The first breach attempt took place a mere 41 minutes after he connected the device to the internet.
IoT Security Breaches In The News
Hacking A Jeep
In July 2015, a Wired article that detailed how two remote hackers created a “digital crash-test” to exploit software vulnerabilities in a Jeep Cherokee spread quickly around the internet. The two hackers were able to remotely take control of the “dashboard functions, steering, brakes, and transmission” from a laptop that could potentially be hundreds, if not thousands, of miles away. The same two hackers had been able to expose software vulnerabilities in a Ford Escape and a Toyota Prius in 2013.
In light of these discoveries, Jeep issued a recall. This is particularly noteworthy as recalls aren’t necessary for software issues—and are mostly used for issues with hardware like airbags, seatbelts, and ignition problems. Now that most new vehicles are connected to the internet, their software should be able to be updated “over the air”—but this concept is quite foreign to manufacturers.
DDoS Attack On Dyn
In late October 2016, the IoT was at the center of another big attack. This time, IoT devices were used to perform a distributed denial of services (DDoS) attack on DNS provider Dyn. Dyn was flooded with so much traffic from the DDoS attack that they couldn’t manage legitimate IP requests, causing popular websites like Twitter, GitHub, PayPal, Amazon, Reddit, Netflix, and Spotify to go offline during the attack.
The botnet that attacked Dyn is known as Mirai. Mirai is notable in that it actually doesn’t take advantage of specific, discovered vulnerabilities in IoT devices. Instead, the Mirai worm crawled the internet and looked for IoT devices that were still using old user credentials. If a device was exposed, Mirai could use the device’s IP to hit Dyn repeatedly with IP requests.
In Conclusion
With such a wide range of IoT technologies, networks, manufacturers, and devices on the market today, it’s particularly difficult for consumers to find out how to protect their IoT-enabled applications. As more consumers demand action from manufacturers—like advanced documentation and more regular security updates—the manufacturers will be further incentivized to prioritize cybersecurity.
Get the Weekly Cybersecurity Newsletter
Subscribe to get security news and industry ratings updates in your inbox.