A cybersecurity researcher forecasts the state of IoT in 2018

While many enterprise companies struggle to understand or even precisely define what IoT is, the growing number of connected devices is setting the stage for a significant security breach in 2018, warns a senior cybersecurity researcher.
  • Written by Brian Buntz
  • 6th December 2017

Deral Heiland is not the biggest fan of the term “Internet of Things.” He may be the IoT research lead at cybersecurity firm Rapid7, but Heiland says, all too often, the phrase “Internet of Things” conjures up fuzzy associations of consumer-facing connected gadgets that obscure the security risk the technology can pose to enterprise companies.

As a case in point, the cybersecurity researcher points to a webcast he participated in earlier this year with the IT GRC Forum, which asked its audience of governance, risk management and compliance professionals whether their organizations had IoT devices on their networks. Nearly half — 48 percent — of attendees responded with “no.”

But the thing is, IoT technology, or “Internet Embedded Technology” as Heiland prefers to call it, is nearly everywhere — from the smart TVs that are ubiquitous in boardrooms, to the multifunction printers churning out documents throughout the day. Teleconferencing systems, security cameras, wireless lighting controls and HVAC systems also fall under this umbrella. So in reality, the number of companies that can honestly report they have no IoT devices on their network is near zero.

We asked Heiland to come up with cybersecurity predictions for 2018. In his analysis, which follows the first heading below, he warns the widespread deployment of connected embedded technology — and the lack of awareness of it — could lead to a significant security incident in the coming year. The cybersecurity researcher also touches on the question of privacy, providing examples of potentially obtrusive device vulnerabilities.

Insecure IET devices could enable a major breach in 2018

With the ever-expanding influx of Internet Embedded Technology (IET) within our businesses, such as printers, conferencing solutions, building security technology, HVAC, automated lighting and other various consumer-based IoT technologies, I would not be surprised if we see these technologies take center stage in a major breach in 2018. Currently, no large breaches have been centered directly around IET. 

I see two ways these technologies could play a role in a breach. One way is indirect, where a business has been previously compromised and the IET is then compromised as a secondary phase and used to hide the malicious actors’ presence as an advanced persistent threat (APT) on the network. Unfortunately, these technologies are not monitored and are often overlooked when it comes to a healthy security environment, making it very practical for them to be used as an APT. The second way I see IET being used for a breach is direct, as many IET solutions have some form of direct access, including IP exposure to the Internet, WiFi capabilities and radio frequency (RF) functions (Zigbee, Z-Wave, Bluetooth, BLE, etc.). I see malicious actors using these communication services to compromise the IET devices to gain a foothold on business networks. With this, these individuals can then silently hide on corporate networks, be able to launch direct attacks against other critical systems and conduct an exfiltration of data off the networks in a stealthy way by taking advantage of the lack of IET monitoring.

With a growing voice-activated and controlled IET market, I expect to see more complex and impactful security exploits targeting the voice control services within these technologies. Currently, products such as the Amazon Echo and other Alexa devices prevent the opening or turning on of security-related devices, such as door locks or garage door openers. However, if a product has multiple uses, such as on/off switch capability that can also be used for garage doors, this may not apply. It’s important to consider all manufacturers trying to enter the voice control market, and determine whether they are following the same due diligence. With all of this in mind, I expect to see a number of interesting voice-control vulnerabilities in 2018. 

Moreover, as attack vectors against embedded technology continue to mature, I expect we will start to see more issues in 2018 related to the hardware. These issues include vulnerabilities specific to the chipsets deployed on embedded devices. The impact around such vulnerabilities will bring to light the growing need for better supply chain tracking. Currently, if there is a serious vulnerability discovered within a specific chipset, we cannot effectively track down the devices in the wild with those chips installed. To add more confusion, chips are now traded as commodities. This means that when a typical device manufacturer is building a product, they will tend to use the least expensive chips available that meet their product need during the manufacture run. Once these are used up, the next option is to then purchase the next block of chips based on what is the least expensive at that time, which may not be the same chips as the first run.

Internet embedded devices: a stalker’s dream come true?

One topic the industry should have studied thoroughly, but has not, is privacy. We continue to see growth in the markets around internet-embedded video camera technology such as robotic vacuums, security systems, smart TVs and smart toys. We also continue to deploy such technology into our homes without considering the privacy implications. Typically, I see no issue with the deployment of security cameras around the perimeter of the home, but I do find deployment in interior living spaces a potential privacy risk. Combining that with discovered vulnerability and exploitation brings about a serious issue.

Examples of privacy-eroding exploits include:

  • An inexpensive web camera with a backdoor account, vulnerabilities to botnet attacks and more.
  • A cloud-accessible camera vulnerable to a denial of service attack. The camera can fail to record when a person enters into a house.
  • And a hacked home robo-vacuum that can spy on family members.

In 2018, we should demand good patching hygiene from IET vendors

Another important lesson we have learned this year is the importance around the ability to remotely deploy security patches to IET. Like all software, firmware is going to have bugs and vulnerabilities, and it’s important to have a reliable and secure method to update that firmware. So, at a minimum, we should expect and demand that capability from all IET manufacturers. For example, this year the National Telecommunication & Information Administration (NTIA) conducted a Multistakeholder Process related to Internet of Things (IoT) Security Upgradability and Patching. This process’ goal was to help with identifying the need for a secure lifecycle approach to IoT devices, in which IoT technology supports security upgrades through increased awareness and understanding by consumers and manufacturers. A few of the valued documents created out of this process are:

  • Communicating IoT Device Security Update Capability to Improve Transparency for Consumers
  • Voluntary Framework for Enhancing Update Process Security
  • Catalog of Existing IoT Security Standards Version 0.01
  • Incentives and Barriers to Adoption of IoT Update Capabilities