The proliferation of connected consumer electronics, IoT and “smart devices” has left us vulnerable in ways we’ve only begun to imagine.
We’ve already seen examples of how connected but unsecured “smart” devices can be used in massive distributed denial-of-service (DDoS) attacks. And while information security is not a very mature discipline, I’m puzzled and frustrated that, as a society, we’ve allowed ourselves to end up in this position.
Now, the stakes are higher. We’ve exposed our critical infrastructure, including our water, electrical grid, financial, and communications systems to the internet, and with it, a zombie army of baby monitors, DVRs, security cameras, and other connected consumer devices, referred to as botnets, with deep and wide-ranging implications for our security.
So far, the impact of even the largest security events has been relatively small, contained to perhaps a business, a region, or maybe an industry or government. Even the largest hacks, in which millions of people’s information were exposed, have not led to widespread chaos or the significant breakdown of society. Yet.
These risks are not necessarily new, but the ease and opportunity to do large-scale damage have grown exponentially. As history has shown, when there are opportunities to exploit the vulnerable, it’s not a question of if, but of when.
I’m not alone when I say that we’re facing incidents that are potentially life-threatening and directly attributable to IoT devices. When you consider the number of humans, devices, and homes with internet access, it adds up to a huge amount of potential firepower for attackers. Consider:
- The average global connection speed was 5.1Mbps in 2015, according to Akamai.
- Gartner projects there will be 8.4 billion connected “things” in use this year and, and by 2020, we could reach 20.4 billion.
- With the total human population estimated to be 7 billion in 2020, according to Our World In Data, that means there will be roughly 2.6 devices per person.
- The potential for abuse is known by every attack organization, from criminal gangs to nation states to organized criminals to hacktivists, as well as those just looking to be mischievous.
- Insider threats, and even accidental actions by well-meaning people, can lead to severe consequences and add new levels of risk.
Though progress has been made to secure these devices, they are still inherently insecure. Even when they are secured, they may be connected to unsecured networks. These devices will connect to or replace almost anything with a plug and will be accessible – and exploitable – from anywhere in the world.
How Smart are Cheap IoT Devices?
While “cheaper” is a compelling market driver, its potential consequences are often under-considered. Take smart meters, for example. Today there are over 100 million electrical smart meters deployed around the world. Imagine poorly secured meters being compromised and the resulting damage to homes and property from manipulation of supply, or disablement of alarms. It doesn’t take a criminal genius to recognize opportunities for a new type of ransomware, as hackers demand payment to turn the power back on. Or even state-sponsored hackers looking to cause blackouts across large geographical regions.
All of these risks are real. The internet has expanded to almost the entire planet – with available capacity and enormous speeds, even in hostile or remote places – and we accept the associated risks in exchange for convenience.
In security, we often say that it takes a major event before we take security seriously. Of course, by then, it’s too late. Money has been lost, reputations damaged, and sometimes far worse. We need to change our practices. Every time a new technology is introduced, its potential risks need full assessment, and all of the right people need to sign off on pushing forward.
New standards and frameworks can help with the needed assessment and mitigation, but only if they are adopted and used effectively. Suppliers should be incentivized to follow these standards, and be held accountable for device security.
We are gaining a better understanding every day of the scope of financial and social consequences that not making security an essential component of any technology represents. What will it take for us to act?
I would love to hear your thoughts on this topic.
John Germain, V.P. & CISO at Duck Creek Technologies