Nov 19, 2017Imagine: You're sitting at home on a conference call for work and, unbeknownst to you, hackers have gained access to the files you're sharing on the call. How did they do this, you ask? It's really quite simple: through your smart-home Internet of Things devices. Because IoT devices like smart fridges, garage doors, home alarms, baby monitors and even toasters are connected to the same wireless network used to host your conference call, hackers can hijack those vulnerable, unsecure devices and gain full access to everything happening on your network. Soon enough, you might discover that they've gained access to your organization's customer data, business plans and internal financial reports.
IoT devices are inherently insecure and there are a myriad of real-world examples of this very kind of occurrence. Take the massive distributed denial of service (DDoS) attack on the Internet traffic company Dyn in 2016. The attack affected major Internet platforms and services such as Airbnb, Amazon, Box and PayPal, to name a few. It was later discovered that the attack targeted more than 100,000 Internet-connected devices such as IP cameras, printers, residential gateways and baby monitors to install Mirai malware. The Mirai malware then overwhelmed Dyn-hosted sites with traffic so that they were forced to deny service to users.
Think about the ramifications Dyn suffered following the attack—it incurred the immense costs of temporarily shutting down its hosting services to solve the issue and its reputation as a secure DNS was slashed. This is only one example of the potentially dramatic effect unprotected and unmonitored IoT devices can have on entire enterprise networks. But why are IoT devices so vulnerable?
According to UCLA computer science professor Leonard Kleinrock, "These devices were designed to minimize the processing load and memory usage. They usually don't have the additional processing power needed to carry out the extra load for security protection." While the lightweight infrastructure of the IoT makes for fast and easy deployment on a wireless network (in most cases), their infrastructure may be too scant to include security mechanisms and access controls. Therefore, Kleinrock warns, consumers should be wary of the "security hygiene" of IoT devices.
Another major threat inherent in IoT device deployment is that there is a general lack of awareness of the potential security threats posed by these devices. While regulation authorities—like the Federal Trade Commission in the United States and the Alliance for Internet of Things Innovation in the European Union—work to rapidly draft security protocols to govern the manufacture of IoT devices, consumer and enterprise awareness of the risks is non-existent to weak, at best.
Gartner predicts that 20.8 billion IoT devices will be in use by 2020. As the scope of the Internet of Things in the home and enterprise rapidly expands, there is no better time than the present to implement IoT security measures. One of the best ways to make sure IoT devices don't have access to the rest of the network is to isolate or segment that network.
This can be a complex process that stands in opposition to the easy deployment of IoT devices. Therefore, analyst research bodies like Gartner recommend deploying technologies and security protocols for the discovery of IoT devices, authenticating users accessing such devices and controlling the devices' integration with other areas of the network.
How would you feel if your child's baby monitor was hacked? Now think about how you would feel if that same baby monitor put not only your family at risk, but your entire business as well. It's time to start thinking about how to mitigate IoT device risk by gaining visibility, control and, most importantly, awareness of vulnerable areas on your network.
Ofer Amitai is the CEO and co-founder of Portnox, where he is responsible for day-to-day operations and setting the company's strategic direction. He has more than 20 years' experience in network security, during which time he established the first IT security team in the Israeli Air Force, managed the security division at Xpert Integrated Systems and served as Microsoft's regional director of security. Ofer is a proven innovator and thought leader in network security. He holds a B.Sc. degree in computer science.
