BreachExchange mailing list archives

Internet of Things – Security
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 11 Sep 2015 14:03:11 -0600

http://www.jdsupra.com/legalnews/internet-of-things-security-76474/

Introduction
In a recent article we discussed the growth of wirelessly interconnected
devices and the transformative impact it will have for business and, more
broadly, on our lives. In that article we highlighted some of the key
issues businesses will need to consider and navigate to realise the
benefits which people anticipate will be achieved as the 'Internet of
Things' gathers momentum.

The purpose of this article is to consider in more detail the challenge of
security in a world of increased device connectivity.

Security in an IoT world
Businesses are striving to introduce wireless internet connected devices to
achieve productivity gains in manufacturing, distribution, improved
customer insights etc. In doing so, however, they are not adequately
considering the security ramifications associated with the introduction of
such devices.

The most fundamental problem with internet connected devices is that each
one enlarges a system's attack surface, creating more avenues for attackers
to exploit. Various security weaknesses in internet connected devices have
already been exposed, from cars having their brakes disabled, to webcams
being hijacked, to fingerprints being stolen from phones with fingerprint
sensors. A study of 10 popular IoT devices in July 2014, in categories such
as TVs, home thermostats and door locks, identified 250 vulnerabilities,
including insecure firmware and poorly protected access credentials.

Indeed, one of the impediments to the growth of IoT devices is the current
lack of interoperability. Device manufacturers are not developing their
devices to common standards, which creates challenges in enabling IoT
systems to communicate and integrate data. Unfortunately, improving
interoperability simultaneously increases the capacity for the unscrupulous
to attack those systems: as IoT devices become more standardised, a
weakness found in one shared protocol or component can be reused against
every device that implements it, and attackers become more familiar with
the manner in which IoT devices operate.

Compounding this issue is the limited capacity of IoT devices' hardware to
actually provide appropriate security. Often such devices are intended to
be cheap and disposable. Security measures such as encryption, secure boot
and signed firmware updates require more processing power and memory, which
in turn increases the cost of the processors incorporated in IoT devices.
For example, the processors currently available in wearable fitness devices
are arguably incapable of providing the processing power necessary to run
quality security measures. Furthermore, in a disposable world, vendors are
often unwilling to update old products because it is not financially viable
to do so. This means those devices are not protected from new and evolving
threats.

Issues to Understand
As most people understand, there is no guarantee that any IT infrastructure
can be made completely secure. Systems are constantly subjected to attacks
intended to identify and exploit vulnerabilities. Furthermore, because
security measures are often introduced reactively, they are frequently
already out of date by the time they are deployed, as attackers have by
then identified new ways to penetrate systems.

So in an increasingly IoT connected world what are some of the questions
businesses need to be asking in relation to IoT devices or systems they're
using or intending to use?

Security Measures – What are the security measures incorporated into the
devices (if any)? Are the security measures current, or are they measures
that have already demonstrated vulnerabilities?

Vulnerability Testing – Are the devices subjected to penetration or
vulnerability testing? Will the business, or a third party contracted by the
business, engage in periodic vulnerability or penetration testing to
pre-emptively determine whether the devices or their associated systems are
susceptible to breach using evolving attack techniques? Proactive
vulnerability testing diminishes the likelihood that the business will only
find out about a breach after the fact.

Monitoring – To what extent are the devices or systems monitored for
unauthorised intrusion or manipulation? Indeed, are the devices even capable
of being monitored for unauthorised intrusion or manipulation?

Capacity to Patch – Do the devices have the ability to adapt easily to
changing security threats? Can they be updated or modified remotely to
augment or mend their existing security protections? Does the business have
a mechanism for notifying customers of potential vulnerabilities in devices
already sold?

Data – What type of data is collected? How is the data collected by the
devices being transmitted and stored? For example, is it encrypted in
transit and at rest? Is it being stored in Australia or overseas? Who has
access to the data and in what form? What can those parties do with the
data once it is accessed? How sensitive is the data? Is it the subject of
regulatory obligations, and what are the consequences of breaching those
obligations?

Third Party Providers – Are several third parties, or a single third party,
responsible for the provision, installation, monitoring and maintenance of
the devices? How is responsibility for the IoT devices between multiple
vendors being managed by the business? How is this being managed through
the business's contractual arrangements?

Worst Case Scenario Planning – To what extent does the business have a
strategy to respond to breaches of security? How will it contain and
eliminate the breach, continue to operate, preserve its brand and comply
with its legal obligations arising from the breach?

Conclusion
The purpose of this article is not to discourage the introduction of IoT
devices into a business's operations or products. Nor does it suggest that
the security of IoT devices can ever be guaranteed. That said, it does
provide a list of some questions any business should consider when
introducing IoT devices, so that it can adequately evaluate the costs and
benefits associated with that introduction and put in place appropriate
mechanisms to minimise the impact of any security breach caused by the IoT
device.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 