Tuesday, 10 January 2017

IoT in 2017 must focus on security

The Internet of Things (IoT) has moved from promise to more concrete reality, with more connected devices and more initiatives going live. The teething pains which experts have warned of in past years are now becoming more apparent as well.

Source: HDS. Hubert Yoshida.
Hitachi Data Systems (HDS), for one, believes that decisions made for IT in 2017 should be made with an eye to IoT. "Today, IoT requires data scientists and researchers with deep domain expertise and most projects are in the proof-of-concept stage. In 2017 we will be at the stage where we have the recipe for IoT projects, like train-as-a-service or industry 4.0," said Hubert Yoshida, CTO of HDS.

"In 2016 the IoT achieved significant mindshare, with many people now aware of the promise of a connected home," said Adam Judd, VP for Asia Pacific Japan, Brocade. "But unfortunately, some of the early adopters in 2016 also learned a painful lesson about the need for standardisation and open platforms. As some vendors with proprietary cloud-based platforms went out of business or changed business models, users were left stranded.

Source: Brocade. Adam Judd.
"In 2017 we should expect the IoT market to begin to develop standards that make their platforms more secure, as well as more open and sustainable. In addition to easing consumers’ minds, these standards will enable an IoT ecosystem that increasingly appeals to enterprises, allows service providers to create innovative services, and enables advanced use cases that we can only imagine today."

Retarus, an information logistics expert, notes that the seamless combination of software, sensors and communication is a prerequisite for a true IoT. A secure and integrated flow of information throughout all parts of the process chain in the IoT will require application and communication protocols to interoperate with each other, the company said. "Cloud solutions for information logistics (will be needed to) facilitate the efficient and secure interchange of data between all connected platforms," noted a statement from the company.

Source: Zebra Technologies. Ryan Goh.
Visibility into assets, people and transactions will be important for the Internet of Things (IoT) if it is to work as promised, says Ryan Goh, VP of Sales and GM, Zebra Technologies Asia Pacific. "While much digital ink has been spilled about the wealth of data IoT devices will provide, it is also imperative that enterprises have visibility on the devices themselves. The failure of any device will have a direct impact on staff productivity, possibly putting a dent in customer satisfaction, and ultimately on the organisation’s bottom line," Goh said.

"Internal Zebra research of Zebra enterprise mobile computing deployments identified that a single device failure can result in up to 80 minutes of lost productivity. Implementing comprehensive management on these devices will provide actionable insights to make intelligent decisions to stem a problem before it starts."

Source: Software AG. Anneliese Schulz, VP, Asia, Software AG.
New infrastructure will be needed for new 'smart things' to operate properly, adds Software AG. "Smart things have their own needs - drones need landing areas and docking stations for recharging, robots require their own elevators," said Anneliese Schulz, VP, Software AG Asia. "Architects will realise that buildings have to accommodate these needs and we will start to see substantial changes to the layouts of buildings. Form follows function, becomes form, and follows digital functions. Architects will turn to hardware and software vendors to gain a better understanding."

2017 will mainly be about securing the IoT

The biggest issue for IoT, security, got serious attention in 2016, especially after well-publicised breaches in the US with Dyn and even in Singapore, when StarHub services went down in October.

StarHub even announced in late October that it would help customers address affected devices. "To further safeguard our network and our customers from cyber attacks, we are scheduling home visits to customers whose home Internet-connected devices were likely accessed without their knowledge during the 22 October and 24 October 2016 distributed denial of service (DDoS) attacks on our home broadband domain name servers (DNS). We would like to thank customers for their cooperation," the company said in a statement dated October 28.

"The Dyn attack in October disrupted an array of the Internet’s biggest websites and Singapore’s broadband service – demonstrating the vast number of IoT devices that don’t have security on them and are tremendously vulnerable to attacks," noted Symantec security experts. "As more IoT devices are installed in the mass market, the risk of security breach will increase. Once insecure devices are in the market, it becomes almost impossible to fix the issue without recalling them or issuing security updates...Given that this lack of security will continue for the foreseeable future, the number of IoT attacks will only increase as well.

"Beyond looking simply at computers and mobile devices for vulnerabilities, incident response teams will need to consider thermostats and other connected devices as jumping points into the network. Similar to how printer servers were used for attacks several years ago, nearly everything in an enterprise is now connected to the Internet and will need to be protected."

Source: Hillstone Networks. Tim Liu, CTO, Hillstone Networks.
"IoT security moved from talk to reality in 2016. We will see how these devices can become bots in 2017, highlighted by the recent DDoS attack on Dyn. Firstly, many devices are designed for consumers, prioritising user-friendliness over security. Secondly, device users have become diverse and many are not well-informed about IT security. Lastly, once compromised, breaches are hard to detect because of the limited user interaction.

"As the quantities and variety of IoT devices will eventually surpass computers and mobile phones, we will see greater security incidents, and hackers leveraging unique capabilities of devices for their financial gain," added Tim Liu, CTO, Hillstone Networks.

Source: Darktrace. Sanjay Aurora.
2016 has seen some of the most innovative corporate hacks involving connected things, Sanjay Aurora, MD, Asia Pacific, Darktrace observed. “In the breach of DNS service Dyn in October, malware spread rapidly across an unprecedented number of devices including webcams and digital video recorders. In Singapore and Germany, we saw smaller but similar incidents with StarHub and Deutsche Telekom. Many of (2016's) IoT hacks have gone unreported – they include printers, air conditioners and even a coffee machine,” he said.

“These attacks used IoT devices as stepping stones, from which to jump to more interesting areas of the network. However, sometimes the target is the device itself. One of the most shocking threats that we saw was when the fingerprint scanner that controlled the entrance to a major manufacturing plant was compromised – attackers were caught in the process of changing biometric data with their own fingerprints to gain physical access.

"In another attack, the videoconferencing unit at a sports company was hacked, and audio files were being transferred back to an unknown server in another continent. Want to be a fly on the wall in a FTSE100 company’s boardroom? Try hacking the video camera.”

Source: Gemalto. Alex Tay.
Alex Tay, Head of ASEAN, Identity and Data Protection, Gemalto, points out that hackers have quite a few attack surfaces and personas that they can manipulate when it comes to IoT. "(Take) your Fitbit as an example, and look at the number of people who touch it—the user, the manufacturer, the cloud provider hosting the IT infrastructure, the third parties accessing it via an API, etc. This creates a cross-pollination of risk that the security industry has not seen before, and that’s just one person’s 'thing'," he said.

"We expect to see hackers continue to exploit IoT device vulnerabilities to launch attacks, and they will likely use (devices like) Edwin, the app-connected smart duck," said Naveen Bhat, MD, Ixia, suggesting that such devices could be the biggest security threat of the year.

Source: Sophos. Joergen Jakobsen.
Joergen Jakobsen, Regional VP for Asia-Pacific and Japan at Sophos, agrees that the number of destructive DDoS IoT attacks will rise. “In 2016, Mirai (editor's note: a botnet that made use of insecure IoT devices to launch cyber attacks) showed the massive destructive potential of DDoS attacks as a result of insecure consumer IoT devices. Mirai's attacks exploited only a small number of devices and vulnerabilities and used basic password guessing techniques. However, cybercriminals will find it easy to extend their reach because there are several IoT devices containing outdated code based on poorly-maintained operating systems and applications with well-known vulnerabilities. Expect IoT exploits, better password guessing and more compromised IoT devices being used for DDoS or perhaps to target other devices in your network,” he said.

Jakobsen also touched on the threat that insecure home IoT devices pose. "Once attackers 'own' a device on a home network, they can compromise other devices, such as laptops containing important personal data. We expect to see more of this as well as more attacks that use cameras and microphones to spy on households. Cyber criminals always find a way to profit,” he said.

It does not help that IoT device manufacturers are likely to continue making unsecured devices. Kaspersky Lab expects vigilante hackers to make a statement by making such devices inoperable, or 'bricked', turning the Internet of Things into the Internet of Bricks.

“As IoT botnets continue to cause DDoS and spam distribution headaches, the ecosystem’s immune response may very well take to disabling these devices altogether, to the chagrin of consumers and manufacturers alike. The Internet of Bricks may very well be upon us,” said Costin Raiu, Director of the Global Research and Analysis Team (GreAT) at Kaspersky Lab and Juan Andrés Guerrero-Saade, Senior Security Researcher, Kaspersky Lab's GreAT.

Source: Trend Micro. Siah.
Trend Micro called for organisations and IoT manufacturers to be more vigilant about securing their devices. “These dangers can be proactively addressed by vendors who sell smart devices and equipment by implementing security-focused development cycles. Barring that, IoT and industrial IoT users must simulate these attack scenarios to determine and protect points of failure. An industrial plant’s network defense technology must, for instance, be able to detect and drop malicious network packets via network intrusion prevention systems," said David Siah, Country Manager, Singapore, Trend Micro.

“Enterprises alike need to understand the value that smart devices bring to attackers when taken hostage. A survey undertaken by Trend Micro found that over half of the survey respondents from respective organisations have yet to instil greater security measures for their current infrastructures – that brings to concern on the need to catch up to current and future threats.”

The scenario of insecure IoT devices could play out in other ways. The FortiGuard Labs threat research team warns that if IoT manufacturers fail to better secure their devices, consumers might hesitate to buy them out of cybersecurity fears, with a devastating impact on the digital economy. "We will see an increase in the call to action from consumers, vendors and other interest groups for the creation and enforcement of security standards so that device manufacturers are held accountable for their device’s behaviors out in the wild," said researchers from Fortinet's cyber security intelligence arm.


Source: Juniper Networks. Shi.
Jun Shi, VP, Sales Engineering and CTO (APAC), Juniper Networks is optimistic that artificial intelligence (AI) can help. "We foresee the security conversation shifting towards AI and machine learning as companies integrate automation into their security solutions,” he said of the security threats against the IoT.

Source: Ixia. Naveen Bhat.

Despite all the concerns around IoT, it is here to stay, and enterprises have to include it in their strategies for the future. "IoT offers an expanding horizon of opportunity that shouldn’t be ignored due to security concerns. With foresight into these current trends, practical planning, and persistent implementation, you can move your organisation's vision for IoT forward with confidence in your security practices," advised Ixia's Bhat.

Interested?

Read the TechTrade Asia blog post on the bigger picture for security in 2017
