Levi, Ray & Shoup, Inc.

Security issues with the Internet of Things

2/20/2019 by Chris Hill

By Chris Hill

Wikipedia states that the Internet of things (IoT) is the network of devices such as vehicles, and home appliances that contain electronics, software, sensors, actuators, and connectivity which allows these things to connect, interact and exchange data.

This class of technology is growing by leaps and bounds, with Forbes predicting the market will reach $260B by 2020. The uses of this technology are endless, from high-end manufacturing automation to a simple electrical outlet that can be controlled from a smartphone.

Familiar examples of the technology are Amazon’s Echo and Google’s Home. The companies are using these IoT devices to directly interact with the consumer to order supplies and services by simply speaking to the smart home hub.

The hub is a device that can listen and respond to commands from the user and it can also interact with an ever-growing line of solutions such as home security monitoring, air quality monitoring, temperature control, garage door openers, keeping up with the score of your favorite sports team, or even ordering a pizza. Some more advanced devices such are fire and smoke alarms can be configured to interact with first responders and we can all see the value in that.

The challenge is that most IoT devices are not built with security in mind and are, by their nature, simply connected to the internet to start working as intended. Many of these devices can be difficult to manage from a vulnerability management perspective, as most of them are running a nontraditional operating system such as Windows or Mac and that can make it challenging for consumers and enterprises to maintain. Traditional security tools will also have challenges when it comes to monitoring and alerting capabilities around these devices.

Installing these devices on any network can inherently cause a security risk by not changing configuration items such as default password or any other default configuration that could leave the device vulnerable and allow someone else to control the device.

And that actually happened.

Back in 2016, an attacker took control of hundreds of thousands of these IoT devices that were left unmanaged and with default settings as described above and carried out what, to date, is still one of the largest Distributed Denial of Servie, or DDoS, attacks. Many large web sites, including Amazon, Twitter, Spotify, Box, Github, New York Times, Airbnb, and many others were rendered useless during that attack.

The attacker used what was later determined to be 145,000 Infected IoT devices to carry out this large-scale attack, which peaked at 1 Terabyte per second. Before this attack, nothing had even came close to that amount of traffic.

Imagine this scenario: You’re relaxing one Sunday afternoon with your family and the connected devices in your home suddenly have a mind of their own. Your refrigerator starts dispensing water and floods the kitchen, your oven turns on high, and your alarm system alters the authorizes that you have a hostage situation.

While this may not be a world crisis, imagine if this occurred to devices that are dispensing medication to patients across the globe, or if Precision Agriculture devices falsely started to alert the industry that there is a global outbreak of an animal to human disease.

Now that’s a different situation!

About the author

Chris Hill is a Security Practice Leader with LRS IT Solutions. Along with a degree in Electrical and Electronics Engineering, Chris has extensive experience in information security, including more than 20 years in state government, where he was involved in the strategic development of cyber security capabilities, specifically in the areas of governance, risk and compliance, security operations, security engineering, as well as identity and access management. Chris is currently pursuing his accreditation as a Certified Information Systems Security Manager.