Beware the trade-off between IoT convenience and security


CSID’s Andy Thomas argues that while the Internet of Things (IoT) has gained momentum over the past year, the convenience of such connectivity could come at the cost of security.

Connected cars have made the headlines this year. Vehicles have long been computerised, but only recently linked to the Internet, and some manufacturers have shown a lack of security expertise. In April, cyber-security experts revealed a software flaw in the Jeep Cherokee’s entertainment system, which allowed them to take control of the vehicle on the move using a laptop at home. The hack, which they described as “fairly easy” and “a weekend project,” enabled them to alter the vehicle’s speed, change its braking capability, and manipulate the radio and windscreen wipers.

More recently, researchers hacked a Tesla Model S – once again via the car’s entertainment system, although it took closer to a year to achieve. They were able to apply the hand brake, lock and unlock the car, and control the touch screen displays. Tesla quickly developed a fix, which has been sent to all affected vehicles.

The thought of a hacker taking control of your steering wheel is rather daunting; the idea of them hijacking your refrigerator is probably less so. However, apparently innocuous devices such as “smart fridges” and “connected toasters” warrant equal consideration, because they are a point of entry to your network. It’s like leaving a window open in your spare room: it allows access to the rest of the house, whether or not there’s anything of value in the room itself.

The recently exposed vulnerability of a Samsung smart refrigerator is a case in point: its calendar integration functionality provided hackers with access to the owner’s network and the ability to steal linked Gmail login credentials. Similarly, weaknesses in smart light bulbs have allowed hackers to obtain the passwords for the connecting Wi-Fi network as they were passed from one bulb to another.

Meanwhile, there are plenty of unfounded security fears around things like smart medical devices. In fact, most use Bluetooth; they aren’t connected to the Internet at all. Generally speaking, they’re too small to incorporate a phone connection, and consumer concerns over phone transmitters in the body restrict development of the technology. Pacemaker hacking is highly unlikely at present.

The majority of smart watches don’t connect directly to the Internet, either. HP has found major areas of concern in many smart watches, including insufficiently robust authentication, vulnerability to man-in-the-middle attacks, and poor firmware updates. However, the real weakness is the mobile phone the wearable links to, which holds vastly more personal data and exhibits many of the same vulnerabilities.

Certain wearables are a problem, due to the information they hold. For example, some music festivals allow participants to load their wristband pass with credit card information. Simply holding the wristband up to the vendor’s reader pays for drinks, food and merchandising. It sounds cool and convenient, but lose the wristband, or sell it at the exit, and the new owner has only to crack the wristband’s four-digit PIN to gain access to the credit card information.

Wearable technology risks

Wearables, particularly fitness trackers, have taken off in the last few years. Figures for 2015 show that 14 percent of UK adults own a wearable device or smart watch (compared to 63 percent who own a smartphone or tablet), and the market for fitness devices and apps has doubled in the past year. All this wearable tech creates new opportunities for collecting private data, and Symantec threat researcher, Candid Wueest, believes that developers of wearable devices are not prioritising security and privacy. His research found some devices sending data to a staggering 14 IP addresses; and at a Black Hat demonstration, he identified six Jawbone and Fitbit users in the audience, and specific details about their movements – down to the time they left or entered the room.

In short, the IoT is here, but before placing an order for a fancy new fitness tracker, that swanky smart fridge, or sensors for your business, take a moment to consider these points:

Prioritise security – Back up data as you would with any other tech device. Too many people don’t back up regularly until they lose their photos/tax returns in a hard drive crash.

Be aware – Read reviews and technical documents. Ensure you know what a device does, how it is secured, and how to minimise opportunities for others to misuse its data. Look for wearables with remote-lock capabilities, so that you can lock or erase data if they’re stolen; and always protect your devices with a password, or biometric authentication if possible.

Andy Thomas is Managing Director of CSID Europe