On the Cover

Facing the threats of a connected world.

The benefits, in terms of lifestyle and business, are enormous. Incorporating IoT into our lives can boost health, safety, finances, and everyday planning.

However, along with its conveniences, the IoT brings unprecedented challenges in terms of security, privacy and trust.

The IoT will certainly not increase security, says Uri Rivner, VP business development and cyber strategy at BioCatch. “IoT devices are not just connected to the home network – the whole idea is that they communicate with the outside Internet as well. That’s the ‘I’ in ‘IoT’. This turns homes and offices into targets for remote attacks.

“Anyone will be able to connect to your smart home, office or hotel room remotely, and do as they please. Turn the heating system on, switch the lights off, tamper with the system or order pizzas posing as your fridge – these are just a few examples. You don’t need to be a Hollywood screenwriter to think of the implications.” In addition, Rivner says patching will become a nightmare. “Today, you have a PC, a tablet and a smartphone, and even this might drive you crazy in terms of updates; hardly anyone bothers patching all the applications.

Now think about dozens of small computers connected to your home network. Patching will have to be managed centrally, or things will quickly get out of control.”

Another risk, says Rivner, is that cyber criminals could create vast armies of zombie IoT devices. “To put things in perspective: in 2006, an attack against a major US bank was hosted in an irrigation computer in an Israeli Kibbutz; they had to physically go to the field and disconnect it in order to shut the site down. Eight years later, Proofpoint reported a network of over 100 000 Internet-connected smart home appliances was detected sending a spam and phishing campaign. Now think about controlling billions of Internet-connected devices in any house and building eight years from now.”

One of the challenges security already has is visibility into what is happening, in order to find the bad things or protect against them, adds Steve Schlarman, a governance, risk and compliance (GRC) strategist for RSA. “Adding more and more ‘things’ generating data and increasing the attack surface just complicates security’s role. Every ‘thing’ added to the Internet has some possible implication; it is the risk of the ‘thing’ that is important.

“Am I worried that someone could hack into my refrigerator and see that I am low on milk? No. Am I worried someone could hack into my power meter and shut it off? Yes. So the impact on security will be multi-fold. Just take a look at software development and patching – two really core topics.”

On the consumer side, Schlarman says the rush to market of “Internet connected things” will make companies that aren’t necessarily security conscious, such as refrigerator manufacturers, even more likely to introduce software into devices with more attack vectors, especially if open source or original equipment manufacturer (OEM) components are used widely.

Schlarman also points out that even conscious companies will have to be very careful as “things” are brought online. “We see the car companies’ struggle with recalls. Now I need to start pushing out software patches to light switches, microwaves, stop lights, home thermostats, and so on. IT has struggled with patching known systems for years and meeting SLAs. Wait until I can’t get my furnace to turn back on because I have to patch my thermostat and it didn’t reboot properly.”

On the enterprise side, Schlarman says, the enterprise (which IT struggles to manage securely already) has been exploded into every device, assembly line machine, conveyor belt, and suchlike, that it can possibly be hooked up to. “IT now has more data going across the network and has more attack vectors. Every business partner I connect to has its own black hole of “things” and is a portal into my enterprise. The idea of traversing devices in leapfrog attacks just grows exponentially.”


Ian Farquhar, a researcher, asks whether the companies and organisations that produce IoT devices are really capable of producing secure solutions. “Too regularly, usability and security are seen as incompatible. Will usability and time-to-market override good design, as it has so many times in the past, for example ’s early Web technologies?”

Secondly, there is the question of whether those vendors keep their products up to date for the lifetime of the product, says Farquhar. “Take a light switch in a house: will the company producing an IoT light switch continue to produce updates for the lifetime of the switch, potentially decades? Will the profit margins made on IoT devices support this ongoing engineering effort? And even if they do, will people bother to update their firmware?”

Uri Rivner, BioCatch

“Can most people really tell the difference between good and bad security, before it is too late?” asks Farquhar.

Farquhar says many IoT devices are connected to things which can cause serious damage in the real world, unlike a modern home computer. “Think about an IoT controller in a gas cooktop, with the ability to control a solenoid which turns the gas on, as an extreme example. But even something like a refrigerator could have its motor run so hard that it burns out, or spoils all the food.”

In terms of privacy, Farquhar says: “Can we trust these devices not to report on our activities to marketing agencies, government, or other organisations? Even the flicking of your light switch in your bedroom reveals a profile of activity about you. Does IoT create the ability for organisations to put a sensor network in your home to so perfectly track your habits and movements that you will have no privacy left? I think this is a very serious concern.”

Schlarman agrees. “Privacy at some point is compromised merely by participating in the IoT. If you aren’t paying for a service, and aren’t able to dictate what can and can’t be done with your data, for example free mail services, then how can you expect your data not to be used by that service? It is hard to argue against Google - who has never been paid by its users, who have been benefiting from its free services for years - using data freely given to it in searches, e-mail, and suchlike, to create revenue. Name another service industry in the world where the consumer/recipient receives benefit without paying money, or giving anything in return. So if I have an IoT device, and am not paying for the benefits of that connectivity, then I should assume that something is being taken in return for my benefits.”


In terms of who is responsible for securing the IoT, Rivner says it’s an expectation-setting matter. “When cars got connected to networks, car manufacturers didn’t really think about cyber implications. Recently this has changed, and the big carmakers spend significant resources on hardening the infrastructure. They don’t want any publicity about airbags being remotely inflated by hackers. The same will probably apply here. People will expect the IoT infrastructure to be secured, and providers who have low standards will get crucified by social media if their devices become involved or targeted in cyber attacks. They may not get security right to begin with, but they’ll learn quickly.”

“Having said that, the chance of protecting an individual home network with all of its future devices is close to zero. Bad things will happen,” adds Rivner.

It is Farquhar’s opinion that the vendors who produce the products will hold the primary responsibility for securing their devices. “However, it is also likely that the users themselves will connect the devices to a home network, which is likely to have some gateway that provides protection against external attack. But it’s not just external attack that you have to worry about. As I said, one of my concerns is that the devices themselves could be a threat, by design.”

Remember too, adds Farquhar, that these devices will be manufactured internationally. “What may be acceptable in the US, or in China, may be unacceptable in South Africa, or in Europe. That is a problem now with the traditional Internet experience, and witness the deluge of problems with smartphone apps behaving inappropriately. What if it’s devices built into our house?”

In Farquhar’s opinion, part of the answer is to consider product vs platform. “I believe if we leave security to product, it will be a disaster. Security will become an afterthought in the rush to production, and we’ll end up with houses and enterprises full of IoT devices which expose a massive attack surface to miscreants who wish to exploit that (criminals and government). We need to see the development of flexible platforms, with Google’s @home being an example of this. By building products off platforms, the engineering work needed to secure those platforms can be spread across multiple products and has a much better chance of actually happening.”

But, it’s not a perfect solution, Farquhar says. “Android is a platform, but I’m sitting next to a drawer containing 20 phones and tablets all of which run 2.x versions of it, and that’s the last version available. This is partly because Android is an evolving platform, sure, and its hardware requirements increase as Google releases new versions. But many of these devices are simply abandoned by their manufacturers, who see supporting these old products as not only redundant, but as potentially impacting on new sales. I cannot see any reason why this same market dynamic won’t be an issue with IoT.”

Secondly, with all due respect to Google, it is a company which makes its profits by selling information to marketers so they can target people better, Farquhar explains. “Apple has also been subject to criticism for its handling of the conflicts between its own commercial interests, its partners and its users. So who should be the organisation to build these tools? That’s an open question, I believe. Open source should surely be one answer, and there are companies looking at that (and one has to note: Google’s platforms are built heavily on open source code too). But could an open source project achieve the penetration needed to become market relevant? One hopes so, but it’s definitely not clear.”

Schlarman believes that because everything is hooked up to the IoT, everyone should be responsible for security. “There are of course some front line people – the software developers, the manufacturers of Internet ready ‘things’, and so on. However, if I set up an Internet connected Web cam in my baby’s nursery, I had better understand the risks and take the appropriate steps, such as not setting the password to view the cam as ‘password’, and making sure I patch any software and keep it up to date. So when it comes to critical infrastructure, the providers are going to be the first that are responsible. When it comes to embedding software into Internet ready appliances, or ‘things’, then it is the manufacturing/software companies’ responsibility. When it comes to understanding the risks of connecting those ‘things’ up to the cloud, then it is the responsibility of the person plugging the wire in, figuratively speaking, as most of these ‘things’ will be wireless, which also raises the need for wireless security.”

Security has many challenges, adds Schlarman. “What is connected? What does it do? What are the risks around what is connected? What can be done to/with/through/on the connected ‘thing’? So just understanding the IoT and its risks is a challenge. Then locking things down securely becomes a war of attrition – securing high risk, high value targets and keeping on top of what is happening.”

Schlarman says with the IoT, security has some very fundamental tenets to consider: “Understand the risk. This risk needs to be understood top down – from the manufacturer to the person ‘plugging’ into the IoT. Hopefully people are becoming more conscious, but there will need to be an uptick in people’s acceptance of responsibility, such as not using ridiculously weak passwords.”

Secondly, Schlarman says software development and patching will have to improve. Even good security-aware software companies produce buggy or vulnerable software. So the responsiveness and diligence around code development must get better and better.

Encryption and advanced technologies play a role, but aren’t a panacea, adds Schlarman. “Encryption will help with some privacy issues and must be a part of the solution, but it also has its overhead and administrative challenges. Advancing secure networking, such as IPSec and resiliency such as protecting against DDoS attacks, are also technical issues that must continue to evolve. However, some of these issues are just plain old people problems such as not patching or changing default passwords timeously. So we can’t underestimate the need for education and awareness and forget the people that form part of the equation.”

Security and law enforcement share many common traits, Schlarman concludes. “You cannot prevent all crime; you cannot prevent all hacks. Awareness, dedicated professionals, advancements on the global stance on computer-related technology and many other factors are going to help make the IoT secure. I think we can draw some lessons learned from crime prevention but, I suspect we will have a few disasters along the way. I just hope my toaster will be safe.”