Connectivity and Vulnerability: An Examination of Cybersecurity Threats resulting from IoT Development
Whilst the Internet of Things has helped to revolutionize the way that people interact with technology, and has become an integrated part of our lives, serious threats still emerge from these technologies. As the IoT revolution is still in full swing, this article looks at the background of these developments and aims to keep security by design/default principles at the forefront of our minds.
By Aaron Dixon
Technological change is the only constant within today’s business world. In both the public and private sector, there is huge potential for integrated data collection, analysis and communication software. The Internet of Things (IoT) provides the means to create value through a new information value cycle – enabling business activities through sensor data collection and analysis, deriving insights and thereafter making decisions and taking action – a circular, additive process. However, there are inherent risks associated with the development of pervasive, smart technologies. This article examines what exactly IoT and cybersecurity threats are, and presents several examples of cybersecurity threats, highlighting the vulnerability of today’s IoT ecosystem. IoT extends beyond mere physical hardware; in effect, it is an integrated approach to, and process by which, data is ‘used’. The increased vulnerability to cybersecurity threats may be linked to three IoT features – ‘smart’ devices, increased connectivity, and a lack of security by design/default. As we move into the future and embrace new and innovative IoT capabilities, attention must be paid to the inherent risks of such an action.
What is IoT?
IoT, a term first coined by Kevin Ashton in 1999, is not something that can be easily defined. Any definition will be inherently vague, in order to provide inclusiveness, and not limit the scope of IoT. Deloitte provides a definition of IoT in referring to it as “a suite of technologies and applications that equip devices and locations to generate all kinds of information – and to connect those devices and locations for instant data analysis and, ideally, “smart” action.” This description suffices for a number of reasons. Firstly, it refers to the coupling of technology and physical devices. This coupling is important as it means that consideration should not just be given to modern IoT devices such as smartphones, but also to devices that have been IoT-enabled. Secondly, it refers to the “smart” characteristic of IoT devices, and their ability to analyze data. A single device has the potential both to connect with other devices, thus gathering data, and to use its own hardware and software capabilities to process that data. It must be noted that processing in this sense does not only constitute the analysis of the collected data, but also its storage, transfer and modification.
The scale of IoT device prevalence must also be considered when evaluating cybersecurity threats. According to industry reports, the number of IoT-connected devices in 2016 was 8 billion. That figure is expected to rise to 31 billion by 2020. A rising number of IoT enabled devices implies that significantly more, valuable data will be collected and generated, and also that the potential cyber-attack surface will be greatly expanded. The very nature of smart and connected IoT devices seems to be inherently opposed to the primary principles of cybersecurity, such as security by design/default, lifecycle support, testing for scale, 1:1 user access and authentication, or systems isolation.
What is a cybersecurity threat?
In order to explain how the Internet of Things (IoT) has developed in such a way that we are now vulnerable to cyber threats, one must first understand what a cybersecurity threat is. Tim Stevens defines cybersecurity in terms of both an offensive and defensive purpose. Cybersecurity protects the members and critical infrastructure of a society, and is the means by which a nation can pursue policies to bring to account malicious actors who exist on the global stage. Kevin Quigley et al. refer to cybersecurity threats as “uncertain risks.” The authors further elaborate that these risks result from the lack of scientific or technical bases for decision making, whereby a risk-modelling framework is unable to anticipate or elucidate risk events. The clear takeaway is that the key components of a cybersecurity threat are both the known and unknown elements – malicious actors use known methods to breach networks and compromise data, whilst 0-day exploits and software bugs may create system vulnerabilities unknown to developers. By its very nature, technological change causes uncertainty. Currently, companies do not know the extent of the additional benefits of IoT and associated revenue streams, nor are possible security breaches, technical difficulties or future regulatory challenges fully understood. One of the important things to remember when examining IoT and cybersecurity threats is that the identified risks are not new. However, the connectivity and ‘smart’ characteristics of IoT have allowed the number of malicious attacks or attempts to subvert systems to increase. Due to the speed of IoT development, basic principles of security may be overlooked, or deemed to be not of sufficient criticality to warrant investment and implementation.
The rapid development of IoT capabilities has meant that both governmentally driven regulations and controls, as well as ‘Security by Design/Default’, are lagging behind. Responsibility for such controls lies both in the public, and private sector, as both governments and businesses have a vested interest in leveraging IoT capabilities, but will do so to different ends. There exists the need to balance the focus upon restricting IoT advancement as it pertains to protecting individuals and reducing risk, while allowing growth and free development. A dilemma exists whereby regulators and developers are both uncertain of what the other is doing, as both are working in an uncertain environment; regulators cannot act without understanding the technology, and developers cannot work with uncertain regulations. However, without cooperative action, IoT will continue to develop in a way which increases vulnerability to cyber threats. The following paragraphs detail three cyber threats which are directly influenced by the development of IoT devices/principles.
The power of sequestered smart devices (AKA is your toaster hacking the CIA?)
The first threat examined is Distributed Denial of Service (DDoS) attacks. As previously stated, IoT devices combine the ability to gather data with the ability to process it. These characteristics give rise to the potential for IoT devices to be subverted for use as DDoS bots. DDoS attacks attempt to make a machine or network resource unavailable to its intended users, typically by overwhelming it with a flood of requests that consume significant amounts of resources and make the fulfilment of genuine requests impossible. In 2016, the source code for malware called Mirai, which had the potential to gain access to devices, subvert the use of those devices, and then spread itself to other devices connected to the network, was released on a hacking forum. The range of devices that may be affected by the malware included routers, DVRs, IP cameras, thermostats, and other internet-connected technologies. These devices would then be forced to become bots for Mirai. New records for DDoS attack sizes are being set as more devices are integrated into bot networks, with an attack in excess of 600 Gbps seen in 2016. On February 28, 2018, GitHub, a web-based hosting service for version control using Git, was targeted by a DDoS attack which bombarded its website with data, reaching a high of 1.35 Tbps. This attack resulted in GitHub being offline for five minutes, and was limited to this relatively short timeframe due to a swift response to redirect and scrub traffic thought to be malicious. For critical infrastructure or companies, such an attack could have significant financial consequences.
IoT and the problem of connected everything
The second cybersecurity threat relating to IoT is viruses. Starting almost 40 years ago, experiments were made to test how self-replicating mini-programs could infect and spread throughout computer networks. Fred Cohen undertook the task of testing the capabilities of viruses in the 1980s and was aware of the impact even at that time, stating, “if a computer virus of this type could spread throughout the computers of the world, it would […] wreak havoc on modern government, financial, business, and academic institutions.” The networked nature of IoT enables malicious software to move throughout dispersed systems to an increasing degree and with greater ease. A recent example of this which made international news was the deployment of Stuxnet, a computer virus which was able to move through removable drives, peer-to-peer networks, and private networks, before installing itself on PLC devices and hiding itself through the use of subverted key communication libraries. Stuxnet managed to infect Iran’s nuclear centrifuges and covertly altered their rotation speed and frequency in order to stress components to such a degree that they were torn apart.
The Golden Rule: Security by Design/Default
The third cyber threat once more focuses on how IoT relies upon a great many devices being connected, operating as a network in order to leverage processing power and data collection capabilities. The problem that arises from IoT, however, is that devices may be built with inadequate default security processes, which in turn leads to an increase in available attack vectors. The focus of security should now not only be upon the device itself, but also upon data which is transported to the device during updates, from the device during backend connections, and amongst devices when in use. If not all data is encrypted, and not all channels through which data is sent are hardened, a single data packet can be intercepted, extracted and modified to insert malicious software into data packets, which are then spread throughout the IoT system. Malicious actors will search the internet for devices with default passwords, which can be breached with brute force attacks in order to access these data packets. In 2016, F5 Labs recorded 6.293 million Secure Shell (SSH) brute force attacks in 6 months. The saying “a chain is only as strong as its weakest link” has never been more applicable than it is to IoT technologies.
IoT and the future
IoT is both a boon and a burden. The ability to connect a large number of devices allows users to gather information and undertake expedient action from a single, central location, much like a spider at the center of a web. However, the speed at which IoT is developing, the uncertainties which exist regarding regulation, as well as the very nature of IoT, which at times seems to run counter to cybersecurity best practices, mean that care should be taken to identify and mitigate potential cyber threats. IoT devices can and will be hijacked in order to partake in malicious acts such as DDoS attacks. Additionally, the connected nature of IoT means that viruses and other programs that thrive in open, easily traversable cyber environments will be more effective than ever at infecting systems. The last point speaks to the attitude that accompanies IoT technological development: security by design is not yet the default position of developers and manufacturers, and comprehensive security protocols are not implemented for devices themselves, nor for all data transmission and device connectivity, as they are not yet mandatory due to a lack of regulation. Cybersecurity threats have existed for as long as it has been possible to link two devices together. However, IoT has developed in such a way that malicious actors have greater avenues of attack, are able to subvert smart devices to perpetuate cycles of infection and exploitation, and are unhindered by the strict regulatory controls which would ensure that all devices embrace security by design/default principles.
Deloitte supports its customers by leveraging our expertise and experience. Therefore, Deloitte strives to develop comprehensive risk management and governance processes in order to foresee and mitigate IoT-related vulnerabilities. Three things follow:
- cyber security must always temper innovation;
- a ‘risk philosophy’ must be created within organizations;
- a global structure needs to be developed to guide future IoT initiatives.
As IoT continues to develop, companies must keep pace if they are to grow and avoid unnecessary risks. Deloitte has developed a range of processes and techniques in order to ensure that our customers are secure, vigilant, and resilient.