IoT brings opportunities but it also brings cyber security risks – some of which have barely been thought about.
IoT security- There are billions of connected devices in use around the world, in our homes, our offices, even inside our bodies as medical devices are connected to an ever-growing internet of things (IoT).
Vendors rush to add to the range of devices available, with many looking to gain a hold in the market as quickly as possible, delivering cheap, easy-to-use devices into the hands of users.
But this rush to market often comes at a cost, with cyber security often given little or no thought as manufacturers look to be the first to offer connected devices. That has often led to devices hitting the market and selling in large numbers of units, only to be discovered to be completely insecure.
Devices ranging from IP cameras, to children’s toys and smart home hubs have been found to contain significant vulnerabilities which can be exploited to spy by using the IoT device as an entry point into the wider network for committing other cyber crimes. The sheer number of insecure IoT devices on the market was also a key factor behind the Mirai botnet attack of late-2016, which spearheaded a massive Distributed Denial of Service (DDoS) attack that affected large sections of the internet.
That incident showed the damage insecure IoT devices could do — and governments around the world have since started examining how to ensure connected devices are better secured.
Last month Europol, the European Union’s law enforcement agency, and ENISA, the European Union Agency for Network and Information Security, held their IoT security conference at Europol’s headquarters in The Hague, The Netherlands to discuss the problem with industry — and how to go about securing the IoT, before it’s too late.
“There are many exciting opportunities for our citizens, for digital society, for businesses and also a massive economic opportunity for Europe to take part in this,” says Wil van Gemert, deputy executive director of operations at Europol on the IoT. But there are already signs that things could get worse.
“There’s also criminal opportunity because of the Internet of Things. We’ve seen some examples of this, but the real potential is yet to materialise,” he says. “It’s a matter of time before a shift towards a proliferation of IoT-related attacks.”
One of the major problems with IoT security is that users often have no idea that their device has been hacked or infected with malware — or that this can even happen.
In many case, devices will be bought, plugged in and simply forgotten about. They won’t receive updates, they won’t have default passwords changed and nobody is going to notice if their smart-kettle is being used to conduct DDoS attacks, or that it needs security in the first place. Criminals know this and are keen to exploit it.
“Hyper-connectivity also means hyper-threats. It means threats to security which are bigger, faster, smarter. So like with every new positive development, there comes a dark side and the challenge is that these threats can propagate in scales and with impacts that were unprecedented before,” says Miguel Gonzalez-Sancho, deputy head of unit for ICT for Inclusion at the European Commission.
IoT security is a “very serious area” for the European Commission, he says, arguing that cooperation across the European Union is key to solving the issue.
“Capabilities on cyber security differ across the European from one state to another, from one sector to another — which makes us vulnerable as a whole union. We need to become more cyber resilient and provide a better response to cyber attacks. Cyber security is now on the top level of the European agenda and every state involved today,” he says.