Answer by Sai Ramanan, Security Ninja & Trusted Security Adviser, on Quora
An HP Fortify report mentioned that the top 10 IoT devices include TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales, and garage door openers.
The scale and grandeur of IoT and the tons of data stored make it an alluring target for threat actors to attack these cloud providers and consumers.
Before we speculate on which products are most likely to be exploited, let’s take a look at the risks these IoT devices introduce to the IT ecosystem.
1. Privacy risks:
Implementation of smart meter devices can solve a lot of things and save costs for consumers, but these devices have inherent privacy risks as well. The design of these new smart meter products should consider security as part of their product offerings. Consumers should be able to opt out of sharing the daily feeds with third-party cloud providers and opt in to share the data they feel more comfortable with. Consumers' usage and what they do in their daily lives can be intrusive and personal, and not all consumers feel the need to share it with third parties. I definitely believe the smart metering devices and consumers have a shared responsibility in this space.
2. Risk of unmanned devices:
Much like an unmanned wireless access point (WAP) which can entice the wireless users to advertise the unauthorized WAP, there will be scenarios that are similar to this in the IoT space. In this scenario, the posture assessment and contextual access control will determine if an infected host is able to connect to the network.
You should consider application discovery tools to regularly scan the networks for any unauthorized sensors on the network trying to join and providing the updates to the management server.
Until their hosts are remediated, there should be rules established for the infected hosts or repeat offenders who could be issued increasingly stricter policies that limit their network access and real-time alerts to the managers. For example, if a particular IoT device is infected with a certain new type of malware or dropper, you can invoke checks to ensure all devices of that type have not been similarly infected and segment the vulnerable devices into a different part of the network until the issues have been mitigated through patching or reimaging.
3. Risk of unpatched devices:
Now with the extensive proliferation of these IoT devices, enterprises will have to expand their patching strategy to include health tracking devices, smart metering devices, intelligent transportation devices, etc., as part of other application patching. The IT operations team will now have to update their operational patching schedule to include these devices. The Verizon 2014 data breach report supports the call to attention and specifies patching as one of the key basic issues that are not addressed by organizations to stay protected.
We know that this could be very devastating to the consumers who have implemented these solutions. The cloud providers who collect sensitive information will need to think through the risks and apply a threat-centric approach to detect and prevent these threats.
4. Risk of burglary and homicide:
Let’s take a step back and see what happens if an unauthorized intruder has control of the smart metering information introduced by the IoT smart metering devices. The regular, frequent smart-meter readings, if not properly safeguarded, can tell hackers when a house was unoccupied and provide useful statistics such as the consumer’s sleeping patterns, usage of certain home electronics and medical equipment, etc.
To summarize, hackers are “most likely” to exploit the
- targets that can lead to extremely critical data (SCADA systems, smart grids, etc.)
- targets that control multiple devices if compromised
- targets that process credit card and personal consumer info
- Intelligent devices that can enable real-time decision making
- and … cloud-based IoT startups
Hackers are “least likely” to exploit the
- targets that process individual consumer info (garage door openers, set-top box systems, etc.)
Over the next few years, the IoE will provide the opportunity for unparalleled access to data coming from billions of new endpoint devices, people, and processes, and this will be an interesting phase for venture capitalists, CIOs and security strategists.
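
The escalation and segmentation rule described under "Risk of unmanned devices", as an added example that is not part of the original answer: an infected device moves to a stricter segment with each repeat offense, and every device of the same type is flagged for a check and segmented until it is remediated. The segment names, the `Device` fields and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical segment names, least to most restricted (assumed for this example).
TIERS = ["production", "restricted", "quarantine"]

@dataclass
class Device:
    device_id: str
    device_type: str
    offenses: int = 0          # infections recorded so far
    infected: bool = False
    needs_check: bool = False  # same type as an infected device, not yet verified
    tier: str = "production"

def assign_tier(dev):
    """Pick the segment: stricter for each repeat offense until remediated."""
    if dev.infected:
        dev.tier = TIERS[min(dev.offenses, len(TIERS) - 1)]
    elif dev.needs_check:
        dev.tier = "restricted"
    else:
        dev.tier = "production"
    return dev.tier

def report_infection(inventory, device_id):
    """Record an infection, segment the device, flag all peers of that type.
    Returns alert strings for the managers."""
    dev = inventory[device_id]
    dev.infected = True
    dev.offenses += 1
    alerts = [f"ALERT {dev.device_id}: infected (offense {dev.offenses}), moved to {assign_tier(dev)}"]
    for peer in inventory.values():
        if peer.device_type == dev.device_type and not peer.infected:
            peer.needs_check = True
            alerts.append(f"CHECK {peer.device_id}: same type as {dev.device_id}, moved to {assign_tier(peer)}")
    return alerts

def mark_remediated(inventory, device_id):
    """Patched or reimaged: restore access but keep the offense history."""
    dev = inventory[device_id]
    dev.infected = False
    dev.needs_check = False
    return assign_tier(dev)

def build_sample_inventory():
    # Constructed sample data, not from any real network.
    devs = [Device("cam-01", "webcam"), Device("cam-02", "webcam"),
            Device("thermo-01", "thermostat")]
    return {d.device_id: d for d in devs}
```

Because `offenses` survives remediation, a device that is reinfected after being patched goes straight to the strictest segment rather than starting over.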