Internet of Things security

We've previously discussed the poor security of many devices on the Internet of Things (IoT) - the network of “smart” devices connected by the Internet. Unfortunately, in their race to implement features, vendors seem to rate IoT security very low on their list of priorities. Often, IoT devices are protected by factory default or hard-coded usernames and passwords. Such poor security practices result in millions of connected devices that almost anyone can connect to - and in many cases control. Devices include home routers, CCTV cameras, medical devices, thermostats, and even cars.

A worrying example came to light this week. Two German security researchers have been looking for security holes in various places, and found that traffic lights produced by a certain German company can be programmed remotely by anyone - there is no encrypted communication channel. They report that 23 traffic lights were not secure, and even though they notified the manufacturer, it has yet to fix the problem.

According to Gartner, 6.4 billion connected things will be in use worldwide in 2016. This is an increase of 30 percent from 2015, and the number will reach 20.8 billion by 2020. These are staggering numbers of devices, and millions of them will be vulnerable.

Apart from the obvious problems that can be caused by hacked traffic lights, medical devices and thermostats, IoT devices are increasingly being incorporated into botnets and used to send spam emails and for distributed denial of service (DDoS) attacks such as the one described here. Because the attacker has a free botnet, it costs them almost nothing to mount a devastating attack on a website. The target, meanwhile, has to allocate more and more resources to keep their site running. Botnets composed of CCTV cameras are becoming more common, and this particular attack also involved compromised home routers.

As the IoT expands, these security concerns are rapidly becoming a security nightmare. It's now been a year since the IoT Security Foundation was established, but it is not yet clear whether IoT vendors are taking heed of its message.

Posted by John Faulds in News