IoT Product Failures And Security Impacts

by Dr. Christopher Pierson, CSO and General Counsel, Viewpost

From our cars to our televi­sions to locks, cameras, and lights we are immersed in the Internet of Things (IoT) world. Even our crock-pots now have the option of being connected to the Internet, automating dinner at the push of a button! In many ways, IoT devices have enabled convenience, com­fort, automation and monitoring, have improved physical security, and have decreased the amount of time spent on menial or repetitive tasks. The explosion of IoT devices this past holiday shop­ping season was even more evident by the sheer number of cameras, doorbells, and thermostats that were heavily dis­counted and flying off store shelves.

In fact, a recent study from the In­teractive Advertising Bureau found that 62 per cent of U.S. consumers own at least one IoT device. Gartner pegs the number of global IoT devices in 2016 at 6.4 billion, rising to nearly 21 bil­lion IoT devices by 2020. The explo­sion of IoT devices is in part due to their ability to easily connect to home networks - no more opening ports, using static IP addresses, or punch­ing holes in the firewall. IoT devices just work the way “plug and play” were originally envisioned.

IoT is here to stay and its simplic­ity and convenience are what will truly make our homes “smart” and more efficient.

So what is there to talk about?

With the ease of connecting devices to your network (home and yes, the work environment) consumers are empowered to tackle those do-it-yourself projects and claim success when the blinking light turns green. Each of the prod­ucts we connect to our networks puts connectivity and opera­tions first over all else espe­cially cybersecurity.

The tales of misconfigured devices have been captured in the past on webpages showing infants sleeping and other cam­eras showing private moments. So, what is different in the year 2017?

At the end of 2016, we wit­nessed multiple Distributed De­nial of Service (DDoS) attacks using IoT cameras on Krebs’s website and the DNS provider Dyn that flooded these net­works with attacks peaking at 660Gbps and 1Tbps worth of Mirai laden bot-net traffic re­spectively. It is estimated that 100,000 hijacked cameras and other IoT devices were behind this bot-net army.

It is the ease and ability of an adversary to wield IoT de­vices in such high numbers that have changed the game for cybercriminals and their unsus­pecting targets. It is unlikely we have yet seen the biggest risks from unsecured IoT devices.

IoT Risks in 2017

To date, weaknesses in IoT de­vices have been used as a part of bot-networks and digital vo­yeurs. However, the business of cy­bercrime will rapidly shift in 2017 to other attacks, including:

• Hijacking/Ransomware - tak­ing over IoT devices and then re­questing payment to regain access to the device. Regardless of the fact that a hard factory reset may assist in returning the device to a known safe state, many consumers will struggle with this.

• Destruction - bricking IoT devices is a sure-fire way to harm the U.S. economy and the entrepreneurial spirit embodied by these companies and products.

• Extortion - devices with mi­crophones and cameras are es­pecially susceptible to leak­ing information that is of a private nature.

• Extortion - the continuation and escalation of large-scale DDoS at­tacks using IoT devices.

How do we tackle this insecurity of IoT?

IoT devices have demonstrated the capacity to bring immense value to the forefront of consumers’ lives. Just check out the websites of several lead­ing camera providers and you will see the videos of many burglars who are now behind bars that previously would have victimized countless oth­ers but for the camera on the book­shelf or in the window. So, with all this good, how do we tackle insecu­rity without smothering creativity?

1. Balance operationalizing the prod­uct with cybersecurity at the Venture Capital Firm and Board levels.

Security can be a very important dif­ferentiator, especially when a prod­uct sits in the most private place in our lives - our home. Of great im­portance is selecting a VC firm and Board who know how to hire the right advisors to ensure security is on the roadmap in a way that does not cause friction and will still al­low a company to capture and re­tain market value. If a webcam was attacked and every one of the $200 devices rendered useless or the lights in a house forced to blink on/off every second, the goodwill of those companies will be eroded. Selecting business partners who know how to mitigate these risks can improve the overall product and customer experi­ence.

2. Aligning the interests of the prod­uct engineers and creators with agile and open-minded privacy and cyber­security experts.

Simply put, baking security and pri­vacy into a product on the front end is less costly and disruptive than trying to code it on the back end. All too often the interests of en­gineers and security teams are not aligned with the company’s most important interests - the products/ services. This is a failure of lead­ership and something that can be easily avoided. No one wants their IoT devices letting the world know what they are doing, and we can and should coalesce around this goal of alignment.

3. Making cybersecurity part of eve­ryone’s job - even the engineer’s job

Most engineering programs do not have mandatory components of se­cure coding or cybersecurity as a part of the basic requirements. While non-engineering talent can help educate coders and designers, it is best to have a baseline level of knowledge on how to code securely, test APIs, secure a web application, and avoid those items that are consistently part of the OWASP Top 10 and SANs Top 20 lists. Where it does not exist, it is up to the leadership to sponsor and grow this talent.

4. Incentives for strong cybersecurity

Sponsoring cybersecurity in IoT de­vices through incentives, grants, or even subsidizing cybersecurity posi­tions or access to cyber-talent ben­efits everyone. We can and should make this a priority.

IoT devices add immense value for the consumer, but we need to be careful that we imbed basic cyber­security protections and controls in each product prior to pushing them into the market.