Estimates vary about how many “things” will be connected to the Internet by 2020, but the more conservative sources put the figure at around 26 billion, double the 13 billion connected in 2015, according to IoT Daily.
From energy grids and haulage firms to warehouses and financial systems, every industry is going to be getting in on the act, and CEOs of both large and small operations are going to be rightly excited about the efficiency savings and increased capacity this “smart revolution” will bring. Regardless of the actual numbers involved, the IoT is coming, and there will be a huge amount of extra data zipping about on the Internet. Now the question needs to be asked: How secure is the Internet of Things actually going to be?
What price is your data?
Whether it’s answering an online survey in return for free Wi-Fi access or permitting your browsing history to be recorded so that relevant ads can be served alongside your content, we all know that being connected comes at a price – and that that price is often our personal data. However, when we lose sight of the companies behind the things that are sending out bits and bytes from our homes and businesses, it can become a security blind spot. We all understand the importance of watertight security when it comes to logging on to our online bank or accessing the hospital database, but even an apparently harmless “smart” kettle can expose important network information, which can then act as the thin end of a wedge, cracking into a company’s data.
It’s not just the companies that we buy the smart gadgets from that we have to beware of; it’s also the hacktivists and downright criminals who are actively scanning for a leaky source of data and improving their techniques all the time. It’s almost a cliché to say that data security is only as strong as the weakest link, but, sticking with that analogy, the IoT is about to add infinitely more links to that chain. As the Internet of Things is gradually absorbed into our infrastructure – our health services, our energy grids, our traffic networks, etc. – the risk of a data breach increases. From intellectual property theft to ransom demands to terrorist attacks, the risk to society of unsecured data is significant.
Internet protocol dissociation: An imperfect solution
Much has been made of the insufficiency of the current IPv4 identification and routing standard and the transition that will have to be made to IPv6 or some other protocol in order to cope with the sheer number of online objects expected to swell the network. Part of the discussion has focused on maintaining robust IP dissociation practices to ensure an object’s online identity is delinked from personal or company data. These are obviously key factors in designing a secure IoT, but more needs to be done to address security issues that do not require a link to personal data at all.
A classic example is the vulnerability that allowed two hackers to take control of a Jeep Cherokee – part of an exposé highlighting weaknesses in the Uconnect system used by auto manufacturer FCA (Chrysler). Using just a cellphone and a basic Mac computer, two hackers took control of the vehicle’s air conditioning, visual display, radio, windshield washers, and even the engine and brakes, and then released the in-car video footage. During their research they also realized that they could have targeted any one of a number of similar vehicles if they wanted to launch a genuine zero-day attack. For them, any actual personal data connected to the vehicles’ IP addresses was irrelevant as long as they had rewrite access to their chips’ firmware. Aside from the real danger of fatalities on the highways, auto manufacturers should already be having nightmares about product recalls and class action lawsuits.
The role of the cybersecurity advocate
The Cherokee hack was – according to the hackers involved – designed as a wake-up call to the auto industry, but it also pointed the way to a possible solution to the security dilemma. Working with the hackers (under the euphemism “cybersecurity advocates”), Chrysler sent out a patch and that particular loophole was closed.
The example above demonstrates that to stay ahead of the game, companies are going to need to get inside the hackers’ mindset and anticipate problems before they happen – recruiting proactive expert help rather than relying on the standard iterative process of IT development.
Standardization vs. fragmentation
As ever more companies race to implement the latest IT operation and usability solutions, the insufficiency of the overarching IT ecosystem is becoming apparent. There is often no Apple, Google, or Microsoft architecture that can provide all of the components necessary. In this absence of standardization, the IT savvy have created their own private networks, devising bits of code to link up the various parts where needed. This kind of fragmented IoT is just what the hackers want, as there will always be vulnerabilities into which they can hook themselves and try to siphon off data.
Standardization offers the best hope of shoring up the IoT as well as ensuring company staff are trained to follow best practices in IT security, such as creating robust passwords and ensuring the latest patches and updates are downloaded.
Technological advance and competition go hand in hand, with companies falling over one another to implement improved tech solutions and make their businesses more efficient and their end users happier. While this healthy drive towards innovation should be encouraged, it should also be tempered with a concerted effort by all stakeholders to build a robust and secure IoT, one that is invulnerable to data leakage. Data theft and compromised safety are real threats that can harm individuals, businesses, and civilization itself. There is a real danger, if data security is not treated as a priority, that those risks will undermine the significant rewards that are on offer.