IoT industry is in "for a big wakeup call" if security isn't addressed

The Internet of Things may be a big buzz term at the minute, but its potential is huge. Various analysts predict billions of IoT devices to be measuring the world around us within the next few years. However, the industry is doomed from the start if it doesn’t start taking basic security seriously.

While speaking at this year’s IP Expo in London and later in a one-on-one talk, James Lyne, Global Head of Security Research at Sophos, had some stark predictions for the Internet of Things. “We are placing an unprecedented number of devices around ourselves that do all kinds of bizarre new things that hold onto all kinds of new data. I love that, it has so many amazing opportunities for convenience, to learn, to enhance our lives. It's great, but it could also offer literally unprecedented power for cyber criminals in the physical and digital world.”

IoT Manufacturers: Must try harder

Warning at one point that security in the IoT is like Windows 95 when every other industry is running Windows 10, he showed a video where an internet-connected child’s doll was hacked to play Rick Astley’s Never Gonna Give You Up.

While that’s a fairly harmless – if upsetting for a child – example of an IoT hack, it’s just the tip of the iceberg. The event saw numerous devices all compromised within a short space of time, and in Lyne’s view these flaws are down to “mostly sloppiness, naivety and velocity” from the product makers. “There's a lot of fundamental design failures. A lot of these devices, the security model is ‘if you can connect to it, you can control it’. No username, no password, no crypto keys,” he says. “That's a security model we abandoned in Linux with rhosts when I literally was a child.”

“If Microsoft introduced something that trusted you because you could connect to it, they would be lambasted. And yet here we have products that are implementing that.”

Even the companies that have avoided those simple pitfalls are still falling foul of basic security principles, however. “We see lots of really old Linux distributions and web applications that can trivially be command-injected; attacks that, again, just haven't worked for a long time on PCs that are the result of poor and out of date code,” he says.

“They’re either using the stuff because it's small or because it's easy to bash together a quick web application that looks pretty and does the job, but they don't even bother doing any testing.”
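The two failures Lyne describes above, a device that trusts anyone who can connect to it and a web application whose handler pastes user input into a shell command, can be shown side by side in a few lines. The following is an added illustration, not code from the article or from Sophos: a constructed device “diagnostics” endpoint that pings a host. `vulnerable_ping_command` builds the command string the sloppy version would hand to a shell; `hardened_ping_argv` and `token_ok` show the design-stage fixes (validate the input to an IP literal, pass arguments as a list so no shell is involved, and require a per-device token compared in constant time). `DEVICE_TOKEN` is a placeholder secret, not a real provisioning scheme.

```python
import hmac
import ipaddress
import subprocess
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Placeholder secret for the example; a real device would provision a per-unit secret.
DEVICE_TOKEN = "placeholder-per-device-secret"


def vulnerable_ping_command(host):
    """The pattern Lyne describes: untrusted input concatenated into a shell command.
    Returned as a string (never executed here) so the injection is visible in tests."""
    return "ping -c 1 " + host


def validate_host(host):
    """Accept only an IPv4/IPv6 literal; anything else (shell metacharacters, hostnames) is rejected."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def hardened_ping_argv(host):
    """Return an argv list for subprocess (no shell interprets it), or None if the host is invalid."""
    if not validate_host(host):
        return None
    return ["ping", "-c", "1", host]


def token_ok(presented, expected=DEVICE_TOKEN):
    """Constant-time comparison of the presented device token; a missing header fails closed."""
    return hmac.compare_digest(presented or "", expected)


class DiagHandler(BaseHTTPRequestHandler):
    """Hardened endpoint: authenticate first, validate input, then run ping without a shell."""

    def do_GET(self):
        url = urlparse(self.path)
        if url.path != "/ping":
            self.send_error(404)
            return
        if not token_ok(self.headers.get("X-Device-Token")):
            self.send_error(401)  # "if you can connect, you can control it" is no longer true
            return
        host = parse_qs(url.query).get("host", [""])[0]
        argv = hardened_ping_argv(host)
        if argv is None:
            self.send_error(400, "host must be an IP literal")
            return
        result = subprocess.run(argv, capture_output=True, text=True, timeout=5)
        self.send_response(200)
        self.end_headers()
        self.wfile.write(result.stdout.encode())


if __name__ == "__main__":
    # Bind to loopback only when run directly; the module imports cleanly without starting a server.
    HTTPServer(("127.0.0.1", 8080), DiagHandler).serve_forever()
```

The contrast is the point: the vulnerable builder happily returns a string containing a second command, whereas the hardened path refuses the same input before anything is executed, and the handler will not even look at the input without a valid token.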

Avoiding complete doom-mongering, Lyne does offer some simple advice on how companies can step up their game. “Do testing and keep yourself honest – security and privacy are a part of quality. Take all of these lessons that we've learned in the traditional mainstream computing world over the last 10 years and apply them,” he says.

“It doesn't have to be expensive or difficult. Many of these security flaws could have been remedied practically for free if they were dealt with at the design and implementation stages, as opposed to fighting rear-guard action when either hackers or security researchers catch them out.”

Hackers: Waiting to monetise

We’ve yet to see a major IoT hack, but that doesn’t mean there isn’t one waiting to happen. “If you look at the simple vulnerability and easy exploitation of most IoT devices, there's little reason why they [hackers/cybercriminals] wouldn't have done it if they wanted to,” Lyne says. “I think the logical and obvious explanation is that they haven't yet found a way to monetise it and make it useful. And I really think that's a matter of time; when credit cards are on them, they're going to go for it.”

“There's another slight possibility, which is that it's already happening more than any of us think. Because there isn't much of an ecosystem of logging and forensics, it's quite possible these attacks are occurring at least somewhat out there in the wild, but it's not been big enough.”

When asked if there’s the possibility of a major IoT hack event in the future, Lyne doesn’t hesitate to predict bad times ahead. “I think we're going to have a big wake up call. There's going to be something that becomes widespread in use and all of a sudden there's going to be this horrifying revelation that those are being used to proxy into people's networks and steal data, steal usernames, passwords, and credit cards.”

“There will be an awakening event which will not only be scary for the industry, but will turn the eyes of more and more hackers and cyber criminals to these devices very quickly,” he concludes.

“We've seen that many times in our industry – and IoT hacking will be no exception to the rule.”

Dan Swinhoe

Dan is a journalist at CSO Online. Previously he was Senior Staff Writer at IDG Connect.
