Gauging 'Internet of Things' Risk
U.S. Top Spymaster Voices Concern About Securing 'Things'The term "Internet of Things" has been around for a half decade or so, although "things" connected to the Internet are as old as the network of networks itself. But in the past few months, the Internet of Things has gained more attention, and the cybersecurity and privacy implications are only beginning to be addressed in many quarters.
See Also: How to Take the Complexity Out of Cybersecurity
Even the feds are concerned. James Clapper, the director of national intelligence, recently testified before the Senate Select Committee on Intelligence on global threats facing the United States. Among potential cyberthreats he cited are those "things" - physical objects such as vehicles, industrial components and home appliances - that generate information and increasingly are being linked to the Internet.
"These 'smart objects' will share information directly with Internet-enabled services, creating efficiencies in inventory supervision, service-life tracking and maintenance management," Clapper testified. "This so-called 'Internet of Things' will further transform the role of information technology in the global economy and create even further dependencies on it. The complexity and nature of these systems means that security and safety assurance are not guaranteed and that threat actors can easily cause security and/or safety problems in these systems."
Recipe for Disaster
What makes these "things" more dangerous than objects found on the Internet in years' past is that they're smarter and faster. They're a recipe for disaster.
Many of these devices could be hijacked to conduct distributed-denial-of-service attacks more easily than, say, a botnet of laptops, PCs or servers because most computers have anti-malware software, protection many "things" lack.
Even mundane "things" pose threats. Anton Chuvakin, a Gartner research analyst, has been giving some thought to the security implications of the Internet of Things. In a recent blog, On Internet of Things and You!, he identifies threats posed by various types of devices. The first device he mentions is the TV, citing risks posed to subscribers to services such as Netflix and YouTube who face having the content they watch revealed.
The vulnerabilities the "things" pose became personal a few weeks ago when turning on my Samsung Smart TV. All of my apps - including those linking the set to Netflix and YouTube - vanished one by one right before my eyes. (It wasn't till the next day that I got to watch the next episode of "Orange Is the New Black.") I called Samsung, and a recorded message said its network was experiencing problems. This episode made me realize that my interaction with my TV - a device I think of as a one-way medium - could expose personal information I would prefer to keep private.
Revealing Your Whereabouts
It's not just smart TVs. Chuvakin points out that hacking into smart thermostats could reveal whether or not a family is home. Web-linked security cameras could be used by outsiders to spy on your company's employees.
Manufacturers of these "things" should make these devices less vulnerable, but Chuvakin has his doubts that they will. "Vendors who focus on and excel in hardware royally suck at software," he says. "If they can barely write a UI [user interface], do you think they can write secure TCP/IP drivers?"
The risks posed by these consumer-oriented "things," for now, are low because the value gained by manipulating them is low, although Chuvakin points out these "things" remain highly vulnerable. But when the value of a hack increases to the attacker, so will the threat. "Will vulnerabilities subside?" Chuvakin asks. "Have they elsewhere?"
How seriously is your organization taking Internet of Things security and privacy? What safeguards are you taking? Please share your thoughts below.