Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

1/8/2019
02:30 PM
Jason Haddix
Jason Haddix
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Your Life Is the Attack Surface: The Risks of IoT

To protect yourself, you must know where you're vulnerable - and these tips can help.

Today, there are more connected devices than humans. The unprecedented growth of connected devices has created innumerable new threats for organizations, manufacturers, and consumers, while at the same time creating opportunities for hackers. The world has seen the risks of this firsthand: Internet of Things (IoT) devices now constitute the largest-scale botnets, able to take down major websites like Twitter, GitHub, and the PlayStation Network. The many ways a hacker could access this data is apparent and quite disconcerting. The first step to protecting yourself is knowing where you're vulnerable.

Connected Devices as the Fastest-Growing Attack Surface
A growing number of households now have an IoT hub — be it Echo or Google Home — a device that takes the place of or attaches to your wireless router and has permissions to do things on your behalf. One of the most immediate security concerns comes with this permission. If your device is set up to purchase things on your behalf, there is nothing to stop someone else within the microphone's listening range, even on your TV or radio, from commanding "Alexa" to buy something for you.

This issue extends to other personal devices as well. For home security cameras, it might be backing up or storing video images. For health tracking devices, it's personal health data such as heart rate, pulse, diet, etc. An Internet-connected stuffed animal was recently found to have exposed more than 2 million voice recordings of children and parents, as well as e-mail addresses and password data for more than 800,000 accounts. In other words, this seemingly innocuous data is highly personal on the individual level and therefore a great risk to individual security.

The Role of Policy and Defenders
Thus far, IoT has gone unregulated and largely unsecured, and given the rapid growth of IoT devices it's no surprise that these devices represent a major and growing threat — and a major opportunity for adversaries. The sheer number and types of the devices being networked and connected to cloud interfaces and on-the-Internet APIs is one the greatest challenges in security today. Each device has its own set of technologies, and thus its own set of security vulnerabilities. Additionally, some of these industries have never dealt with Internet-facing devices before, and their development staff is just not trained in the ways of web application security. High pressure, low awareness, and the absence of a governing body to police the market has resulted in an increase in attacks on these devices. That's why it's becoming imperative to implement global security standards.

Before the industry really starts inking policy, however, we'll continue to rely on hackers to identify vulnerabilities and ultimately improve the way the industry addresses potential risks. This group will be essential for improving the security maturity of the market and ensuring the implementation of security controls for IoT devices, such as toys, thermostats, and even smart cars, which provides a fascinating breeding ground for best practices.

How to Prevent Cyberattacks
There is a lot of work to do for manufacturers, policymakers, researchers, legislators, and companies that are releasing IoT devices, identifying risks, and creating regulations. And unfortunately, IoT extends far beyond household gadgets. From your car to your pacemaker and your Fitbit, any device that connects to the Internet is a potential attack surface.

While the broader security industry addresses these issues, how can you personally prevent cyberattacks in your own digital life?

  • Research your device before purchase: For any device you're considering buying that's connected to the Internet, determine whether the vendor is paying attention to security. Does it have security notes online? Has it had any security research directed at it before, and if so, has it responded well to that research? Use the answers to make a decision about which device to purchase. Amazon reviews and Better Business Bureau reports can be great indicators here.
  • Use strong Wi-Fi encryption: Securing your Wi-Fi at home goes beyond plugging it in and setting a password. The choices for encryption standards typically can be found on vendors' websites, so if you're unsure, it's a good idea to do some due diligence before choosing one. Implementing the most advanced encryption that your router can support (usually called WPA) is the difference between offering someone easy access to your home network and being secure.
  • Check the device for additional security configurations: While updating the device regularly will help avoid unnecessary breaches, it's also a good idea to ensure additional security configurations are in place if available. To find these, log in to the control panel of the device. In the settings section, there will often be additional controls. They can be cumbersome to set up but useful to keep you secure.
  • Disable features not being used: These features will vary by device, but an example would be your laptop's webcam, which could be a threat if it's not disabled or obscured, especially in light of numerous well-documented attacks. Being aware of all enabled features is a great way as a consumer to protect yourself against IoT hacks and malicious actors accessing your personal devices on your network or other places you use devices.

The Future of IoT Security
From the takedown of Dyn to the distributed denial-of-service attack on Brian Krebs' website, the industry has learned some major lessons around IoT security in the past few years. This is causing standards to be created that will help reduce risks. However, change takes time. IoT security is in the standards phase right now, which means that legislators haven't yet prescribed specific policies around what security devices need to have in place for manufacturers to ship them. Given this, consumers must take personal action and be aware of the risks.

Related Content:

 

Jason is the head of trust and security at Bugcrowd. Jason works with clients and security researchers to create high value, sustainable, and impactful bug bounty programs. He also works with Bugcrowd to improve the security industry's relations with researchers. Jason's ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MeeraSK
100%
0%
MeeraSK,
User Rank: Apprentice
2/20/2019 | 10:22:06 AM
Do connected home appliances really fall under IoTs ?
 

Please check on iiot-world website about the definition of IoT and IIoT. Couldn't share a link because of the current restriction.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Malware Attacks Declined But Became More Evasive in Q2
Jai Vijayan, Contributing Writer,  9/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15216
PUBLISHED: 2020-09-29
In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revisio...
CVE-2020-4607
PUBLISHED: 2020-09-29
IBM Security Secret Server (IBM Security Verify Privilege Vault Remote 1.2 ) could allow a local user to bypass security restrictions due to improper input validation. IBM X-Force ID: 184884.
CVE-2020-24565
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
CVE-2020-25770
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
CVE-2020-25771
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...