
When THINGS attack! Defending data centres from IoT device-krieg

IoT makers aren't doing enough about security, so what should you do?

When good fridges turn bad. It may sound like science fiction, but security experts are warning that the growing prevalence of interconnected “thingbots” is opening up businesses to all sorts of bother.

Security-as-a-Service provider Proofpoint warned recently that more than 750,000 phishing and spam emails had been launched from connected devices in an Internet of Things (IoT)-based cyber-attack. More than 100,000 everyday consumer gadgets, such as home-networking routers, connected multi-media centres, televisions and at least one refrigerator, had been compromised and used as a platform to launch the global attack.

Security experts are adamant that the prospect of IoT-based attacks infiltrating enterprise IT systems, and the servers and data centres behind the devices, is a growing reality. “Clearly the scope for things to go wrong is huge. We’re talking about billions of end points and if you compromise even a small percentage, that’s a huge problem,” warns Nicko Van Someren, chief technology officer of Good Technology. “We haven’t seen the car crash yet, but there are lots of people driving fast in the rain with no lights on.”

IoT includes every device that is connected to the internet – from home automation products, security cameras, refrigerators, microwaves and home entertainment devices like TVs and gaming consoles, to industrial machinery and smart retail shelves that know when they need replenishing. IDC predicts that more than 200 billion “things” will be connected via the internet by 2020.

We have, of course, had sensor-driven systems for decades, in environments including nuclear power stations, subway trains and manufacturing plants. But these have been tightly coupled, hard real-time systems, whereas with IoT, we have large, loosely coupled networks composed of systems that were not purpose-built to be used together and are interoperating over the internet.

The cost of a 2013 attack on US retailer Target’s Point of Sale (PoS) system – which led to the theft of millions of customers' credit card details – has reached $162m, the US retailer revealed in its 2014 financial report, after air control and building control systems were also compromised. The cost so far underlines the risk to businesses of data breaches, both in terms of financial risk and the effect on consumer trust in a brand that handles personal information.

The increased digitisation of industries and the connection of people, processes, data and things will see significant growth at the edge of the network, particularly with wireless and Wi-Fi-connected devices. It’s the network edge that could be the badlands. “With more and more devices, the number of end points for network security quickly proliferates. The possibility of connected private networks between supply chains, and customers too, also demands attention, as data begins to flow between companies which have traditionally been ringfenced behind a firewall,” says Terry Greer-King, Cisco UK and Ireland’s director of security.

A Capgemini study reiterates this. It found just a third of organisations believe their IoT products are “highly resilient” against cyber-security threats, less than half focus on securing their IoT products at the beginning of the product development phase, and 47 per cent do not provide any privacy-related information on their IoT products.

Sounds like scaremongering, right? Paul Stone, a researcher at Context Information Security, disagrees. “Our research found that you could hack into a Wi-Fi network via Internet-connected lightbulbs and find the Wi-Fi password, and it was possible to upload malicious firmware via a printer. People are used to dealing with firewalls, but a lot of new devices are quite immature from a security perspective,” Stone told The Reg.
