Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

11/6/2018
10:30 AM
Carl Nerup
Carl Nerup
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

Hidden Costs of IoT Vulnerabilities

IoT devices have become part of our work and personal lives. Unfortunately, building security into these devices was largely an afterthought.

Another day, another hack. Whether it's a baby monitor used to spy on mother and child, or an FBI warning to reset home wireless routers due to Russian intrusion, the question continues to be: What's next?  

Internet of Things (IoT) devices are part of both our work and personal lives. Unfortunately, building security into these devices was largely an afterthought — the ramifications of which we are now seeing on a near-daily basis. However, let's look beyond the headlines at the hidden costs of IoT security vulnerabilities. These fall into five categories: device security, intellectual property (IP) protection, brand protection, operational cost containment, and user experience.

Device Security
Once hacked, some devices can do a disproportionate amount of physical damage. It all depends on the degree of criticality to the nation-state, community, or individual.  

The agriculture industry, for example, is as valuable to a country as any other strategic asset, such as utilities, finance, or communications. Many big farms today are automated via field sensors and autonomous vehicles. Let's imagine that someone hacks the sensors to erroneously indicate that the corn is ready to be cut, even though it's three months too early. Or that a hack signals an autonomous tractor to spread too much fertilizer, burning and causing the loss of an entire crop. This potentially catastrophic hack, as well as the corresponding financial losses or risk to the nation-state and its citizens, seem endless.

It is highly recommended that you closely examine the security of your IoT devices via the lens of worst-case scenarios. Ensuring the integrity of the data coming from your remote sensors is especially important because this data drives automated decisions with long-term implications.  

IP Protection
It's astounding how many organizations will spend millions of dollars on R&D and then put that valuable intellectual property on an insecure IoT device. In this case, a hack could mean the end of your business.

Now, let's presume that you are investing heavily in building sophisticated algorithms to enable machine learning, artificial intelligence, or facial recognition. As you look to deploy these proprietary algorithms for use in an IoT device, you are ultimately left with two choices: 1) Protect the algorithm in the cloud, forcing the IoT device to run back-and-forth to run the process and adversely affecting the customer experience, or 2) install the algorithm into the OS stack on the IoT device and risk a hack that steals your algorithm — essentially making you toss your entire R&D investment into the wastebasket.  

Brand Protection
Apathy and inertia are creating a sense of "hack numbness," though the consequence of turning a blind eye depends on where you sit.  

Let's say you make devices that help protect or enhance the life of children, with cameras or microphones that are always on and always watching. Consider a hack on these devices, and the misuse of the information they have access to, now being consumed by unsavory characters.  

This is a brand killer. No matter how noble your IoT device and its application, if you cannot protect children, the market will make sure your future is cut short.  

Consequently, security can't be ignored because you became numb to attacks. This is especially true if you're in a business that requires your IoT devices to gather sensitive information. Couple this with an emotionally invested customer base, such as users of child-monitoring devices, and a hack will mean the end of your business.

Operational Cost Containment
Satellite time is expensive. Within the broadest construct of the many new IoT devices, some will have a component that relies on satellites for data communication. It does not need to be said (but I'll say it anyway) that satellite time is a very expensive path for data backhaul.   

Imagine a hack where a botnet starts a distributed denial-of-service attack on a music-streaming server, which then causes the IoT device to start rapidly and overwhelmingly pinging the music streaming service. As the IoT device is battery powered and using satellite for its backhaul, every ping now statistically shorts the life of the IoT device.  

This scenario serves as a double whammy of cost containment. If you're leveraging satellites in your IoT strategy, you must examine where potential vulnerabilities are because they could affect your overall costs of operation and maintenance.

User Experience
As the saying goes, everyone has been hacked, but there are some who don't know it yet. While there may be no disruption of service at the time of a hack, what happens when there is some type of glitch?  

Let's imagine that you get up one morning and ask Alexa to open the blinds, but they don't open. Now you have to check if there's Internet service into the house, and then confirm that the Wi-Fi network is broadcasting and that Alexa is enabled properly, and, finally, you have to ensure that the app for "my blinds" is connected and working. Considering how much time this could take, it would be quicker to get out of bed and just open the blinds manually.  

Consequently, adding a path to ensure that the original code base is not corrupted through attestation, we can minimize the impact on the user with a highly secure device update, but the hidden cost is the impact on their time.  

Conclusion
The world is catching on to the idea that IoT device security is of paramount importance. Frankly, if end users were affected in a meaningful way (say, something involving their TVs) through one significant hack, the demand for security would become "top of mind." The question is how many of these hidden costs will affect organizations while we work toward a more secure ecosystem.

In my opinion, embedding security in the IoT ecosystem can't come soon enough.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Carl Nerup's experience is a powerful mix of proven marketing and sales leadership and strategic execution. He provides advisory services to numerous companies in the high-technology and telecommunications industries as well as nonprofit organizations and graduate ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
dread763
100%
0%
dread763,
User Rank: Apprentice
11/6/2018 | 3:12:44 PM
Great article. Some additional ideas...
Layer 1 security (e.g. iptables) should be government mandated for all these devices. Also CALEA (Communication Assistance for Law Enforcement Agencies) needs to be modernized. CALEA has not been updated for over 20 years and rudementary back doors are killing security. Secure unique keys (think Master Key for only law enforcement) need to be created by the vendor and held offline by a 3rd party gov agency... Only the key for the target device is released having a valid warrant and/or writ.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.