The summer heat is on, and the last thing on anyone's mind is a long, cold winter. However, when it comes to data leaks, it appears as though a long, painful season is rolling in. As events unfold in cybersecurity, many of us focus on "lower-tech" ransomware, link hijacking, and phishing attacks — which turn into major events like the Colonial Pipeline and JBS attacks.
Recently, attacks against Internet of Things (IoT) systems have emerged. With the technology in billions of everyday items, the scope of these attacks is worrisome. Because the migration to Internet-everything is unstoppable, we'll be seeing these security incidents for a long time unless we adjust course quickly.
The financial motive to add Web features to every device known to mankind is clear. It seems everyone wants to be on the Web, uploading data from their bicycles, sprinkler systems, refrigerator energy consumption, and just about everything you can possibly think of. Barbeque grills now come equipped with full Internet connectivity, and even mirrors are becoming fully connected.
The fact is that many people expect these features; they have grown up with the Internet and just wouldn't do well without it. Therefore, manufacturers are eager to connect anything and everything to the Web. It's a perfect match. Consumers accept risks, sometimes unknowingly, because many assume that the worst-case scenario will not happen to them or affect them significantly.
The Peloton Breach
That leads us to the breach of Peloton, the at-home connected fitness equipment company. A security researcher discovered an open unauthenticated API in Peloton bikes and treadmills, which revealed an open channel to information about users such as age, weight, gender, workout statistics, and birthdays. A significant amount of scrutiny has fallen on Peloton, which made a mess of remediation communications and deadlines. It appears that this is just the beginning of issues to come, as more items from the physical world come online, handling sensitive information that few people think about protecting until it is too late.
The Peloton incident is just the latest in a string of IoT missteps involving popular systems and products. As consumerized products from every walk of life come online, IoT systems and online accounts are under significant threat. It does not matter what the product is. For example, in January 2021, an IoT-enabled chastity belt manufacturer was compromised in a ransomware incident. An increasing number of smart camera platforms are being targeted by thieves. Privacy and security are at risk, as is exposure to fraud, and criminal gangs are exploiting the spoils of stolen data to their merciless benefit.
Can IoT Be Slowed? Should It?
Once upon a time, distributed alternating current electricity was the next new thing. Electricity, lighting, and motors were added to every item available at the time, so people no longer had to crank record players, grind coffee beans by hand, or shine shoes with a pile of rags. For consumers, convenience and functionality were the clear winners. With IoT, we're seeing a parallel application of the Web to real-world things, but with the added variables of security and privacy concerns. Consumers seem unable to resist these features, and the ecosystem continues its stratospheric growth.
What many consumers don't seem to realize is that consumer products companies are in the business of selling the products they make. They are not in the business of securing our information. If history is any indication, they have failed at protecting personal information as their products connect to billions of endpoints in your kitchen, your garage, your bedroom, and every place you live your life.
Considering factors such as the growth of the market, continual cybersecurity threats, and financial motivations driven by successful compromises, we can expect to see more information losses, even in places thought to be safe. Worse, threats once affected only digital things, but IoT drops the cyber realm directly in the middle of our physical world. Attacks against data can be attacks against critical systems, human beings, resources, and the world around us.
Even the smallest bits of leaked data can be enough to compose purpose-built phishing attacks or be stacked into significant waves of fraud. Unfortunately, it will take an unknown event of significant scale or personal financial impact for users to collectively wise up and demand more security from the market.
The basic fallacy in deploying these IoT systems is the same fallacy that exists with deploying IT systems at an organization. Security is relegated to traditional point solutions and perimeter security. Until we start to grasp the concept that security needs to be a foundation of any IT or IoT deployment, we must live with the reality of a computer-driven world that continues to suffer devastating breaches and compromises. In this environment, it's easier to create attacks than it is to create defenses against those attacks.
Organizations that delve into IoT must recognize that prevention of security incidents — breaches, malware, or anything else — must be primary. They must incorporate continual vigilance and security into their ecosystem of tools, services, and knowledge. This takes proactive executive decision-making and a willingness to continually learn from others in the enterprise security space. Until we change our mindset, the forecast looks like a long, hard winter.