How Secure Is The IoT?

About a year and a half ago, a “botnet” made up of malware-infected, internet-connected CCTV cameras, baby monitors and digital video recorders was used to put many popular internet services including Amazon, Airbnb and Netflix out of service for a while, so you’d think that we might be used to headlines about cybersecurity and the Internet of Things (IoT).

It still came as a shock, however, when at the end of May researchers at Cisco revealed that between 500 000 and a million routers around the world had been compromised by a malware that appeared to be designed to spy on owners. The FBI believes that the malware, dubbed VPNFilter, was created by Russian hacking group Fancy Bear, which is suspected to be connected to the Kremlin.

VPNFilter is just the latest in a long list of malwares that target IoT devices. Their purposes are diverse: some simply listen to internet traffic; some are designed to interfere with industrial control systems while others are forms of ransomware, threatening to disable systems unless money is transferred to the creator. There are so many infected devices that costs in the criminal underworld have collapsed – anonymous websites offer to point a crippling Distributed Denial of Service (DDoS), generating 300GB/s of traffic, at a target of your choice for about $20 (R253).

Getting better all the time

Clearly, the challenge of security in IoT is a long way from being solved, but we can’t unplug our devices, and businesses can’t ignore the benefits that connected solutions provide.

“Any device connected online is subject to weaknesses and exploitation,” says Martin Walshaw, the systems engineering team lead for F5 in sub-Saharan Africa. “IoT includes devices and software that were not designed with security in mind. As IoT vendors scramble to take a lead to market, security is often an afterthought.”

Sheldon James, managing director for technical services at facilities management firm Servest, says that in some areas – like CCTV, access control and intrusion systems – connected devices are fast becoming the standard offering, thanks to the economic benefits and efficiencies they achieve. But not all solutions are equal.

“We constantly review our strategy to ensure that our IoT solutions remain secure,” James says.

“IoT devices shouldn’t be exposed to the public internet,” he advises, “but even so attacks can take place on many levels – particularly when so many of the solutions Servest provides means putting things like cameras in hard-to-protect public places.

“Our security strategy includes multiple layers of security ensuring that we secure not only the device itself, but also the data it transmits and the data we store.”

This approach is dubbed “secure by design” by experts and means trying to second-guess hackers at every step in the design and implementation process. Implementing secure by design strategies is great for the future, but what about existing IoT devices that have already been deployed which have fundamental security flaws?

It is possible to protect them, says F5’s Walshaw.

“Solutions are able to be provided for both service providers as well as organisations who have already implemented IoT deployments to be able to secure both IoT devices as well as clients,” Walshaw says. Networks of the future, he continues, will need to be “self-defending”, using automated tools to monitor for and respond to an increasing volume of attacks.

No security can be guaranteed when it comes to IoT devices, but we certainly have a lot more tools and a wider body of best practice knowledge available now than we did even a year and a half ago. Even so, the scale of the problems around securing internet-connected devices remains huge, and with news that the US government is going to close down the office of its Cybersecurity Coordinator, the question remains: is everyone taking it seriously enough?