IoT security sucks, here’s how to fix it

When most people think about the IoT, they think about their smart appliances. The typical home has at least one connected device in it, be it a thermostat, a television, or an appliance. Given that perception, it might be easy to dismiss the idea of a ransomware attack as harmless. After all, it’s rather unlikely that a hacker will be all that interested in preventing you from accessing your refrigerator or coffee maker.

The thing is, though, that the IoT extends well beyond household appliances. Everything from urban transportation systems to medical equipment to utilities and even our cars are connected to the internet. Should any of these systems be locked down due to ransomware, the consequences could be dire.

We’ve actually already seen one ransomware attack on the San Francisco Municipal Transportation Authority late last year. Over Thanksgiving weekend, hackers locked more than 2,000 computers in the SFMTA system, and demanded 100 bitcoins (about $73,000) in ransom to provide the encryption key. In the meantime, the downed network meant that all the rail system’s payment terminals were down, and would not accept any payments from riders.

So, while residents and visitors received free rail rides all weekend, the city lost more than a million dollars in revenue. City officials never revealed how they solved the problem and got the network back online (many suspect they simply paid the ransom) but the attack made it very clear that the IoT is in danger from nefarious individuals.

In the end, the major victim of the SFMTA attack was the city, which lost revenue. No one was injured, and riders were actually relieved to have a reprieve from fares for a few days. Experts note, though, that not all IoT ransomware will be as comparatively innocuous. For example, in 2003, a major electrical blackout in the northeast caused more than $6 billion in damage — and that wasn’t even the result of hackers.

Imagine the damage that an intentional attack on the electrical grid or other utilities might cause. Hackers could conceivably shut down entire cities, cause major vehicle accidents, or even put the lives of hospital patients in danger if they were to prevent access to computer networks and data.

Protecting the IoT from attacks

Given what has already happened in terms of ransomware and the IoT, the question isn’t if IoT networks will be attacked, but when they will be attacked and what the consequences will be.

For most consumers, the threat is insignificant because as of right now, there is no evidence that the payoff for attacking consumer devices is there.

However, the industrial IoT is at an immediate risk of a ransomware attack, due to the payoff being much more valuable.

I spoke to Josh Seigel recently about his top IoT cyber protection tips. Josh is a faculty member at MIT’s IoT Bootcamp, one of the leading IoT training and hacking facilities in the US. His advice includes the 3 following tips.

Setup device policies

This will allow an administrator to enforce basic security policies like locking methods and password strength in order to connect with email accounts. It will also allow the administrator to locate and if needed lock or even wipe the content from your device, keeping company secrets and emails and files safe.

Knowledge is critical – when considering implementing IoT products and services, seek to understand the capabilities of new devices and services in full. What data does this device generate? What can it control? Who other than me has access, and do I truly understand who owns the generated data? If it’s shared, does it need to be or can I opt out?

If a device or service’s privacy policies, security implementation, and data ownership model make sense, next follow the manufacturers’ recommendations. Common vulnerabilities can be addressed by thinking through the potential unintended consequences of adding new devices to a network, along with ensuring devices are kept up-to-date and properly configured. This includes simple steps, like changing a device’s default username and password – something people often neglect.

2-step authentication

When you enable 2-step authentication, you add an extra layer of security to your account. You sign in with something you know (your password) and something you have (a code sent to your phone).

It’s highly recommended you enable 2-step authentication on every platform that supports it; it’s the only proven way to make your login secured.

According to One Identity, a provider of Identity and Access Management solutions, “in the past, two-factor authentication solutions have been expensive, cumbersome to deploy and difficult to manage, but that doesn’t have to be the case anymore.”

Let bigger companies maintain your security

In a lot of case’s SMB’s and mid-size businesses won’t have the resources to invest in “strong” security, however most SAAS solutions will almost always have higher security levels. According to Hadar Bluditch, CEO of Source Defense, “For example, many cloud services today will be in compliance with security policies required by banking and financial services (such as PCI and so on).

Whenever it’s possible I would suggest using SAAS solutions rather than creating and hosting on your own.” Cloud solutions developed specifically for certain industries, like Dentrix Ascend, are just one example of cloud-based computing aimed specifically at securing patient records in healthcare. The number of specialized, secure saas solutions is growing rapidly thanks to heavy investor financing recently, which means more options for SMBs.

What does this mean for cyber security tomorrow?

As IoT evolves, cyber security approaches will need to keep pace. One of the most promising visions for the future blends Cloud computing and AI to create a sort of “Cognitive Firewall” that can detect and respond to data misuse or invalid control requests. This firewall acts upon digital objects rather than physical, providing a degree of abstraction between an attacker and physical hardware.