They targeted children and stuffed animals. Hackers gained access to account information and voice recordings of more than 800,000 consumers who had purchased Spiral Toys' CloudPets toys, cybersecurity researcher Troy Hunt revealed last month. CloudPets are stuffed animals that enable parents and their children to exchange messages through the internet.
This anecdote reveals both the pervasiveness of the Internet of Things (IoT) and the serious threats associated with it. Personal assistants, wearables, home management systems, smart refrigerators, and other devices are becoming popular with consumers. But the IoT has become particularly entrenched in businesses — everything from security systems to security cameras to heating, ventilation, and air conditioning systems.
Research firm Gartner Inc. predicts that 8.4 billion connected devices will be in use worldwide this year, a 31 percent increase over 2016. That number will surpass 20 billion by 2020, Gartner forecasts. Currently, consumer devices comprise 63 percent of IoT devices, but businesses make up 57 percent of IoT spending.
"IoT services are central to the rise in IoT devices," says Denise Rueb, a research director at Gartner. Although businesses currently dominate the US$273 billion spent worldwide on IoT services, Rueb says consumer and connectivity services will grow faster. "Consumer IoT services are newer and growing off a small base," she explains. "Similarly, connectivity services are growing robustly as costs drop and new applications emerge."
Security is the dark cloud hanging over the IoT, information security experts caution. Before last year, many of those concerns were theoretical. Those theories became very real in October when a botnet based on the Mirai malware disrupted internet service in several U.S. cities. At its height, the malware infected hundreds of thousands of devices.
According to an HP study, Internet of Things Security: State of the Union, 70 percent of IoT devices are vulnerable to attack. A separate survey (PDF) by Boston-based IT security company Pwnie Express identifies common attacks against devices, including malware (32 percent), ransomware (20 percent), and man-in-the-middle attacks that intercept communications (16 percent).
Threats to IoT systems were front-and-center this month at the CyberUK conference in London, hosted by the U.K.'s recently established National Cyber Security Centre (NCSC). An NCSC report released in conjunction with the conference warns that IoT devices are vulnerable to threats such as remote code execution or takeover. "Many connected devices have been shipped with less secure software and default passwords," The Cyber Threat to U.K. Businesses 2016/2017 report notes. "There is often no obvious way for consumers to update them, change passwords, or otherwise fix security problems."
Most of the information security professionals (63 percent) who responded to Pwnie Express' The Internet of Evil Things survey say their organization is prepared to detect threats to connected devices. But when the survey dug deeper, it found that less than half (49 percent) of those respondents knew how many connected devices employees were bringing into the organization, while one-third did not know how many and 17 percent were not sure.
Industrial systems are a likely target. Ninety-six percent of IT security professionals surveyed by Tripwire (JPG) expect attacks on industrial IoT systems to increase this year, and 51 percent say their organization isn't prepared to protect them. "There are only two ways this scenario plays out," says David Meltzer, chief technology officer for the Portland, Ore.-based information security company. "Either we change our level of preparation or we experience the realization of these risks."
Health care is another area where the IoT shows great promise but carries great threats. Recent ransomware attacks have targeted health-care IT systems successfully. Gartner predicts more than one-fourth of attacks in the health-care sector will target the IoT. For health-care businesses, the IoT raises the stakes because "traditional cybersecurity doesn't always 'walk the talk' when it comes to the IoT," Damon Hopley, senior manager, product management with Verizon's IoT Security group, writes in IT Healthcare News. Hopley points out that devices deployed by providers and insurers often are located in remote locations and some of those devices may lack security features that can reduce the risk of remote hijacking.
What can be done? A recent white paper (PDF) from the Bellevue, Wash.-based Online Trust Alliance encourages businesses, consumers, and government to work together to secure the IoT. The paper outlines roles for retailers and ecommerce sites; developers, manufacturers, and automakers; brokers, builders, realtors, and car dealers; and internet service providers. It calls on the private sector to establish minimum security and privacy standards for IoT products, disclose security support, and enhance security offerings. In addition, it advises regulators and policy makers to allow self-regulation and provide safe harbor to device manufacturers that have adopted reasonable security and privacy practices. Finally, it recommends consumers patch and replace insecure devices, and only purchase devices that are backed by a security and privacy commitment from the manufacturer.