
Illustration by Steve McCracken

The IoT Revolution

Brace yourselves: the explosion of the Internet of Things (IoT) is coming. Six years ago the number of devices connected to the Internet surpassed the number of people on the planet. And experts estimate that by the end of 2015 there will be 25 billion connected devices in the world, growing to 50 billion by 2020, according to the Federal Trade Commission (FTC).

“Everything is becoming sensorized—everything we carry, everything that we do is somehow connected or is going to be connected to the network, the global network, and to the cloud,” says Andrew Lee, CEO of ESET, an antivirus and security software company.

With this increase in interconnectivity also comes an increase in the amount of data collected and shared across the globe, he adds, with many not knowing what’s collected, who’s collecting it, who owns it, or where it’s stored. 

“You stand and look in the mirror and think, ‘Oh my god, I’m all grey hair and all that stuff,’ but you can see everything that you are in the mirror,” Lee explains. “But when you look in the digital mirror, you don’t even know where all your limbs are.” 

And when that digital data gets into the wrong hands or the devices collecting it are compromised, it can be problematic for everyone. The threats include unauthorized access and misuse of personal information, attacks on other systems, and risks to personal safety, the FTC summarized in a report, Internet of Things: Privacy & Security in a Connected World, released earlier this year.

One specific concern the FTC raised is the IoT being used to launch large-scale denial of service attacks. “Denial of service attacks are more effective the more devices the attacker has under his or her control; as IoT devices proliferate, vulnerabilities could enable these attackers to assemble large numbers of devices to use in such attacks,” the commission’s report said.

Sensors connected to the IoT—such as those used for building access control—are especially vulnerable because they are typically low-power and low-cost devices. This means there isn’t a lot that can be done to install software on them to improve their security, Lee says.

And personal devices, like Fitbits and smartphone social media apps, can be just as vulnerable to attack, often providing logistical information about their users if compromised. “If you can compromise [the GPS] and an employee’s working in a secret facility, you can now map out how that facility looks by the people that are tracked around it and where they congregate,” Lee explains. “So without ever going inside the building, you could build a picture of what it really looks like, and that’s the kind of unintended side effect of the Internet of Things.”

To prevent sensitive information from winding up in the wrong hands, the FTC has called for device manufacturers to limit the amount of data they collect and share with others—referred to as data minimization. “Companies should examine their data practices and business needs, and develop policies and practices that impose reasonable limits on the collection and retention of consumer data,” the FTC said in its report. This will not only protect consumer data, but it will also make companies less attractive to data thieves who might want to hack into their networks to steal that information, the commission explained.

Lee also says that users need to look at how devices such as sensors and GPS trackers work, map out how the information they collect travels throughout the network, and analyze what normal activity looks like. This will help users see whether a device has been compromised and allow them to respond to an attack quicker, he adds.
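The baselining Lee describes can be reduced to a small check: learn, per device, which hosts it normally talks to and how much it normally sends, then flag later traffic that breaks that profile. The script below is an added example, not code from the article or from ESET; the device names, destinations and flow records are constructed, and the z-score threshold is an assumed tuning value.

```python
"""Baseline-and-deviation check for IoT device traffic.

Added example (not from the article or ESET): it takes constructed
flow records for a badge reader and a GPS tracker, learns which
destinations and hourly byte volumes are normal during a baseline
window, and flags later flows that break that profile.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    device: str     # device identifier (constructed)
    dst: str        # destination host the device talked to
    hour: int       # hour index since the start of observation
    bytes_out: int  # bytes sent by the device in that hour


# Constructed baseline: badge-01 only talks to the access-control server,
# tracker-07 only reports to the telemetry endpoint, volumes are steady.
BASELINE_FLOWS = [
    Flow("badge-01", "acs.internal", h, 1200 + 50 * (h % 3)) for h in range(24)
] + [
    Flow("tracker-07", "telemetry.example", h, 4000 + 100 * (h % 4)) for h in range(24)
]

# Constructed later observations: the badge reader suddenly sends a large
# volume to a host it has never contacted before.
LIVE_FLOWS = [
    Flow("badge-01", "acs.internal", 24, 1250),
    Flow("badge-01", "203.0.113.9", 25, 480000),  # new destination, huge volume
    Flow("tracker-07", "telemetry.example", 24, 4100),
]


def build_profile(flows):
    """Per device: known destinations plus mean/stdev of hourly bytes out."""
    dests = defaultdict(set)
    volumes = defaultdict(list)
    for f in flows:
        dests[f.device].add(f.dst)
        volumes[f.device].append(f.bytes_out)
    return {
        dev: {
            "dests": dests[dev],
            "mean": mean(volumes[dev]),
            "stdev": pstdev(volumes[dev]),
        }
        for dev in dests
    }


def find_deviations(profile, flows, z_threshold=3.0):
    """Return (device, reason) pairs for flows outside the learned profile.

    z_threshold is an assumed tuning value; raise it on noisy devices.
    """
    findings = []
    for f in flows:
        p = profile.get(f.device)
        if p is None:
            findings.append((f.device, "unknown device"))
            continue
        if f.dst not in p["dests"]:
            findings.append((f.device, f"new destination {f.dst}"))
        # A perfectly constant baseline has stdev 0; avoid dividing by it.
        spread = p["stdev"] or 1.0
        z = (f.bytes_out - p["mean"]) / spread
        if z > z_threshold:
            findings.append((f.device, f"volume spike z={z:.1f}"))
    return findings


if __name__ == "__main__":
    prof = build_profile(BASELINE_FLOWS)
    for dev, reason in find_deviations(prof, LIVE_FLOWS):
        print(dev, reason)
```

Run against the constructed data it reports only the badge reader, once for the unknown destination and once for the volume spike; the tracker's slightly different hourly volume stays inside its learned spread, which is the point of comparing against a per-device baseline rather than a single global threshold.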

DEVICE SUPPORT

More also needs to be done to encourage device manufacturers to make devices safer at inception and support them throughout their lifecycle, says Eric Kobrin, director of adversarial resilience for Akamai Technologies, a cloud service provider. “Where we need to get to in the long term is where manufacturers commit to support for the lifetime of the device—we need to have that upfront when you buy it,” Kobrin says. 

Support for devices in the IoT is becoming increasingly important as they are getting older, especially in the United States. Globally, 53 percent of network-connected devices are either aging, meaning they are not the newest, most current version of the device, or obsolete, meaning that vendor support is no longer available. But in the United States, 64 percent of devices are now aging or obsolete, according to Dimension Data’s Network Barometer Report released earlier this year. 

“The first thing we thought was there’s something wrong with our data because the U.S. number is way too high,” says Andre van Schalkwyk, group practice manager for consulting and networking for Dimension Data, an IT infrastructure services provider. “But then analyzing it a little more carefully, the area that actually does stick out like a sore thumb was specifically around public spaces—public infrastructure, education, and government. We actually saw these networks getting really, really old.”

Why is this increase in age happening, specifically in the United States? A lot of it is related to the U.S. government sector’s technology habits when it sends out bids for new products and services tied to a five- or seven-year contract. During that contract period, equipment and devices are not changed or replaced, unless there’s a fault on the device itself, van Schalkwyk explains. 

“The majority of those contracts are generally on the seven-year side, and what we’ve actually seen is over the last two years, those contracts are being pushed from seven years into the 10-year period, which means that when you buy a device in 2010, it’ll only be replaced in 2020,” he says.

This means that a majority of these devices remain fairly static, and during that 10-year life-cycle, the vendor will likely no longer support that device so software patches will not be released for it. 

“At the end of the day, this has a security impact,” van Schalkwyk adds, because aging devices are more vulnerable than current, or even obsolete, devices. This is because security researchers have had time to test them, discover any bugs in the device, and exploit them. (Users more quickly abandon obsolete devices, meaning that there are fewer of them in the marketplace.) 

Additionally, because some patches are still rolled out for aging devices, users can inadvertently create more vulnerabilities each time they fail to patch. “The fact that we’re actually seeing aging devices with a larger amount of vulnerabilities than any other due to life cycle phases, really means that clients aren’t patching networking infrastructure,” van Schalkwyk says. 

Contrary to the U.S. public sector, however, the private sector is doing a much better job of updating and replacing devices. “We’re starting to see in little pockets in the United States, Australia, and in some parts of Europe where clients are starting to actually push from five years all the way down to a three-year cycle for networking equipment refresh,” he explains.

WI-FI VULNERABILITY

Also affecting the security of the IoT are the Wi-Fi networks that devices are connected to, which are becoming increasingly more commonplace as companies move to make their facilities more mobile-friendly. 

“If you look five years back, if you deployed a new network, 80 percent of the access to that network would be wired and 20 percent would be wireless,” van Schalkwyk says. “And we’re actually starting to see that switch completely all the way to the other side where we’re seeing 20 percent being wired and 80 percent being wireless.”

While this might make employees’ lives and jobs easier, wireless access also comes with its own vulnerabilities—84 percent of the “discovered wireless access points were pre-2011 access end points,” van Schalkwyk explains. “So these are really, very old access points that don’t support high throughput and don’t support a huge amount of clients.” With the onset of the IoT, “we feel that wireless is going to become more and more critical,” so it’s crucial to ensure that it’s “deployed properly and that the underlying network can actually support the devices connected to it,” he says. 

One thing that will be key to this effort is the deployment of Internet Protocol version 6 (IPv6), which provides an identification and location system for devices on networks and routes traffic across the Internet. It was developed by the Internet Engineering Task Force to “deal with the long-anticipated problem of IPv4 address exhaustion,” and is designed to replace IPv4, according to the Network Barometer Report.

Dimension Data is slowly seeing users deploy IPv6 internally, but few projects are deploying it in the United States, and only about 20 percent of networking equipment is capable of supporting IPv6, van Schalkwyk says.  

“In the majority of cases, they just need a software upgrade to be IPv6 capable,” he explains. “If clients were actually patching over the last three years, chances are pretty good that simply going through the patching cycle would actually give them the ability to support IPv6 within their network.”

Users who do not deploy IPv6 will expose themselves to unnecessary risk because they won’t be able to monitor and manage devices that operate on that protocol. 

“The lack of visibility of this traffic, and its associated communications profile, introduces a significant security risk as these controls are developed based on device profiles, risk tolerance, and visibility required to maintain the device,” the report said. “Older controls may not be IPv6 compliant, nor able to provide the required visibility and control to effectively protect the data.”
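The lifecycle categories from the Network Barometer Report (current, aging, obsolete), the patching gap on aging devices, and the observation that many devices only need a software upgrade to become IPv6 capable can all be checked from one inventory. The script below is an added example, not code from the article or from Dimension Data; the vendor data, model names, firmware versions and the inventory are constructed, and the audit date is passed in so the classification is reproducible.

```python
"""Network-device lifecycle and IPv6-readiness audit.

Added example (not from the article or Dimension Data): it classifies a
constructed inventory into current / aging (a newer model exists) /
obsolete (vendor support has ended), then reports which aging devices
are behind on patches and which devices would gain IPv6 support from a
software upgrade alone.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple


@dataclass(frozen=True)
class Device:
    name: str
    model: str
    running_fw: Tuple[int, int]  # firmware version in place, e.g. (12, 4)


@dataclass(frozen=True)
class VendorInfo:
    latest_model: str                 # newest model in the product line
    latest_fw: Tuple[int, int]        # newest firmware the vendor has released
    ipv6_fw: Optional[Tuple[int, int]]  # first firmware with IPv6, None if never
    end_of_support: Optional[date]    # None means still supported


# Constructed vendor data keyed by model name.
VENDOR = {
    "edge-100": VendorInfo("edge-300", (11, 9), None, date(2014, 6, 30)),
    "edge-200": VendorInfo("edge-300", (12, 6), (12, 2), None),
    "edge-300": VendorInfo("edge-300", (12, 6), (12, 0), None),
}

# Constructed inventory.
INVENTORY = [
    Device("rtr-gov-01", "edge-100", (11, 9)),    # support ended, never got IPv6
    Device("sw-school-02", "edge-200", (12, 1)),  # older model, behind on patches
    Device("sw-school-03", "edge-200", (12, 6)),  # older model, fully patched
    Device("rtr-hq-01", "edge-300", (12, 6)),     # newest model, latest firmware
]


def lifecycle(device, today):
    """Report's categories: obsolete beats aging, aging beats current."""
    v = VENDOR[device.model]
    if v.end_of_support is not None and v.end_of_support <= today:
        return "obsolete"
    if device.model != v.latest_model:
        return "aging"
    return "current"


def audit(inventory, today):
    """One row per device with lifecycle stage, patch gap and IPv6 readiness."""
    rows = []
    for d in inventory:
        v = VENDOR[d.model]
        stage = lifecycle(d, today)
        # An obsolete device receives no more patches, so the gap is only
        # meaningful for devices the vendor still supports.
        patch_gap = stage != "obsolete" and d.running_fw < v.latest_fw
        ipv6_now = v.ipv6_fw is not None and d.running_fw >= v.ipv6_fw
        ipv6_after_upgrade = (
            not ipv6_now and stage != "obsolete"
            and v.ipv6_fw is not None and v.latest_fw >= v.ipv6_fw
        )
        rows.append({
            "name": d.name, "stage": stage, "patch_gap": patch_gap,
            "ipv6_now": ipv6_now, "ipv6_after_upgrade": ipv6_after_upgrade,
        })
    return rows


def aging_or_obsolete_share(rows):
    """Fraction of devices that are aging or obsolete (the report's headline figure)."""
    return sum(r["stage"] != "current" for r in rows) / len(rows)


if __name__ == "__main__":
    rows = audit(INVENTORY, date(2015, 9, 1))
    for r in rows:
        print(r)
    print(f"aging or obsolete: {aging_or_obsolete_share(rows):.0%}")
```

On the constructed inventory the audit separates the two edge-200 switches that the lifecycle category alone would lump together: one is patched and already IPv6 capable, the other is behind on firmware and would pick up IPv6 support simply by completing its patch cycle, while the obsolete router cannot be upgraded at all and needs replacement rather than patching.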
