The Dichotomy of the IoT: Huge Business Opportunities, But Even Bigger Cyber Security Holes

So, about this Internet of Things, uh, thing. There may be a slight problem.

As the world rushes to connect anything and everything to the Internet, the resulting explosion of IoT devices presents one of the most challenging and complicated threats that cyber security professionals have faced.

IoT devices are popping up everywhere in a mad rush for data. They’re on factory floors to help keep operations run smoother. They’re monitoring industrial facilities to stay ahead of any service interruptions. They’re keeping track of goods as they move through the supply chain. They’re embedded in our vehicles, controlling our home air conditioning and heating systems, and even delivering powerful features to our kids’ toys.

With so many devices to manage and jobs to do, the IoT (and its offshoot, the Industrial Internet of Things) has become increasingly dependent on software protocols to manage the complex web of messages moving back and forth. One of these, the publish-subscribe-based Message Queuing Telemetry Transport (or MQTT), is used for one-to-many machine-to-machine settings. Another, Constrained Application Protocol (or CoAP), enables communication with low-power nodes such as small field sensors.

Now, according to a report from Trend Micro, it appears that both of these protocols are frequently being compromised due to the way they’re deployed. In fact, Trend Micro found hundreds of thousands of MQTT and CoAP hosts all over the world that were reachable via public-facing IP addresses, potentially exposing millions of records to attackers. Most of these were in the U.S. and China, but vulnerable hosts were found in smaller numbers all over Europe and Southeast Asia. This is not a small-scale issue.

According to the report, Trend Micro also found a design issue in some devices that allows attackers to supply invalid data to end points. The resulting vulnerabilities can expose critical data for casual attackers to see. Denial-of-service attacks are also possible, as is a hacker taking full control of an IoT system.

And these attacks can happen faster than security teams can respond. A recent report from Arbor Networks found that it takes less than a day for vulnerabilities in new IoT devices to be targeted by malware, and less than five minutes for them to be subjected to brute force login attempts.

Some of these attacks could potentially play out to deadly effect in factory settings, as illustrated in this video. They can also threaten the safety of autonomous vehicles, allow bad guys to take control of industrial facilities, or expose consumers via the growing number of risks presented by smart devices operating in their homes.

And it gets even more personal that that: With growing numbers of Internet-connected toys hitting the market, even data about young children’s whereabouts has become fair game.

Focusing on the industrial, factory and supply chain settings, which is where the biggest impacts from IoT technologies can be found, one of the key cyber security technologies going forward will be artificial intelligence.

As a recent piece in TechHQ argues, the sheer number of IoT devices is too much for traditional cyber security approaches to contend with, while machine learning algorithms can learn what is “normal” IoT behavior and then identify deviations. By sending in algorithms to do what humans used to, cyber security teams can ensure there are digital eyes on a lot more end points.

But for many organizations, sizeable investments in AI can be daunting. Fortunately, Network World recently published a list of 10 common sense tips for minimizing IoT security vulnerabilities. One example from the list: “Gizmos that connect automatically to open Wi-Fi networks are a bad idea. Make sure they don’t do that.”

All of these developments taken together lead to an unavoidable conclusion: As so often has been the case with major technological advances, we may be getting a bit ahead of ourselves by eagerly adopting a technology whose implications we don’t fully understand. And this time, the technology will be truly ubiquitous, showing up in every part of our lives, and in every setting.

Maybe we might want to get the security right before going any further, because whereas a secure IoT has the potential to bring transformational benefits to just about every industry, hastily deployed IoT components that lack strong security will open up more holes than cyber security teams have ever seen.

*** This is a Security Bloggers Network syndicated blog from RSAConference Blogs RSS Feed authored by Tony Kontzer. Read the original post at: