Your Connected Better Half

Publication Date: Mar 05, 2020
Written by: Antoine Debono and Robert Muscat

It is no news that the world is becoming more digitised as time goes by. Mobile phones have become an integral part of our lives, tablets are replacing both books and notebooks, and companies can now look at the Internet of Things not only as a money-saving technology but also as a revenue-generating opportunity.
The Internet of Things was one of the topics discussed during one of the workshops of the Cyber Security Conference organised in February by the eSkills Malta Foundation.

What is the Internet of Things?

The Internet of Things is simply a collection of interconnected devices that communicate with each other to enable intelligent decision making. The word ‘Internet’ in the term ‘Internet of Things’ should be read as a generalisation that implies connectivity, given that most IoT devices connect to the Internet either directly or indirectly.

During the workshop, IoT was broken down into four layers so that the audience could better understand the key elements an IoT system is made up of: Hardware, Data, Software and Connectivity.

The hardware layer allows digital items to connect with physical objects, making use of sensors and actuators that work together. The raw facts that sensors collect and send are called data. Data in its raw form is useless unless it is analysed, interpreted and turned into information. Software interprets data and turns it into information, which is what provides value to consumers. None of the activity mentioned above can occur without a networking technology that provides connectivity to these devices.

During the Cyber Security Conference, we chose to highlight the current situation surrounding IoT security and several action items that both consumers and manufacturers can adopt.

Why now? What is happening?

The increasing hype around this technology is the result of the rapid evolution of several factors surrounding the IoT market. IoT is growing and will likely be even bigger than most people think. In fact, statistics show that by 2025 there will be 75.4 billion devices, compared with the 26.7 billion devices registered in 2019. Meanwhile, the price of IoT sensors, which are integral components of IoT devices, has dropped drastically from $1.30 in 2005 to $0.38 in 2020, according to Microsoft’s 2019 Manufacturing Trends Report. To put things into perspective, according to a reputable American management consultancy firm, in 2025 the IoT market has a total potential value creation of $11.3 trillion.

As more and more devices are connected, privacy and security risks increase, and most consumers don’t even know it.

Privacy and Security concerns

When looking closer at IoT devices, one notices that these devices in their tangible form aren’t usually smart; in fact, they’re usually dumb but still connected. This means that the intelligence which allows these devices to perform intelligent decision making is somewhere else. That observation immediately raises privacy and security concerns about the data collected, especially when these devices collect attributes related to a user’s health, as fitness trackers and other passive monitoring devices do.

To further convince the audience that these concerns are legitimate and should be taken seriously, throughout the workshop we went through a number of past cyber-attacks that affected both home users and various industry giants using smart devices such as CCTV cameras, network routers, smart light bulbs and smartwatches, amongst other IoT devices.

The entry points that allowed the attacks to succeed were explained. These varied from default passwords, the use of weak networking protocols, unnecessary network ports exposed to the Internet and a lack of authentication and authorisation methods, to the use of broken encryption algorithms and ciphers.
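As an added example, not code from the workshop or its authors, the check below turns the entry points just listed into a configuration audit over a device inventory. The record format, the field names, the list of factory credentials and the three sample devices are all constructed for this example and are not taken from any particular product.

```python
# Added example (not the authors' or the workshop's code): a configuration
# audit that checks a device inventory for the entry points listed above.
# Record format, field names and all sample values are constructed here.

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed set of factory credentials of the kind vendors ship by default
# (illustrative pairs, not tied to any particular product).
FACTORY_CREDENTIALS: Set[tuple] = {
    ("admin", "admin"), ("admin", "1234"), ("admin", ""), ("root", "root"),
}

# Protocols that carry credentials or data without encryption.
CLEARTEXT_PROTOCOLS = {"telnet", "http", "ftp", "rtsp", "snmpv1", "snmpv2c"}

# Cipher or hash names treated as broken for transport encryption.
WEAK_CIPHER_TOKENS = {"RC4", "DES", "NULL", "EXPORT", "MD5"}


@dataclass
class Device:
    name: str
    username: str
    password: str
    services: Dict[int, str]             # listening port -> protocol name
    internet_exposed: Set[int]           # ports reachable from the Internet
    needs_inbound: Set[int] = field(default_factory=set)  # exposure with a justified reason
    auth_required: bool = True           # do the services demand a login?
    tls_cipher: Optional[str] = None     # negotiated cipher suite, if any


def audit(device: Device) -> List[str]:
    """Return one finding per entry point the device is open to."""
    findings: List[str] = []
    if (device.username, device.password) in FACTORY_CREDENTIALS:
        findings.append("default credentials still in place")
    cleartext = sorted(p for p in device.services.values()
                       if p.lower() in CLEARTEXT_PROTOCOLS)
    if cleartext:
        findings.append("cleartext protocols in use: " + ", ".join(cleartext))
    unnecessary = sorted(device.internet_exposed - device.needs_inbound)
    if unnecessary:
        findings.append("ports exposed to the Internet without need: "
                        + ", ".join(map(str, unnecessary)))
    if not device.auth_required:
        findings.append("services reachable without authentication")
    if device.tls_cipher:
        cipher = device.tls_cipher.upper()
        if any(token in cipher for token in WEAK_CIPHER_TOKENS):
            findings.append("broken cipher negotiated: " + device.tls_cipher)
    return findings


def audit_inventory(devices: List[Device]) -> Dict[str, List[str]]:
    """Audit every device and map its name to its findings (empty = clean)."""
    return {d.name: audit(d) for d in devices}


# Constructed inventory: a camera left at factory settings, a hub configured
# following the manufacturer countermeasures, and a hub with a stale cipher.
INVENTORY = [
    Device(name="lobby-camera", username="admin", password="admin",
           services={23: "telnet", 80: "http", 554: "rtsp"},
           internet_exposed={23, 554}, auth_required=False),
    Device(name="hub-hardened", username="admin", password="Lq7#vR2pZw!m",
           services={443: "https"}, internet_exposed=set(), auth_required=True,
           tls_cipher="TLS_AES_128_GCM_SHA256"),
    Device(name="hub-legacy", username="svc", password="Q7!pLm2vX9",
           services={443: "https"}, internet_exposed={443}, needs_inbound={443},
           auth_required=True, tls_cipher="RC4-MD5"),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, "->", findings or "no findings")
```

The audit is deliberately static: it reads what an inventory says about each device rather than probing anything, so it can be run by an operator or a manufacturer's QA team over a device register to find the configurations the attacks described above depended on.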

IoT Demo

IoT is a double-edged sword: it can be as helpful as it can be lethal if the necessary security measures are not taken into consideration. In the last decade, we have seen a number of military exercises carried out using unmanned devices such as drones and Field Artillery Autonomous Resupply robots that were deadly. On the other hand, we have seen the introduction of robots delivering medicine to patients in hospitals.

During this Cyber Security Conference, we demonstrated how misconfigured IoT devices such as access controls, smart TVs and IP cameras can be exploited by a malicious attacker. We used a camera exploitation framework that is available online, which enabled us to exploit the stream of an IP camera hosted on a local network, simulating the steps taken by an attacker. The audience was confused about how a malicious attacker with a basic level of expertise can exploit a misconfigured IoT device in a few minutes.

Who is responsible?

In the IoT sphere, given the number of stakeholders involved in the operation and maintenance of these devices, uncertainty about who is responsible for their security is widespread. Developers and users of IoT devices and systems have a shared responsibility to ensure they do not expose others, and the Internet itself, to potential harm. Every stakeholder involved in the lifecycle of an IoT device must take responsibility for contributing to comprehensive IoT security.

IoT implementations should ideally rely on a commonly agreed basis, for example through standardisation. International standards are needed to avoid regional fragmentation and to allow worldwide use of solutions and products. Standardisation is essential to attain the objectives of interoperability and compatibility across several domains without, however, compromising on security. Some frameworks that are working towards this goal are the ENISA Good practices for IoT & Smart Infrastructures Tool and the Online Trust Alliance IoT Security & Privacy Trust Framework.

Possible Regulations?!

One of the key characteristics of IoT is that it is inherently domain cross-cutting in nature. There is, therefore, a wide range of different policies and regulations that are applicable to the take-up of IoT in the EU. Regulatory and legal aspects should be the enabling factors for a successful adoption of IoT in the EU and not barriers!

Countermeasures

The audience was provided with countermeasures that can be applied, from both a manufacturer perspective and a home user perspective.

Although not an exhaustive list, the following countermeasures were suggested for manufacturers:

· Security and privacy should be considered across the whole lifecycle of the IoT product's development.

· Start by defining what the product was developed for, identify potential threats and perform a risk analysis.

· Monitor and manage vulnerabilities affecting your product, and disclose how long security and patch support will last and when it ends.

· Adopt a holistic approach to security training and awareness for employees, relevant to the different areas of the IoT ecosystem.

· Create a Business Continuity Plan and a Disaster Recovery Plan covering the assets critical to your operations and business.

· Segregate your environment according to how critical each part is to your business. Avoid using flawed protocols, and encrypt data that is sensitive and critical to your business success.

· Monitor your networks and systems for anomalous behaviour, and make sure that auditing capabilities are enabled on your systems.
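The two network-level countermeasures above, segregating the environment and monitoring it for anomalous behaviour, reinforce each other: once IoT devices sit on their own segment with a known set of legitimate destinations, anything outside that set is a signal. The detector below is an added example, not the authors' or the workshop's code; the log format, the segment addresses, the per-device baselines and the sample log lines are all constructed for this example.

```python
# Added example (not the authors' or the workshop's code): a detector that
# reads connection-log lines from a segregated IoT segment and flags traffic
# a camera or hub has no reason to generate. Log format, addresses, segment
# layout and per-device baselines are all constructed for the example.

import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed layout: IoT devices sit on their own VLAN, separate from the
# office LAN, so any IoT-to-office connection is itself a finding.
IOT_SEGMENT = ipaddress.ip_network("10.0.20.0/24")
OFFICE_SEGMENT = ipaddress.ip_network("10.0.10.0/24")

# Constructed baseline: the only destination ports each device is expected
# to use (vendor cloud over TLS, DNS, NTP).
BASELINE_PORTS: Dict[str, Set[int]] = {
    "10.0.20.11": {443, 53, 123},   # IP camera
    "10.0.20.12": {443, 53, 123},   # lighting hub
}

# Distinct destinations on one port from one device before the batch is
# treated as scanning; threshold chosen for the example.
SCAN_THRESHOLD = 5

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse(line: str) -> Optional[dict]:
    """Parse one constructed log line; malformed lines are skipped, not trusted."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        return {
            "ts": m["ts"],
            "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]),
            "proto": m["proto"].lower(),
        }
    except ValueError:           # e.g. "10.0.20" passes the regex but is no address
        return None


def detect(lines: List[str]) -> List[dict]:
    """Return alerts for IoT devices that leave their expected behaviour."""
    alerts: List[dict] = []
    fanout: Dict[tuple, Set] = defaultdict(set)   # (src, dport) -> distinct dsts
    reported: Set[tuple] = set()                  # (src, dport) already alerted
    for line in lines:
        rec = parse(line)
        if rec is None or rec["src"] not in IOT_SEGMENT:
            continue                              # only the IoT segment is in scope
        src, dst, dport = str(rec["src"]), rec["dst"], rec["dport"]
        fanout[(src, dport)].add(dst)
        if dst in OFFICE_SEGMENT:                 # segregation being crossed
            alerts.append({"device": src, "kind": "segment_violation",
                           "dst": str(dst), "dport": dport, "ts": rec["ts"]})
            continue
        if dport not in BASELINE_PORTS.get(src, set()) and (src, dport) not in reported:
            reported.add((src, dport))            # one alert per device/port pair
            alerts.append({"device": src, "kind": "unexpected_port",
                           "dport": dport, "ts": rec["ts"]})
    for (src, dport), dsts in fanout.items():     # many targets on one port = scanning
        if len(dsts) >= SCAN_THRESHOLD:
            alerts.append({"device": src, "kind": "scan",
                           "dport": dport, "targets": len(dsts)})
    return alerts


# Constructed sample log: normal cloud/DNS traffic, then the camera reaching
# into the office LAN and probing several hosts on port 23, plus one
# malformed line and one office host that is out of scope.
SAMPLE_LOG = """\
2020-03-05T10:00:01Z src=10.0.20.11 dst=203.0.113.5 dport=443 proto=tcp
2020-03-05T10:00:02Z src=10.0.20.11 dst=10.0.20.1 dport=53 proto=udp
2020-03-05T10:00:03Z src=10.0.20.12 dst=203.0.113.9 dport=443 proto=tcp
2020-03-05T10:01:00Z src=10.0.20.11 dst=10.0.10.25 dport=445 proto=tcp
2020-03-05T10:02:00Z src=10.0.20.11 dst=198.51.100.1 dport=23 proto=tcp
2020-03-05T10:02:01Z src=10.0.20.11 dst=198.51.100.2 dport=23 proto=tcp
2020-03-05T10:02:02Z src=10.0.20.11 dst=198.51.100.3 dport=23 proto=tcp
2020-03-05T10:02:03Z src=10.0.20.11 dst=198.51.100.4 dport=23 proto=tcp
2020-03-05T10:02:04Z src=10.0.20.11 dst=198.51.100.5 dport=23 proto=tcp
this line is garbage and must be ignored
2020-03-05T10:03:00Z src=10.0.10.7 dst=198.51.100.50 dport=23 proto=tcp
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Two design choices matter for a real deployment: the baseline is keyed per device so that a camera and a hub can have different legitimate behaviour, and the "unexpected port" alert is raised once per device and port rather than per connection, so that a burst of scanning produces one alert plus the scan finding instead of hundreds of duplicates.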

For home users, we provided the below countermeasures to avoid falling victim to cyber-attacks on IoT devices:

· Learn how to “shop smart” for connected devices by looking at trusted reviews, checking the vendor's statements on the update policy it adopts, and finding out what data will be used and how.

· Update your devices and their applications regularly.

· Turn on encryption, stop reusing passwords, and always use a strong password.

· Change the default configuration and security settings.

· Turn off or disconnect the device when not in use.