Internet of Things – A New Security and Privacy Threat

The growing trend towards smart appliances and other things is raising concerns about security and privacy. We are seeing many things being connected to the internet, including cars, home security systems, refrigerators, ovens, wristwatches, clothing, furnaces – the list goes on.

Many of these items connect through the internet using the central modem located in a home. While some of the latest modems have relatively advanced security, many of the older ones have little or none. If they have any security, it is often very poor.

That’s not the entire scope of the issue. Most security systems rely on passwords, which unfortunately are known to be a poor way to provide protection from intrusion but remain the most common method by far. Many organizations are now stressing the importance of developing passwords that are complex, containing letters, numbers, characters, capitals and lower case, etc. These passwords are hard to guess, but also virtually impossible to remember, which means most people do not use them. And if they do, it’s with the help of a password management system, which stores passwords for particular purposes. These systems often represent a security vulnerability in themselves.

To make matters worse, the things being connected often make use of a simple passcode. Most home security systems, for example, employ an eight-digit passcode to gain entry into the home. Some of the devices will accept short passwords like 1234. These are obviously very easy for a hacker to guess. Hackers also have sophisticated software to help them with these and bigger challenges.

A recent HP report[1] expressed concern in several areas after doing a study of numerous “things”:

  1. 80% of the devices record private information, like name, address, credit card information, etc.
  2. 70% do not include encryption of the data being transmitted.
  3. 60% of the web interfaces are insecure, using, for example, clear text to transmit credentials.
  4. 60% of the downloads of software updates are not encrypted.
  5. 80% allow very simple passwords or passcodes.

The devices also often include the classic back doors still found in some insecure computer systems. These usually relate to access protocols set up for vendor or support purposes. For example, some common systems have a user ID called admin and the default password for that ID is admin as well. Since this is widely known, it leaves a very simple way for an intruder to gain entry. In fact, for many modems in common use, the default password is “admin”. There are other classic openings for hackers as well.

For people who use smart devices, which is rapidly becoming most of us, the first layer of defence is awareness of the threats and how they might be exploited. This leads to the observation that when purchasing such a device, it is good to look into the security that the device contains. Purchasing the brand with the best security may save a lot of trouble down the road. Also, information that is not mandatory should not be stored on these devices. If it isn’t there, it can’t be stolen.

And then there are the usual password management techniques – change them frequently, use different passwords for the different devices, employ security software when possible, watch for signs of intrusion, etc.

New authentication techniques to enhance security are becoming more available and should become more visible in the near future. Many commercial and governmental organizations use them now, but we can expect them to become more common for homeowners and everyday consumers. These include biometrics – e.g. fingerprint or palmprint pads to gain access, retinal scans, face recognition, and others. They also include token passwords that change continually, and that can only be activated with a device, such as a keychain fob, that is synchronized with the thing, such as a home security system.

Advances in “thing” security need to be monitored and kept up to date where possible. This should be an aspect of purchasing devices that is front and center. It should also be a service that quality vendors would offer their customers.

The security vulnerabilities around the internet of things are very real and growing. As new products come on the market, they will often be marketed with little or no security. Gradually this can be expected to improve, but in the meantime, the exposure of people using internet connected things will be very high.

Be aware.

[1] http://h30499.www3.hp.com/t5/Fortify-Application-Security/HP-Study-Reveals-70-Percent-of-Internet-of-Things-Devices/ba-p/6556284#.VBwZOkuWs0s