IoT (Internet of Things) is simply a fancy way of expressing that we have more devices online and connected to the internet than ever before when compared to my favorite tradition of Desktop PCs, Tablets and Phones. With the advent of embedded computing becoming more affordable, powerful and easier to develop than ever using tools like Raspberry Pi based on the ARM platform, this means we have a plethora of new devices and embedded, internet connected devices added to every day things we use.
Common examples of these are new cars, alarm systems, video cameras/surveillance systems, fridges, stoves, home locks, lights, watches, medical equipment and so much more.
The security issue with these devices is more challenging and complex than ever before for both the end user and businesses using them.
There is no doubt or anyone in denial that it’s an issue and the privacy, security and financial risks can be quite high. Security in general works on the basis of weakest link and it is arguable that a random internet connected device in your house or business poses an immense security risk with some of these devices having little to no security or out in the wild vulnerabilities.
These devices are certainly not impossible to secure, in fact the majority of them are easy to secure but it’s simply not the forefront or priority of most device makers or developers. Because of this devices are often completely unsecured and don’t even need to be hacked, sometimes they run a telnet,ssh or web daemon which can be accessed with no password or a dictionary password like admin/admin root/root or with just a username. There are others which cannot be easily updated which have vulnerabilities that end up being found later and exploited. Even more difficult some of these devices are physically inaccessible and installed in appliances and other devices where it can be harder to update them. A lot of companies would be reluctant to push out updates because often if the update failed it would render the device useless without physical intervention.
We can only hope standards emerge in the industry where updates will be easier, standard and guaranteed but this is unlikely to happen. Even with companies who use these products and recognize it is an issue there is only so much planning that can be done for devices that are not easily managed or accessible.
The only practical solution today is to try to firewall and physically isolate IoT devices where ever possible to reduce the risk (but for a lot of companies this is not easy or practical). At the end of the day more advanced network planning and management will be required and so will hardware firewalls play an ever increasing role in trying to prevent and detect attacks to these devices.