Assessing the Risks to IoT Devices By Ang Cui, founder & CEO of Red Balloon Security
iStockphoto.com/Petmal
There’s no question that the Internet of Things is growing rapidly, and connected devices are finding their way into every conceivable nook and cranny of our daily lives, from the human body to home appliances, cars, office buildings, and more. Most major industries are also actively incorporating IoT into their supply chains, production processes, and facilities in the hopes of cutting costs and improving efficiency. But what is less understood is just how vulnerable these devices actually are to attacks, and how these vulnerabilities can expose consumers and businesses to new threats which they may not have anticipated. Device manufacturers continue to roll out new products with little built-in security, and
34
INNOVATION & TECH TODAY | WINTER 2018
updating the software and firmware of a device once it is “out in the field” is not always easy. Basic security mistakes like default passwords, remote device management, and unencrypted web connections, all of which are common among IoT devices, expose these products to serious threats, whether in the home or office.
Current Threats MALWARE
Malware attacks on IoT products continue to grow. Kaspersky Lab identified three times as much IoT malware in the first half of 2018 as they found in all of 2017, and there is no reason to believe the trend is slowing. Currently, IoT malware has been mostly limited to botnets like Mirai and Reaper, which enslave devices in order to harness their
processing power for DDoS attacks, spam campaigns, and cryptocurrency mining. Fortunately, botnet malware typically presents a low risk for the end-user, but there are two important caveats to this, particularly for businesses. First, a device’s functionality and performance could deteriorate if the malware interferes with its normal processes. Secondly, if the malware has a “downloader” component (which many do), it could install new malware later on that may not be so harmless.
REMOTE ACCESS The holy grail for an attacker is to gain administrative control of a device. This type of remote access allows them to spy on the user, steal information, or manipulate the device itself.