The Internet of Things (IoT) will radically change our lives. However, while the risks of this brave new world are already apparent, there may still be time for the industry to learn from past mistakes in IT security.
There are forecast to be around 212 billion IoT devices in use in 2020, with 30 billion of these machines and appliances being automatically connected. Their software is expected to collect up to 30 million petabytes of data across both consumer and industrial applications. In the light of these impressive IDC figures, Belgian security expert Eddy Willems from the anti-virus manufacturer G DATA has pointed out the security problems arising from the widespread use of interconnected “things”. One area that Willems addresses in a recently published article relates, in particular, to the increasingly popular fitness tracker.
Health data for scammers and extortionists
The virus institute AV-TEST was largely satisfied with the results of their investigation into data transmission from trackers to smartphones and then from smartphones to the cloud. The testers pointed out, however, that none of the products in the study were able to achieve the highest security level. There is a risk that hackers could intercept data during transmission.
For Willems, this raises a number of worrying scenarios. As organisations such as health insurance companies seem determined to offer special, and often cheaper, rates to those who wear fitness trackers, there is a growing temptation for people to reduce their own contributions by using data belonging to their neighbours, colleagues or even complete strangers. For this to go unnoticed, the targeted insurance customer only needs to be around the same age as the attacker. In other, more drastic scenarios, hackers gain access to the software for insulin pumps or pacemakers and attempt in this way to extort money from patients.
More and more security vulnerabilities in connected cars
The attention of security experts has long been focused on new connected cars, which were dubbed “smartphones on wheels” by the former German Minister of Justice Sabine Leutheusser-Schnarrenberger. A series of unsettling news reports about security vulnerabilities has come to light in the course of 2015. Fiat Chrysler was forced to recall 1.4 million Jeep models after a successful cyber attack. Hackers succeeded in remotely controlling the brakes of a Corvette. And, at the start of the year, a software update for BMW’s ConnectedDrive technology had to be given to 2.2 million cars, which otherwise could have had their doors unlocked with just the use of a smartphone.
Such updates are likely to be increasingly necessary for the cars of the future. This raises the question of how they should be carried out. A workshop recall is the safe option, but it is expensive and inconvenient for vehicle owners. Automatic software distribution, for example via mobile networks, would be considerably cheaper. However, it also carries the risk of criminals tampering with the update mechanism itself.
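The tampering risk in automatic distribution is usually addressed by having the device verify a vendor signature, a payload hash and a version floor before it applies anything. The following Go program is an added illustration, not code from the article or from any manufacturer named in it; the manifest layout, the key pair and the firmware bytes are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Manifest is the vendor-signed metadata the device checks before it touches the payload.
type Manifest struct {
	Version    uint32   // monotonically increasing build number
	PayloadSum [32]byte // SHA-256 of the firmware image
}

// encode serialises the manifest deterministically so signer and verifier hash identical bytes.
func (m Manifest) encode() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.PayloadSum[:])
	return buf
}

// SignUpdate is the vendor side (hypothetical build server): it binds version and payload hash to a signature.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) (Manifest, []byte) {
	m := Manifest{Version: version, PayloadSum: sha256.Sum256(payload)}
	return m, ed25519.Sign(priv, m.encode())
}

// VerifyUpdate is the device side: reject anything not signed by the vendor key, any payload
// that does not match the signed hash, and any version that would roll the device back.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, sig, payload []byte) error {
	if !ed25519.Verify(pub, m.encode(), sig) {
		return fmt.Errorf("manifest signature invalid")
	}
	if sum := sha256.Sum256(payload); !bytes.Equal(sum[:], m.PayloadSum[:]) {
		return fmt.Errorf("payload does not match signed hash")
	}
	if m.Version <= installed {
		return fmt.Errorf("downgrade or replay of an already-installed version %d", m.Version)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed vendor key pair for the demo
	m, sig := SignUpdate(priv, 2, []byte("constructed firmware image v2"))
	fmt.Println("genuine update accepted:", VerifyUpdate(pub, 1, m, sig, []byte("constructed firmware image v2")) == nil)
}
```

In a real deployment the public key would be pinned in the device's boot ROM or secure element and the installed version stored in tamper-resistant storage, so that neither can be rewritten by the same channel that delivers updates.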
Customers expect verifiable security policies
From these examples, Eddy Willems concludes that it is high time for the IoT sector to develop policies that can be used to monitor the security of connected products. He proposes that an independent organisation or institute should be established for this purpose. One already in place is the Online Trust Alliance, which, with its IoT Trust Framework, is intended to provide manufacturers and developers with appropriate guidelines for improving the security of their products. The initiative also promotes the development of best practices in data security, privacy and sustainability.
What we need, for example, are security concepts following the model of Security by Design. This means working to achieve the highest possible level of security, especially in terms of software, right from the development stage of a product. The history of IT has shown that whenever this is not the case, the resulting flaws are almost impossible to handle. Companies must no longer be allowed to bring products to the market without considering security first – only then to attempt to rectify one new vulnerability after another with an endless series of retroactive security updates. (Source: G DATA/rf)