Despite its many benefits, the Internet of Things (IoT) is posing a real threat to the cybersecurity of public and private sector systems. This disruptive technology is creeping into workplaces, homes and industrial facilities as technologists deploy monitoring devices, smart controllers and other technologies designed to have an impact on the physical world. The IoT is here to stay, with estimates that deployments will grow to include more than 50 billion Internet-connected devices by 2020.
Hackers are also noting the widespread use of IoT devices, and analysts are beginning to see devices being used as both the target of attacks and a means for attacking traditional systems. Recent reports underscore the significant risk that a software vulnerability in a single category of IoT devices can pose to the physical safety and the cybersecurity of other networked devices. The proliferation of these devices, combined with terrorist interest in undermining them, requires a strong response from agency security teams.
Attacking the IoT
Attackers may decide to directly target a software vulnerability in an IoT device to cause undesirable effects. Forbes reports that hackers have consistently used baby monitors, security cameras, cable boxes and other IoT devices to harass people in their homes. In a troubling report, Wired explained how cybersecurity researchers Charlie Miller and Chris Valasek were able to remotely control a Jeep by hacking the vehicle’s entertainment system over the cellular network.
As a result of these violations, government agencies must pay careful attention to the development of IoT as a disruptive technology, particularly in sectors where it might jeopardize public safety. The growth of technology use in healthcare, transportation, public safety and other regulated industries raises concerns about the potentially disastrous impact of a vulnerability in those devices. In order to combat potential threats, healthcare providers and government agencies should take advantage of secure medical devices and other IoT systems. Security measures for these devices should include:
- Placing IoT devices on segmented networks that isolate them from both direct internet access and other devices on the network. Controlling the devices that may communicate with IoT systems, as well as the systems that IoT devices may contact, dramatically reduces the potential for attack.
- Implementing strong authentication measures that verify the identities of users and administrators connecting to IoT devices.
- Monitoring vendor security bulletins for vulnerability announcements and applying security patches to IoT devices promptly after release. IoT devices must be treated with the same care and attention to configuration management as any other networked device.
- Encrypting the communications to and from IoT devices. Data streams and control channels for IoT devices should use encrypted, secure communications channels to prevent eavesdropping.
Agencies that follow these measures will find themselves better positioned to fend off an IoT attack.
Weaponizing the IoT
The effect of a software vulnerability in commonly used IoT devices can also extend beyond the IoT system itself. On October 21, 2016, the internet suffered one of the largest distributed denial-of-service attacks ever recorded. The attack targeted Dyn, one of the primary Domain Name Service (DNS) providers that serve as a directory for internet sites. This attack on the infrastructure resulted in a massive internet outage that affected major sites including Twitter, the New York Times and Amazon. A Wired magazine analysis of the attack revealed that the attacker likely used a virtual army consisting of compromised cameras, DVRs and other IoT devices to wage the attack.
While the Dyn attack had a widespread effect, future attacks may have an even more significant impact on global affairs. Imagine, for example, an attack that simultaneously knocks all major media sites offline on Election Day or cripples 911 response systems during a major natural disaster. As IoT deployments grow, the record-setting attack against Dyn may pale in comparison to the potential size of future attacks.
Government agencies know the significance of a comprehensive approach to defending against IoT-based attacks. The Defense Advanced Research Projects Agency (DARPA) recognized this as early as 2012 when they issued a call for research proposals focused on defending cyber-physical systems. DARPA’s High-Assurance Cyber Military Systems (HACMS) initiative focuses on protecting IoT devices: “Researchers and hackers have shown that these kinds of networked embedded systems are vulnerable to remote attack and that such attacks can cause physical damage while hiding the effects from monitors,” DARPA says.
As IoT continues its inevitable growth, it’s crucial that cybersecurity professionals consider the impact of this new technology during risk assessments. These assessments should include evaluations of the security of agency IoT deployments, as well as the susceptibility of government systems to attack from botnets of compromised IoT devices.
Samsung’s government technology solutions help agencies provide a secure IoT experience with tools such as the Samsung Knox security platform for mobile devices.