The emerging Internet of Everything is set to heighten the security burden for device makers, software vendors and the numerous organizations that will rely on an interconnected network of smart devices to support operations and serve customers. While tablets and smartphones rule the roost for now in terms of consumer and business attention, new technological frontiers are already being opened up by devices such as wristband trackers and networked thermostats and automobiles.
This proliferation of Internet-enabled endpoints means that cybercriminals will gain access to many new attack surfaces. Hacking a heads-up display, security camera or refrigerator, while a seemingly outlandish prospect at the moment, ultimately could have much more immediate, tangible consequences than breaching a PC, since users interact with these newly networked assets in highly personal ways and often in their own homes.
However, the broader risk emanates from the vast amounts of personal data that IoE devices are collecting and storing. For example, current gadgets such as the Jawbone Up already collect personal information about sleep patterns, health activity and dietary regimens and synchronize it with the cloud.
As more devices follow in this mold, users and security professionals must be conscious of how deeply the Internet is becoming intertwined with their lives and how the IoE promises a different, more intimate computing experience. Threats once confined to mainframes, PCs and smartphones will evolve to persist within the new connected landscape, and the security community must be ready to guide users and companies as they consider how to address these risks.
Number of networked devices could top 50 billion by the end of the decade
How big will the IoE become? The number of connected devices had already exceeded the human population as of 2012, but it is set to surge by 2020.
Cisco estimated that by that time, there will be more than 50 billion networked devices, with most of them coming online during the last three years of the decade. Morgan Stanley was even more bullish on IoE growth, projecting 75 billion connected devices in 2020, or 9.4 for each of the 8 billion people alive at that time.
Most immediately, the emergence of the IoE will fuel growth in networking and surveillance equipment, as well as new sensors optimized for verticals such as healthcare, retail and transportation. Hospitals may be able to better track patient conditions, while businesses can keep tabs on inventory and vehicles.
However, IoE is already becoming consumerized with items such as Sony’s proposed SmartWig, which vividly displays the benefits and potential security perils of the IoE. This networked wig contains GPS, as well as tactile sensors, capable of gathering sensitive information about the wearer’s location or vital signs such as pulse and blood pressure. Still, it may also have the ability to guide a user through dark areas, interact with smartphones and enable wireless gestures such as moving one’s eyebrows to control a TV or slide projection.
While the SmartWig is still a prototype, it demonstrates that we may not be far from a world in which billions of devices monitor user behavior, producing practical benefits while simultaneously generating massive amounts of sensitive data. Moreover, the intimacy of many IoE devices means that they produce data types that cybercriminals may find attractive and profitable. For example, there have already been several instances of researchers and hackers taking over wireless IP cameras and posting their video feeds to the Internet.
Wireless IP camera hacking incidents illustrate stakes of protecting the IoE
In early 2012, security researchers at the Hack in a Box conference in the Netherlands demonstrated that many wireless IP cameras are vulnerable to remote hacking. At the same time, their efforts illustrated how data from hundreds of millions of connected devices is already readily available on the controversial Shodan search engine, which collected information even on obscure devices like smartphone-controlled door locks.
The Qualys researchers stated that, via Shodan, they had discovered more than 100,000 IP camera feeds that were unrelated to security surveillance operations. Twenty percent of all IP cameras that they found would authenticate a user with nothing more than “admin” as the username. Even devices that were password-protected had weak firmware that was vulnerable to brute force attacks and path traversal. Since these cameras relay network information and authentication credentials to a Web-based interface, they are putting many users’ sensitive data out in the open.
“The web based administration interfaces can be considered as a textbook example of an insecure web application and easily leads to an exposure of not only sensitive personal information (such as wireless network, FTP, and even email access credentials), but also provides an eye to an inside of your house,” stated the abstract of the Qualys researchers’ report. “Apart from the flaws in the web interface, the cameras also use questionable security practices when it comes to securing the firmware, which leads to even more interesting attack vectors.”
In a separate incident from early 2012, a hacker compromised the software that runs SecurView IP cameras. With the number and variety of networked devices growing, and with networks like Shodan providing insight into their data, device makers and the security community must step up to the plate and ensure that data privacy is respected and risks to virtual and physical assets are mitigated.
Securing the IoE against tomorrow’s threats
Securing something as vast as the IoE seems like a daunting task. However, there’s still much that can be done to improve basic security – professionals should start with enforcing better encryption on Web apps, using stronger passwords and keeping operating systems and anti-malware solutions up-to-date. For example, 99 percent of the IP cameras that were exploitable via Shodan had not been updated with new firmware that protects against password attacks.
At a broader level, the IoE will demand well-designed network infrastructure that protects users while not reducing the utility of their devices. Credit card systems offer a blueprint for how to achieve this goal, since they utilize multiple layers of local and remote security to ensure that the payment experience is both safe and easy. Securing the IoE may take some creative thinking – especially in light of devices like the SmartWig – but the foundations for comprehensive security are already there and just require more diligence.