Millions of consumers are getting new devices this holiday season, from phones and tablets to networked thermostats and controllable drones. In November 2014, market research firm Park Associates found that shipments of novelties like smartwatches, fitness trackers and connected entertainment devices would top 11 million by the end of the year, more than doubling the total from 2013. Plus, there’s obviously more to come: Apple is set to release its Apple Watch at some point in early 2015, potentially providing a boost to networked wrist gadgets akin to the one it gave smartphones with the release of the first iPhone in 2007.
With new devices, new security challenges await
At the same time, things are really coming together for the Internet of Things. Services like IFTTT, hardware companies such as Nest (now owned by Google) and the endless possibilities of platforms like Apple HomeKit and Android Wear, paired with many of the devices mentioned above, point the way toward an ever more connected future. Gartner has estimated the economic impact of the IoT, also known as the Internet of Everything, at nearly $2 trillion by 2020.
With such ubiquitous connectivity spurred by the ongoing flood of devices, cybersecurity has become more important than ever. How an enterprise initially sets up its endpoints and other infrastructure goes a long way in determining whether its core data is secure or ultimately left vulnerable to targeted attacks. Some of the most prominent cybersecurity incidents of 2014, like the JPMorgan Chase breach in the summer and the Sony Pictures hack after Thanksgiving, show what can happen when seemingly minor oversights, like not using two-factor authentication, pile up.
Even if an organization isn’t as prominent as either of those firms, it has to know how to manage an increasingly complex fleet of devices. Cyberattacks, misuse and device theft will all be major challenges in the year ahead, as consumers and businesses extend their connected worlds and attract more attention from attackers.
Start with the basics: No jailbreaking or third-party app stores
Android shipments were expected to cross the 1 billion threshold in 2014. Meanwhile, market analysts have predicted that Apple could ship a staggering 70 million or more iPhones in the first quarter of fiscal year 2015, setting it up for record revenue. Both dominant mobile operating systems are winning in their own ways, whether market share or profits, but their growth is raising the stakes for basic cybersecurity knowledge and practices.
Each platform has its own issues to keep an eye on:
Most of the time, iOS is safe for consumers since the App Store has a thorough vetting process and apps are sandboxed. Many potential vulnerabilities arise if an iOS device is jailbroken, though. For instance, the complex Inception malware documented in December 2014 by Ars Technica caused problems on Android and Microsoft Windows and was also able to exploit jailbroken iPhones and iPads by posing as a fake update to WhatsApp.
Even without on-device jailbreaking, issues can crop up. The recently discovered WireLurker malware used a USB connection and enterprise permissions – typically utilized for creating custom corporate apps – to mine data from infected iPhones. It requires usage of a third-party OS X app store, which is a good segue into…
Security on Android has come a long way in a short time, especially for phones and tablets firmly within Google’s ecosystem. Many devices are now automatically configured to only accept downloads from Google Play, but there’s still the option for – and possibility of – alternative delivery channels, some of which trade in malware.
The Trend Micro TrendLabs Security Intelligence has looked at examples such as a component downloader that was causing some trouble in third-party app stores in China, where Google is effectively out of the picture and not in control of Android. Essentially, threats of this ilk can gain deep access to an Android phone or tablet’s system and download additional malware and/or conduct surveillance.
The rest and the future
Platforms such as Windows Phone and Tizen haven’t gained much traction yet, but there’s always the possibility of a new ecosystem emerging, and with it fresh vulnerabilities. The aforementioned IoE, rather than the iteration of entrenched mobile OSes, could prove to be the next device setup and security challenge.
Dark Reading recently presented some worst-case scenarios involving manipulation of GPS, Wi-Fi and automated vehicles. Aside from such theoretical situations, there are already signs that the scope of the IoE could create many new attack surfaces and weaknesses. A lot of people who received remote-controlled drones for Christmas, for example, have had trouble piloting them, leading to mishaps that, while mostly low-stakes, show how the IoE adds complexity. There’s more chance that something could go wrong.
Device theft and physical security
Losing control of drones is in much the same vein as losing one’s device, as well as all the sensitive data on it. There were more than 3 million smartphone thefts in 2013, according to Consumer Reports. In this context, enterprises must use endpoint security like encryption, two-factor authentication and remote wipe to keep information safe.
“In addition to protecting yourself from mobile malware, you should also realize that because you carry a smartphone everywhere, you can lose your device very easily,” observed Trend Micro’s Raimund Genes. “If this happens, you may end up losing control of your personal data. Make sure you turn on your lock screen password and device encryption so that if you do lose your phone, the risk of losing your own data is minimized.”
Today we deal with easily losable phones, tablets and laptops. Tomorrow we could face the same problems with losable – or simply exposed and readily exploitable – IoE devices, on top of issues with malware and targeted attacks. Organizations should get started early with sensible bring-your-own-device policies and tight network security so that the IoE can be secured and turned into a business asset.