The Internet of Everything, a blanket term denoting the emerging system of wirelessly connected appliances such as thermostats, automobiles and altered reality glasses, is both a tremendous business opportunity for technology vendors and a prime target for cybercriminals. At the 2014 Consumer Electronics Show, Cisco CEO John Chambers estimated that the IoE could become a $19 trillion market over the next few years, an assertion that is hardly an outlier. McKinsey has projected that IoE applications could drive as much as $33 trillion of economic activity by 2025, while Gartner thinks that their impact could total nearly $2 trillion by 2020. But as vendors and the public become more acquainted with the IoE, are they prepared for the risks associated with this more intelligent, interconnected infrastructure?
Security has taken a back seat in the current land grab for IoE technologies
The IoE is already here, although consumers may not realize it yet because many of its most distinctive devices still cater to niche audiences. For example, this year’s CES booths were full of sensor-laden fitness and health trackers that follow in the footsteps of the Nike+ Fuelband and the Jawbone Up. These gadgets have received plenty of press, but they haven’t captured the public imagination in the same way that smartphones and tablets have. Data tracking website NerdWallet pegged the fitness tracker market at $85 million in 2013, a sliver of the multi-billion dollar mobile phone industry, ABC News reported.
However, technology giants are betting that consumers will soon care a lot more about IoE devices. Take Google for example. It recently acquired Nest, a company that makes Internet-enabled thermostats, to get a better foothold in IoE hardware. Plus, while its Google Glass heads-up display has been a commercial and cultural non-starter so far, the headset’s media prominence and ethos of a fully immersive online experience may have spurred Facebook to acquire Oculus, the maker of a virtual reality headset designed for video gaming. There’s a land grab for IoE technologies as vendors look for the next big computing platform, and security considerations are taking a back seat to commercial ambition.
Trend Micro researcher Robert McArdle noted that AR in particular could become mainstream in 2014, in part because its use case is ill-suited to a phone. McArdle noted the innovations of the Oculus Rift, as well as the historical trend of gamers being targeted by cybercriminals. Recent distributed denial of service attacks on properties such as League of Legends and the 2011 compromise of the Sony PlayStation Network demonstrate the danger, and the move toward AR and the IoE could open up new vulnerabilities.
“AR works best with full immersion – and that’s where wearable technology like Google Glass and SpaceGlasses come in,” wrote McArdle. “There are many interesting technical and even psychological attacks that can be carried out against such devices. For example, owners of these devices are (almost literally) walking around with a camera attached to their head. It’s not a major leap for a criminal specializing in banking malware to realize that this is an excellent way to capture banking PINs and passwords.”
These specific dangers – which would bring the technical capabilities of desktop and mobile malware to the IoE – are over the horizon for now. Lack of consumer enthusiasm for IoE devices limits the target audience for malware, making it impractical for cybercriminals to devote many resources to hacking AR headsets or smart watches. However, there are less glamorous parts of the IoE that are already under attack, exhibiting vulnerabilities that could lead to more trouble down the road.
VoIP phones and routers vulnerable
Network infrastructure is the backbone of the IoE. As more devices become IP-enabled, the stakes become higher for securing routers and switches, in addition to the endpoints themselves.
Even while Cisco touts the potential of the IoE, the networking giant has had to issue security fixes for several popular wireless LAN controllers. Prior to the updates, it was possible to compromise this hardware and use the network to stage a DDoS attack or improperly gain privileged access. Similarly, the recently identified Moon Worm threat caused headaches last month for users of some old Linksys routers. It exploited an authentication bypass vulnerability to take over routers and then replicate itself.
These incidents underscore the challenges ahead in protecting the IoE, since cyber security in this context means properly monitoring and responding to threats that could target a network, device, application or some combination thereof. In other words, security professionals must take a holistic approach and also seek the help of equipment vendors. They have to look even at everyday devices that they may not consider parts of the IoE, such as VoIP phones.
Slate blogger Lily Hay Newman noted the lack of security for IoE devices across the board, while also positing that typical PC and smartphone patching procedures may not translate well to new networked appliances. Endpoints such as VoIP phones could provide an easy entry route for attackers looking to exploit neglect of IoE infrastructure.
“Companies can release security updates or patches when they learn about vulnerabilities in their devices, but who is going to do a software update on their refrigerator?” asked Newman. “The problem is particularly troubling in an industry where there are Internet routers in every office and a voice over Internet protocol phone on every desk. Even if attackers can’t get into your computer because it’s running anti-virus software, they can still get eyes and ears in your office by hacking a VoIP phone or video console unit.”
Securing the IoE requires attention to routers, phones and other seemingly mundane hardware, not just cutting-edge AR headsets or fitness trackers. By focusing on this older infrastructure first, vendors and organizations may be able to realize the scope of their undertaking in defending IoE assets. Using protective software and following best practices such as changing the default password on an endpoint will still be relevant, but security teams have to be cognizant of the uniquely dispersed vulnerabilities in the IoE.