IOT devices targeted by hackers
As the world becomes increasingly connected with the Internet of things (IOT), so cyber security will become an ever-moving target which has to remain top of mind at all times for both vendors and users.
That's the view of Bertus Jacobs, CTO at IOT technology innovator, Centurion-based IoT.nxt.
He was commenting on the 2018 Open Source Security and Risk Analysis (OSSRA) report, which found that 77% of the applications scanned during 2017 by Black Duck's On-Demand audit services department each contained an average of 677 security vulnerabilities.
The report, which was compiled and published by the Synopsys Center for Open Source Research and Innovation, pointed out that hackers are continuously exploiting known vulnerabilities in software to access data via IOT devices.
Examples cited included hackers using Internet-connected toys to gain access to a child's name, school, likes, dislikes and locations; and exploiting vulnerabilities in the software controlling the temperature and salinity of a North American casino's high-tech aquarium to gain access to other casino devices.
According to the report, IOT devices have also been used in physical attacks. In one instance, hackers accessed an Internet-connected car wash to lock vehicles (and their occupants) inside the car wash chamber, and then have the car wash's mechanical arms smash into the vehicles, damaging them. In this instance, the hackers didn't exploit a software vulnerability. They simply used the default admin password (123345).
Special measures needed
IoT.nxt's Jacobs said avoiding security breaches in the IOT area demanded that challenging but essential special measures be taken. These include:
- End-to-end encryption of the IOT solution, from edge to cloud;
- Implementing new developments in electronic design to provide secure hardware-based key storage or crypto modules. The problem, at present, is that the majority of IOT devices do not have this capability; and
- Default usernames and passwords that come with IOT devices must be changed promptly after installation.
Third-party risks
Kerry Curtin, Business Unit Manager: Financial Institutions at Aon South Africa, pointed out that even if a company's own IOT ecosystem is relatively secure, the way in which connected third parties are deploying IOT is often overlooked.
"It is therefore crucial for large organisations to update their approach to third-party risk management, and for small and mid-sized enterprises (SMEs) to implement better security measures, or they could risk losing business," Curtin said.
Despite the huge growth in IOT connected devices (one study cited by Curtin predicted that businesses would have employed 3.1 billion connected "things" by the end of 2017), a 2017 study by the Ponemon Institute found that only 25% of respondents asked for assurances that IOT risks among third parties were being assessed, managed and monitored appropriately.
"As enterprises derive more efficiencies from working with SMEs, hackers will pinpoint smaller businesses that utilise IOT platforms and devices to gain entry into larger businesses. An example is criminals targeting ATM manufacturers and maintenance vendors working with large banks," Curtin said.
"In addition, organisations face risks from smaller service providers of printers or copy machines, security camera systems and other connected endpoints through which client data can be exposed if hacked. As a result, demand for visibility into third-party security will increase and smaller vendors bidding for contracts will have to demonstrate stronger cyber security measures around IOT."