Security & Privacy Concerns in IoT Devices
Today, in the IoT era, competing systems and services are being streamlined in various areas of the world, and new businesses are emerging from the ground up. In turn, whether we like it or not, people's lives become more convenient. As we have highlighted time and time again here at Hackercombat.com, convenience is a natural enemy of security. The fact that we attach Internet-dependent sensors to the things we interact with means that our personal information is more likely to be collected, either by the vendor/service provider or by some other 3rd party. In other words, there is a danger of someone watching over our daily activities, our habits and the data we create.
Where personal information is stored, it can be drawn out, analyzed and used by unknown parties because it is so easily available. One of the reasons IoT has become a problem is that these devices are relatively easy to buy. There are devices that are likely to cause serious problems if operated by an unauthorized user, such as IP cameras that are left running 24/7 with an Internet connection. The same goes for medical equipment and new car models such as those released by Tesla. We are highly dependent on “convenient” technology, without fully understanding the implications of our purchases for our personal privacy and data security.
For cybercriminals, motivation is directly linked to money. Vulnerable machines that seldom receive patches and security updates, such as ATMs, are very much exposed to possible attacks. The POS terminals used by various merchants, which used to have just a direct link from the POS device to the bank’s systems, are now connected to the Internet, which is especially convenient for customers who use Visa or Mastercard services.
IoT devices in offices and private homes directly conflict with how we have treated computing. Today safety can only be assured through an air gap. Basically, in order to minimize the chance of becoming a victim of cybercriminals, the only viable solution is to disconnect from the Internet. Online users need security assurance too, but it requires a different approach, as working offline is not really an option for them; a dedicated machine with an Internet connection is always required.
The acquisition of IoT devices needs to be studied thoroughly: are they really needed by the office? There is still no standard when it comes to these devices, as Google’s Android Things and Microsoft Azure Sphere are still competing for domination in the IoT space. IoT devices also have weaker processors (SoCs), much less sophisticated than those of an entry-level smartphone, in fact. Such hardware cannot host complex apps like antivirus software; as we have learned the hard way, installing an antimalware product increases system resource usage, which a weak computing device cannot provide.
At the very least, if a firm decides to embrace the IoT revolution, such devices need to be behind a hardware firewall. Giving them a connection that is physically not connected to the main corporate network, but only a plain Internet connection behind a NAT, will greatly secure them. IoT vendors also issue regular firmware updates for their devices, and these updates contain bug fixes and security patches. A system administrator worth his salt will not delay updates for IoT devices.
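The segmentation advice above can be checked mechanically. The following is an added example, not code from the original article: it audits an ordered, first-match firewall rule list to confirm that the IoT segment and the corporate network cannot reach each other while the IoT segment keeps the Internet egress it needs for firmware updates. The address ranges, the rule format and the sample rule sets are constructed assumptions.

```python
import ipaddress as ip

# Constructed lab addressing (assumption, not from the article)
IOT = ip.ip_network("192.168.50.0/24")
CORP = ip.ip_network("10.10.0.0/16")
PUBLIC_HOST = ip.ip_address("203.0.113.10")  # documentation range (TEST-NET-3)
ANY = "0.0.0.0/0"

# Constructed rule sets: (action, source, destination), evaluated top-down
SEGMENTED = [("deny", str(IOT), str(CORP)), ("deny", str(CORP), str(IOT)),
             ("allow", str(IOT), ANY), ("deny", ANY, ANY)]
FLAT = [("allow", str(IOT), ANY), ("allow", str(CORP), ANY), ("deny", ANY, ANY)]
# Same rules as SEGMENTED, but the broad allow shadows the IoT->corp deny
MISORDERED = [("allow", str(IOT), ANY), ("deny", str(IOT), str(CORP)),
              ("deny", str(CORP), str(IOT)), ("deny", ANY, ANY)]

def parse(rules):
    return [(a, ip.ip_network(s), ip.ip_network(d)) for a, s, d in rules]

def first_match(rules, src, dst):
    """Verdict for one packet under first-match semantics (default deny)."""
    for action, s, d in parse(rules):
        if src in s and dst in d:
            return action
    return "deny"

def segment_can_reach(rules, src_net, dst_net):
    """Conservative check: True if an allow rule can match src_net -> dst_net
    traffic before a deny rule that covers the whole flow."""
    for action, s, d in parse(rules):
        if not (s.overlaps(src_net) and d.overlaps(dst_net)):
            continue
        if action == "allow":
            return True
        if src_net.subnet_of(s) and dst_net.subnet_of(d):
            return False  # whole flow denied; later rules are irrelevant
    return False  # nothing matched: default deny

def audit(rules):
    findings = []
    if segment_can_reach(rules, IOT, CORP):
        findings.append("IoT segment can reach the corporate network")
    if segment_can_reach(rules, CORP, IOT):
        findings.append("Corporate network can reach the IoT segment")
    if first_match(rules, IOT[10], PUBLIC_HOST) != "allow":
        findings.append("IoT segment has no Internet egress for firmware updates")
    return findings

if __name__ == "__main__":
    for name, rules in [("segmented", SEGMENTED), ("flat", FLAT), ("misordered", MISORDERED)]:
        print(name, audit(rules) or "OK")
```

The reachability check is deliberately conservative: it may flag an allow rule whose overlap with the flow is already covered by several earlier partial deny rules, which is the safer direction for an audit to err in.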