In a connected world, where alarm clocks can measure the depth of sleep, beds can gauge the health of your heart, and lamps automatically adjust to your moods, everything is linked to the Internet. The ‘Internet Of Things’ (IoT) has been the topic of discussion for over two years now, and major corporations are already taking steps in developing technology for it. But has security of these devices evolved with them?
In 2015, a group of hackers demonstrated how a Jeep Cherokee can be hacked while on the move, just by using a phone network. It led to the driver losing control of the moving vehicle, which was eventually parked safely. Everything from pacemakers, baby monitors, fitness trackers, consumer drones, smart homes and networked medical devices have either already been hacked or demonstrated to be vulnerable.
Chinmayi SK - Technology consultant
“IoT devices, though convenient, have increasingly been a cause of concern when it comes to their role in violation of individual privacy and security of private data,” says Chinmayi SK, a technology consultant for non-profits working in the human rights sector and lead at Random Hacks of Kindness. She looks at technology policies and methodologies based on her understanding of rights. An Internet-connected toy that contains data about a child and her parents, could lead to serious identity theft issues if hacked. This is not just speculation. In the span of the last two years, toy firms VTech and Spiral Toys had customer data stolen from their databases.
For some, this might not be a big enough worry, but there is cause for concern. The Mirai bot took down the Internet on the East Coast of USA a few months ago. “The Mirai bot is basically a very simple script that performs DoS (Denial of Service attacks) on (web)sites from smart devices running on Linux (operating system). The problem arises because both user and manufacturer fail to change the default password for their device, which makes it easily accessible to attackers,” says Arun Magesh, a security engineer who deals with hardware and wireless communications. Both big corporations and start-ups are riding the ‘IoT wave’ by building products quickly and pushing them out to the consumer market.
Most start-up engineers Magesh has interacted with in India overlook security almost totally while building products, leaving the user vulnerable.
04bgmpFaud
“Hacking a crucial medical device by either physically or remotely tampering with it could literally kill the patient,” he continues. Researchers have already exposed these vulnerabilities in the past. While some of them are leading to a change in the way products are developed, most of these revelations are not leading to definite action, at least not yet.
Things aren’t easy for start-ups either. “The Medtech start-up space in India is still in its nascent stage. The industry is heavily regulated, and hence security is the last thing that comes to mind for Indian founders. However, if the solutions are aimed at the West, then unfortunately, that should be the first thing that needs to be handled,” says Shreekant Pawar, CEO of Diabeto.
“Although we have implemented security protocols according to the compliances in US and Europe, none of the software/hardware in the world is unhackable. However, we have taken steps and have a contingency plan in case of emergencies,” says Pawar. With most of his user base in India and 98% B2B business, he is answerable to security-related questions as a mandate.
On the other side of the spectrum are big legacy companies, who are trying to adopt the trend. Faud Khan is the CEO of TwelveDot, a security consulting company based out of Ottawa, Canada. He is also the current Canadian Chair for ISO/IEC SC27 – the ISO standards group that develops cyber security standards. He says most are still trying to catch up with new technology and ways of leveraging it. “One thing to realise about IoT technology is that getting compromised is not a matter of how but when,” he says. There have been cases where employees bring in consumer-grade IoT products into the work environment, and they become pivot points for attacks against corporate assets. Companies need to plan for this. He throws some light into future smart cities as well.
Arun Magesh - Security Researcher
“Smart city projects in Canada want to provide more real-time information to citizens about services and conditions. It requires them to track citizens to offer these services, and the biggest concern is privacy. The client can share lots of data, but if it becomes compromised, the city collecting it is now liable under new legislation in Canada. Cities are taking the time to understand the risks and prepare for the eventuality of a data breach,” he says. He has worked out a series of absolutely essential steps that companies and countries must take to ensure the security and privacy of citizens.
With India moving towards smart cities, we have a lot of learn from Canada. Are we as a nation prepared to tackle the threats posed by IoT? “We have a growing number of security professionals, who are experts in using secure protocols. But there are not many security standards set aside for IoT devices. This being a new field, there is a lot of work to be done in terms of regulations. We are also a country that does not have privacy laws. So I would say we are not prepared to host large numbers of IoT devices,” says Chinmayi.
Convenient as they might be, IoT devices come with their own risks. Maybe being a little paranoid will help us be safe.
Simple security tips
Change the password of your devices regularly.
Ensure your home Internet router and firewall are locked down and updated regularly.
If you are using your mobile phone or tablet to access devices in your home, make sure this too is locked down. Using insecure WiFi could lead to device logins being captured and providing someone else with access to your home.
