Experts worry over Internet of Things security
IoT attacks set to move past proof-of-concept stage in 2015, experts warn
Security experts are warning that Internet of Things (IoT) devices will be increasingly targeted by cyber-criminals in 2015, as uptake continues to grow among consumers and enterprises.
According to a recent Cisco report, 2015 will be a “tipping point” for the Internet of Things, with the number of connected objects forecast to grow to 50 billion in 2020. However, security experts have warned that little thought is being given to the security credentials of these devices, with some accusing IoT device manufacturers of rushing products into production without considering the security implications.
James Lyne, global head of security research at Sophos, said that, in 2015, Internet of Things attacks will move from the proof-of-concept stage to becoming “mainstream risks.”
“In 2014, we’ve seen more evidence that manufacturers of Internet of Things devices have failed to implement basic security standards – either they haven’t learned from the long and painful history of failures of mainstream computing or, in their rush to go to market, they just don’t care,” he said.
“I’ve personally hacked wireless routers with web attacks such as command injection, CCTV cameras that don’t bother implementing account lockout, and wireless plugs that don’t bother with usernames and passwords and instead explicitly trust the local network.”
Lyne warned that, without better security on IoT devices, attacks on them are likely to have real-world impact. He called on the security industry to evolve with these devices, and on the vendors of these devices to recognise the importance of security. He also said that consumers should grow awareness of the issue, so that it becomes a commercial requirement.
That said, Lyne admitted that the Internet of Things has so far been less exploited than the industry might have expected. He said that this could be down to the fact that cyber-criminals have not yet found a business model that enables them to make money from attacks on IoT devices. But he warned that this would eventually change.
“As use cases grow more diverse, the probability of these emerging [threats] grows far greater – and at present trajectory, the IoT vendor community won’t have buttoned up the security issues before this happens. Worse still, unlike Microsoft, which has learned the hard way about patching, these vendors may not even have an infrastructure to distribute updates in a timely fashion.”
Not all security experts are as worried about IoT threats as Lyne, however – for the moment, at least. According to Corey Nachreiner, WatchGuard’s director of security strategy and research, security surrounding the Internet of Things does not constitute something that enterprises should be worried about in 2015.
“Embedded computing devices (IoT or IoE) are everywhere and have security flaws. However, today’s cyber-criminals typically don’t just hack for the heck of it,” he said.
“They need motive. There’s not much value to having control of your watch or TV at this point, so we won’t see hackers targeting them directly. For now.”