A raft of vulnerabilities uncovered recently in connected cars, medical devices and support systems highlight the need for a stronger focus on security in the IoT space, experts have said.
Security researchers attending the Derbycon security conference last month reported finding "thousands" of medical devices that were vulnerable to remote attacks via the public internet.
Gartner analyst Jeffrey Wheatman observed a similar talk at August's Def Con 23 hacking conference in Las Vegas, where researchers at Protiviti discussed over 20 vulnerabilities uncovered in medical devices and support systems.
Wheatman, who authored the paper, Musings From Def Con 23: Internet of Things Risks Are Bad and Likely to Get Worse, believes organisations need to do more to secure IoT environments.
“Organisations continue to ignore, or at least underestimate, the significance of the threats related to the Internet of Things,” he said.
“The ability of security and risk management professionals to protect their organisations from IoT risks is hampered by business leaders that are not concerned at this time in hearing about new types of risk.”
Intel Australia’s enterprise solutions sales director David Mellers agrees.
“We need to ensure we’re not deploying IoT solutions and then retrofitting them with security, Mellers told IoT Hub.
“IoT has the potential to open up entities and accessible networks quite dramatically.
"It’s critical we get this right as soon as possible and don’t allow security concerns to hinder the progress and innovation that is occurring."
Cars, safes also vulnerable
Security threats aren't limited to medical IoT environments; researchers have uncovered a number of vulnerabilities recently in connected-car systems.
In July, Chrysler’s Uconnect in-car system was exposed by hackers as vulnerable to remote takeover. This led to the recall of over 1.4 million cars.
Tesla’s Model S, one of the most ‘connected’ cars available today, was proven to be quite secure during the recent Def Con 23 event.
Some vulnerabilities were uncovered, but Tesla’s CTO JB Straubel – who was in attendance – was quick to thank the researchers who uncovered the vulnerabilities, and Tesla quickly released a patch for its vehicles.
New varieties of safe have also been outed as vulnerable.
US firm Brinks make the CompuSafe Galileo 'smart safes', which are used by retailers, restaurants and convenience stores.
Researchers were able to use a USB port on the safe - which is normally used to allow technicians to perform maintenance - to insert a malicious script that could allow a thief to automatically open the safe's doors by emulating certain mouse and keyboard actions and bypassing application protocols.
Old challenges in new world
One of the challenges for securing IoT devices is that many are coming from manufacturers that do not normally incorporate connectivity into their products.
This means that companies may be releasing internet-connected products without performing the due diligence around securing the connections.
In addition, the number of connected devices used by consumers and industries is growing at an exponential rate.
A SANS Institute survey last year saw about half of respondents identify either as unprepared for IoT security, or believing that being prepared would involve some "major" work.
A BYOD repeat?
The challenges organisations face with IoT are in some ways akin to the early proliferation of Bring Your Own Device (BYOD) in the workplace.
Companies saw the opportunity to improve their employees’ job satisfaction and productivity by allowing them to bring their own computers and mobiles to be used in a corporate environment.
However, full consideration was often not made around ensuring the security of the company’s existing infrastructure and data as a result of the introduction of these ‘foreign objects’ into the network.
This led to unnecessary pressure on IT departments within organisations to implement band-aid solutions to ensure the security and integrity of their networks, systems and data.
The security lessons learned during BYOD rollouts in organisations have just as much merit in the IoT space as well. Data and device security must be front of mind at all times.