The Internet of Things (IoT) leverages a network of automation software, sensors, AI, robotics, blockchain, and cloud technologies that generate a virtually unlimited flow of real-time data, fueling measurable growth, innovation, and efficiencies.
Many of us wear some form of IoT sensor. Most homes have some form of IoT in almost every room, thanks to devices like Alexa, Nest, and Ring (to name a few). At the enterprise level, IoT deployments have skyrocketed 333% since 2012. We’ve seen the utility of IoT declared in smart cities, autonomous vehicles, security systems and across critical infrastructure. We’ve previously discussed ways that local governments are combining sensors, connectivity and AI to increase service quality and citizen engagement. Even the Department of Defense is harnessing IoT for programs like ‘Installations of the Future.’
With this incredible potential for insight and efficiency, it’s no surprise that the IoT is projected to generate $8 trillion dollars worldwide over the next decade. By 2020, more than 50 billion devices will connect to the Internet — 83% of those connections will come from IoT.
Digital and smart technologies are transforming our world. The ubiquity of IoT raises operational excitement. It also raises cybersecurity concerns.
The Vulnerabilities of IoT
The most prevalent IoT cybersecurity risks are insufficient privacy protections for personal data and device hijacking — largely caused by the weaknesses of factory set or hardcoded passwords and the lack of security update mechanisms. The recent compromise of sensitive data by a CBP subcontractor put a new spotlight on the discussion about the security of IoT. The compromise was not nefarious — it was the result of an employee of a contractor who neglected to follow data handling protocols. Nonetheless, it highlights the risk of an improperly managed IoT system. It also raises vital questions for any group planning or overseeing an IoT solution:
- What data is collected?
- Where is it stored?
- Who has access to it?
- How is it secured?
- Who owns the data?
- Does that ownership change?
The inherent vulnerability of IoT is complex, particularly as organizations strive to balance data access and security. In a recent panel discussion on the topic, we examined the most common risks and pitfalls of IoT implementation.
Using factory-set passwords
- The OWASP (Open Web Application Security Project) and industry experts agree that factory set and hardcoded passwords rank as the most pressing IoT device security problem. Despite the obvious nature of the issue, weak passwords remain a common challenge among IoT manufacturers.
- Risk mitigation approach: Don’t use the password provided with the IoT device
Limited security update mechanisms
- Devices change often due to the rapidly expanding market, meaning manufacturers may only provide firmware updates for a limited amount of time, regardless of how long a user is employing the device. OWASP indicates that many manufacturers are unable to update devices securely because they lack firmware validation on the device, delivery security (unencrypted in transit), anti-rollback mechanisms, and notifications of security changes due to updates.
- Proposed risk mitigation approach: Track and monitor the maintenance schedule provided by the manufacturer after you have deployed the device
Insufficient privacy protections for personal data
- Hackers can access private information simply by identifying an unsecured device within an IoT system. Many examples (including the CBP hack) exist of user data being questionably stored, not anonymized, and not thoroughly secured, so it’s no surprise that 97% of risk professionals surveyed say they fear that an attack on unsecured IoT devices would lead to a catastrophic data breach.
- Proposed risk mitigation approach: Ensure you are storing redacted and anonymized data both at rest and in transit
- Hackers can access any device connected to the network, whether active or abandoned. Multiple people have reported incidents of their Nest smart thermostats and in-home cameras being hijacked and manipulated.
- Proposed risk mitigation approach: Maintain and patch all connected devices, even if they are not currently active
Leveraging the power of advanced technology like IoT requires patience and diligence. In too many cases, the desire for speed trumps the time required for security. It is imperative that teams take the time to understand new risks introduced by technology and to develop strategies to address them. Particularly in the case of IoT devices, risks change over time and your security strategy must stay on pace.
Get more insight on how civilian and agency groups are leveraging and protecting the data coming out of the IoT proliferation in this live panel recording from AFWERX Fusion 2019.
 Zebra Technologies and Forrester Research joint study
Tyler Sweatt is a GovLoop Featured Contributor. He is the founder and Managing Partner at Future Tense. Tyler works to identify and address risks and opportunities in changing environments. He advises startups across the cybersecurity, artificial intelligence, and physical security domains, and regularly supports R&D, S&T, M&A and strategy initiatives across DHS, DoD, the IC and Fortune 500 organizations. Previously, Tyler worked at futurist consulting firm Toffler Associates, leading emerging technology and security efforts, and worked at Deloitte where he focused on rapid technology acquisition for DoD. A West Point graduate, Tyler served as a Combat Engineer and Counterintelligence Officer with the Army, serving multiple combat deployments. You can find him on Twitter @Tyler_Sweatt.