November 9, 2017

The Real Reason Your IoT Security Doesn't Work


We're being engulfed by the IoT swarm. What's the real cost? Security professionals are fumbling, and it's no surprise. Historically, we're seeing undeniable parallels to cybersecurity's very foundation.

In its beginnings, cybersecurity was straightforward: security professionals would put up a perimeter firewall, IDS, and access control lists, create a layered model, and set up a traditional architecture. Their approach to security was maximized, and they were content. But that’s no longer the case.

Back in 2006, BlackBerry took over the corporate mobile market with 50% ownership. Because everyone wanted a BlackBerry, IT security teams were suddenly asked to punch new firewall holes to use the BlackBerry Enterprise Server (BES) at the office. In turn, they offered a proprietary OS within their full control. That was one of the biggest turning points in the IT security landscape.

BlackBerry responded by creating a secure network. Corporate IT and users were satisfied—temporarily. Then, in 2007, the iPhone came along. The era of BYOD began to proliferate, and with it, threat vectors changed forever. IoT is the next iteration of BYOD attack surfaces, and now, we’re introduced to a threat architecture built around physical cybersecurity.

We’re now getting acquainted with IoT as a bridge between online cybersecurity and physical cybersecurity. Think of something as simple as smart appliances. These days, you have everything from smart cities with interconnected street lights to houseware appliances—a smart grill, for instance—embedded with Linux technology.

Yet the manufacturer brushes off the idea of patching the software. Your smart grill, camera, or video recorder becomes a snug little home for mass data collection. An electric grill information leak sounds ridiculous, but that’s exactly why it should stick. It’s fresh blackmail meat, ripe for the next cybercriminal to pluck.

Security flaws arise when vulnerabilities are exploited. Just a couple weeks ago, LG SmartThinQ home appliances were at risk when "researchers uncovered a flaw in the mobile app and authentication process and the way in which it interacts with the LG infrastructure between apps and the devices," according to ZDNet.

Yet, business leaders are still riddled with anxiety. A survey by Forrester Consulting found the IoT would potentially cause security challenges for 77% of respondents. Of those, 82% would have a hard time identifying connected devices in their network, and were unclear about who's in charge of securing IoT hardware.

This uncertainty is causing a mismatch in the security ecosystem. To ward off IoT threats, that mismatch needs to be addressed. As IoT devices are given life, their infrastructure is nothing more than a soft shell. We cannot install bare-bones software into IoT devices, ship them off to consumers, and hope for the best.

Let's say you want to set up a building with IoT sensors that are dedicated to monitoring environmental controls. Typically, the manufacturer of those sensors banks on a 5-year lifespan before eventually replacing them. It’s not an indefinite lifespan by any means.

There’s no direct benefit to ensuring the software upkeep, so manufacturers leave up-to-date patches by the wayside, and in the hands of the consumers. Nor do they offer a means of reinforcing connected security, or even a heads-up. Enjoy your brand-new office's espresso machine that uses voice recognition to piece together a custom profile for brewing your favorite dark roast. But if the software goes haywire and exposes your entire office network to a hacker, then good luck, consumer!

With the climb of the IoT inching us toward the 8 billion mark, our risk profile shifts, and it's no longer just about cybersecurity, but also encroaches on the realm of physical cybersecurity. The stakes rise. Let’s say a hacker successfully cracks into a server. Now compromised, a data breach hands over 10,000 credit card numbers. Inconvenient, sure, but no one’s life is at risk.

But with a system like connected cars—poised to tick up to 250 million by 2020—it does break the barrier of cybersecurity to physical cybersecurity. It brings human lives into the equation. Instead of one car crashing on the freeway, it’s all of their connected cars. Not to mention innocent pedestrians along their path. The IoT opens the gateway to these threats with little to no preventative measures in place.

Therein lies the beauty of preventative indoor security using indoor positioning and indoor analytics (IPA). IPA uses RF sensors to detect active wireless signals in any physical space and passively pieces together a device Reputation Profile for each device and network, based on all viewable deployments. They’re placed in a virtual security dome, where a dashboard displays all devices, distinguishes the known signals, and pings the unknown.

We then upload that device profile and network for disparate places. It can cover an entire corporate campus, or anywhere involving hundreds of thousands of people moving through the system on a regular basis.

Inpixon Analytics answers and analyzes: Where was it, what was it doing, what and who did it connect to, and how did it connect to others?

Modern devices are increasingly connected daily to multiple networks. Compromised devices affect every credentialed network, not only the one where the breach originated.

When protected information is exposed, a single breach has an exponential ripple effect on customers, employees, and shareholders. It only takes one rogue device. As IoT shifts the terrain, we need to evolve, or else risk a collapse at the mercy of physical cybersecurity holes.

Topic(s): Security
