The Internet of Things Must Not Be Allowed To Turn Into The Internet of Trouble


Over the past couple of years there has been a huge upsurge in the number of information security incidents, ranging from ransomware that "kidnaps" your digital assets and holds them to ransom, to alleged hacking campaigns by nation states against global companies.

There have been high-profile incidents, from the Yahoo breach, which compromised more than 500 million accounts, to the cancellation of surgeries and other medical procedures at a hospital in the United Kingdom in recent days.

We also had a chilling demonstration of how fragile the ecosystem of the Internet is when the DNS provider Dyn was among a group of companies flooded with a distributed denial-of-service (DDoS) attack and left unable to answer the legitimate traffic they were supposed to process. Because Dyn resolves domain names for many large sites, this caused a massive availability problem for large swathes of the Internet, including major brands such as Amazon, Twitter, PayPal and Spotify. Their systems were up and running, but customers in many parts of the world could not reach them.

This was the second attack on a scale never before witnessed on the Internet; the first was an attempt to silence the security journalist Brian Krebs by flooding his website. Society does not benefit from the silencing of an investigative journalist.

There would be outcry if this sort of attack on investigative journalism happened in the "real world" rather than online.

These attacks were carried out by a massive botnet: an army of Internet-connected devices with such poor security controls that a hacking group was able to install its own software on hundreds of thousands of them around the world.

Somewhat ironically, these were security devices. They were security cameras that people had bought to protect their homes, their loved ones and their personal assets. Many of these cameras were connected to digital video recorders (DVRs) that record the footage from them. The malware, known as Mirai, got in simply by logging in over telnet with the factory-default usernames and passwords that the devices shipped with and that owners never changed. Its source code was subsequently published on the Internet, so that anyone can now build a botnet of their own from it.
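The point about default credentials is worth making concrete. Below is an added example, not code from the original article or from any vendor, that does two things: it checks a device's configured login against a handful of the factory-default username/password pairs that the published Mirai source code tries, and it runs a simple detection over telnetd login records to flag a source address that is sweeping default usernames, and one that succeeded after sweeping. The log format, the hostname "dvr01" and all of the log lines are constructed for the example; the credential pairs are real entries from Mirai's dictionary.

```python
import re
from collections import defaultdict
from datetime import datetime

# A small subset of the factory-default username/password pairs that the
# published Mirai source tries over telnet. The real list is longer; these
# are well-known entries for common DVR and IP-camera firmware.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "xmhdipc"),
    ("root", "default"), ("root", "123456"), ("root", "54321"),
    ("support", "support"), ("admin", "password"), ("root", "root"),
    ("root", "12345"), ("user", "user"), ("admin", "1234"),
    ("admin", "12345"), ("guest", "guest"), ("ubnt", "ubnt"),
}
DEFAULT_USERNAMES = {user for user, _ in MIRAI_DEFAULTS}


def credential_is_factory_default(username, password):
    """True if a device with this login would fall to Mirai's dictionary."""
    return (username, password) in MIRAI_DEFAULTS


# Assumed (constructed) telnetd log format, one login result per line.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ telnetd\[\d+\]: "
    r"login (?P<result>failed|succeeded) for user (?P<user>\S+) "
    r"from (?P<src>[\d.]+)$"
)


def parse_line(line):
    """Return (timestamp, result, username, source_ip) or None if no match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    # syslog timestamps carry no year; pin one so timestamps are comparable
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2016)
    return ts, m["result"], m["user"], m["src"]


def detect_telnet_sweep(lines, window_seconds=60, threshold=3):
    """Map source IP -> 'sweep' or 'compromise'.

    'sweep': at least `threshold` failed logins with a default username
             from one source inside `window_seconds`.
    'compromise': such a sweep followed by a successful login from the
             same source, i.e. one of the defaults worked.
    Sources below the threshold (an admin mistyping once) are not reported.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            ts, result, user, src = parsed
            events[src].append((ts, result, user))

    findings = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e[0])
        failures = [ts for ts, result, user in evs
                    if result == "failed" and user in DEFAULT_USERNAMES]
        sweep_started = None
        for i, t0 in enumerate(failures):
            in_window = [t for t in failures[i:]
                         if (t - t0).total_seconds() <= window_seconds]
            if len(in_window) >= threshold:
                sweep_started = t0
                break
        if sweep_started is None:
            continue
        succeeded_after = any(result == "succeeded" and ts >= sweep_started
                              for ts, result, _ in evs)
        findings[src] = "compromise" if succeeded_after else "sweep"
    return findings


# Constructed sample log: one scanner that gets in, one legitimate admin
# who mistypes once, and one scanner that is still trying.
SAMPLE_LOG = """\
Oct 21 11:02:17 dvr01 telnetd[233]: login failed for user root from 198.51.100.23
Oct 21 11:02:18 dvr01 telnetd[233]: login failed for user root from 198.51.100.23
Oct 21 11:02:19 dvr01 telnetd[233]: login failed for user admin from 198.51.100.23
Oct 21 11:02:20 dvr01 telnetd[233]: login succeeded for user root from 198.51.100.23
Oct 21 11:05:41 dvr01 telnetd[240]: login failed for user admin from 192.168.1.10
Oct 21 11:05:55 dvr01 telnetd[240]: login succeeded for user admin from 192.168.1.10
Oct 21 11:07:02 dvr01 telnetd[251]: login failed for user support from 203.0.113.9
Oct 21 11:07:03 dvr01 telnetd[251]: login failed for user user from 203.0.113.9
Oct 21 11:07:04 dvr01 telnetd[251]: login failed for user guest from 203.0.113.9
Oct 21 11:07:05 dvr01 telnetd[251]: login failed for user ubnt from 203.0.113.9
"""

if __name__ == "__main__":
    print("root/xc3511 is a Mirai default:",
          credential_is_factory_default("root", "xc3511"))
    for src, verdict in sorted(detect_telnet_sweep(SAMPLE_LOG.splitlines()).items()):
        print(f"{src}: {verdict}")
```

The honest caveat is that a device which still answers telnet on the open Internet is already lost; the detection above is what an ISP or a home router vendor could run, whereas the fix for the consumer is to change the default password, or better, to buy a device that forces a unique one at first boot and does not expose telnet at all.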

Belatedly, the manufacturer of many of the affected devices has issued a recall to customers who purchased through official channels, but take-up of this offer is likely to be slow.

So what does this mean for the average Internet user?

Unfortunately, as things stand, it is not good news. This article is not meant to be a prophecy of doom, but as long as there is money to be made through crime on the Internet, things will only get worse. Regulation of the global platform we all share is so limited, and legislation and the capability to enforce it so nearly absent, that the situation cannot get better in the short term.

We are already on an exciting journey into the "Internet of Things" (IoT). If you were to believe all the marketing hype, this will transform all our lives: smart-home heating systems, fridges that reorder products as they run out, lighting systems we can monitor remotely, and so on. Undoubtedly, many of these things will be of huge benefit, particularly in health and security scenarios for people who are isolated or have limited mobility.

However, as Mirai has shown, if these systems are not secure then the very future of the Internet and all its benefits will be threatened. This is not hyperbole or scaremongering.

Within Europe, we have the CE (Conformité Européenne) mark, applied to products that have demonstrated conformance with specific product standards. Some classes of products cannot be sold in Europe without it. A consumer purchasing a CE-marked product can take some comfort in the fact that the product is unlikely to harm them or anyone else if used according to the manufacturer's guidelines, even though for most product categories the mark rests on the manufacturer's own declaration of conformity rather than on independent testing. There is currently no equivalent for devices connected to the Internet. Anyone can buy any product from any supplier, through any commercial channel, in any jurisdiction, and simply plug it in to their Internet connection.

Unfortunately, a "perfect storm" is developing here. Consumers have very little awareness of what they should be looking for, from a security perspective, when purchasing a new product.

Price tends to be the deciding factor, and more and more of these purchases are made over the Internet and delivered from suppliers in other jurisdictions. Until consumer awareness increases, and consumers take responsibility for choosing a cheap but insecure device over a more expensive one with demonstrated compliance with standards in the area, it will be very difficult to keep the Internet safe.

When purchasing a car, we are all well aware of the safety features, and these are often key decision factors for those with young families. NCAP ratings are heavily promoted by safety-conscious manufacturers. Manufacturers are also acutely aware of the potential for fines and compensation claims in the event of their products causing harm.

The lack of consumer awareness combined with a dearth of regulation or legislation in the area of consumer devices that are internet connected is a recipe for disaster in the long term.

This lack of regulation or legislation applicable across all the jurisdictions connected to the Internet is a fundamental issue for its users, now and into the future. States across the globe are struggling with far more serious issues, such as wars, famines and natural disasters, and quite rightly will not commit to a global effort to secure the Internet, even supposing the will for such an effort ever existed.

Consider again the compromised cameras and DVRs. Anyone who could log in to them could control the devices, access the content on them, plant malicious or misleading footage, delete footage of a crime, determine when someone is at home or not, and so on.

One area where we are seeing regulatory requirements is the European Union General Data Protection Regulation (EU GDPR). This regulation, which applies from May 2018, sets out the principles of data protection by design and by default. This is a principle that all of us in the InfoSec industry are excited to see. Our desire would be to see it extended to all other situations, not just those that process personal data.

The directive on security of Network and Information Systems (NIS) from the European Union was formally adopted in the summer of 2016, and member states have 21 months, until May 2018, to transpose it into national law. It has wide-ranging implications for operators of "essential services" and how they handle cyber security and cyber incidents.

However, it does nothing to address the issues highlighted recently with regard to the security of consumer devices connected to the Internet.

The Internet is a utility in the same way as the water service, the electricity grid and transport networks. Many people cannot carry out their daily tasks or jobs without reliable Internet services. As we move further into the IoT, and especially as health-related devices come to depend on the Internet, it transitions from a useful tool to a critical service.

Regulators and legislators must do more to ensure a basic level of InfoSec quality in the IoT and other connected devices offered for sale. This could go as far as requiring the equivalent of CE conformance, from an information security perspective, before a device may be placed on the market.

Consumers must be made more aware of the risks of connecting insecure devices to the Internet, installing them in the home, or giving them to children or other vulnerable members of society. We have seen the withdrawal from sale in the past year of the motorised devices often referred to as "hoverboards" because of battery fire safety concerns. The same has recently happened with a mobile phone over battery safety issues.

The Internet of Things must not be allowed to turn into the Internet of Trouble. There are so many opportunities for IoT devices to contribute to society and to the next wave of Internet usage.

Now is the time to ensure that attacks such as those built on Mirai belong to the past, not the future.

Source: Independent
