Data Security and The Internet of Things
The Internet of Things (IoT) encompasses any object or device that connects to the Internet to automatically send and/or receive data. This includes common office equipment, such as networked printers and photocopiers, devices that remotely or automatically adjust lighting or HVAC, security systems, such as security alarms and Wi-Fi cameras. Personal wearable devices that employees often bring to work, including fitness devices like Jawbone and Fitbit, smart watches like the Apple Watch and Android Wear, and Google Glass, are also part of the IoT. The IoT has grown very rapidly in recent years as technology companies create more devices with wireless internet capabilities and sensors, and internet access has become more widely available. The analyst firm Gartner estimates that 4.9 billion connected “things” are in use today and projects that number will rise to 25 billion by 2020.
The proliferation of IoT devices has not been matched by corresponding data security measures creating a security risk severe enough to prompt the FBI to issue a Public Service Announcement (“PSA”) earlier this month about the cybercrime dangers of IoT devices. According to the FBI, the two biggest security issues are the failure to change default passwords and Universal Plug and Play protocols (UPnP), which come enabled by default on many new routers and allow them to connect and communicate on a network automatically without authentication.
The combination of deficient security measures, difficulties patching vulnerabilities in IoT devices, and lack of consumer security awareness create vast vulnerability for cyberattacks on businesses.
In addition to identifying security deficiencies, the FBI announcement included some examples of possible cyberattacks via IoT devices, including hacking into security cameras used by private businesses, access to unsecured wireless connections on automated systems like thermostats and lighting, email spam attacks sent from home-networking routers, multimedia centers, televisions, and appliances with wireless network connections, and attacks on business-critical devices such as the monitoring systems on gas pumps. For example, at the Black Hat annual information security conferences this summer, a hacker demonstrated how to sneak out network data via a laser printer. There are also recent reports of cybercriminals hijacking home and office routers and printers to help them overwhelm websites with traffic.
The FBI PSA issued a number of recommendations to reduce the risk of cyberattacks on IoT devices, including:
1. Isolate IoT devices on their own protected networks;
2. Disable UPnP on routers;
3. Consider whether IoT devices are ideal for their intended purpose;
4. Purchase IoT devices from manufacturers with a track record of providing secure devices;
5. When available, update IoT devices with security patches;
6. Change or add passwords on business devices and only allow them operate on a network with a secured Wi-Fi router;
7. Use current best practices when connecting IoT devices to wireless networks, and when connecting remotely to an IoT device;
8. Ensure all default passwords are changed to strong passwords that do not include common words and simple phrases or passwords containing easily obtainable personal information – or, if the device does not allow password changes, ensure the device providing wireless Internet service has a strong password and uses strong encryption.
IoT is growing rapidly and presents new and greater cybersecurity concerns. The burden of reducing these risks lies with consumers as much as — or perhaps even more so — than with companies marketing IoT devices. Ignoring these recommendations leaves businesses vulnerable to cyberattacks.