Technology evolution has led to the emergence of low-power IoT devices with high processing performance, large internal data storage capacity and wireless communications interconnectivity.
The ability to integrate small low-cost sensors into these devices has led to a greater range of embedded and wearable products and associated services. The inclusion of microphones and cameras in IoT products has also raised concerns over privacy, both in the workplace and in the home.
To increase the level of trust in the use of IoT devices and services, reduce exposure to risk and drive greater adoption, developers and manufacturers must be aware of the potential vulnerabilities and ensure that these are reduced or removed.
IoT-based systems become vulnerable in several ways:
These issues create particular challenges for smaller or highly distributed organisations that may not have a full-time member of staff responsible for cyber security. It might fall to an IT or operations member of staff as only part of their job.
Even in larger organisations with dedicated cyber security staff, the sheer number of devices an organisation handles can still create a challenge.
This was highlighted in a BBC interview with the Chief Information Security Officer (CISO) for the largest health provider in New Jersey, USA. The CISO was responsible for 13 hospitals containing 30,000 computers, 300 apps, a data centre and company mobile phones. During an IoT audit he discovered 70,000 IoT devices accessing the company’s network – these were devices like security cameras or uninterruptible power supplies.
Many were not registered with the IT department and did not meet security standards, making them vulnerable to attack.
The potential consequences in this case were very worrying – the theft of personal medical data or an attack on the systems that provide power to life-critical machines in the event of a main power failure.
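The audit described above comes down to one check a defender can automate: reconcile what is actually talking on the network against what the IT department has registered. The following is an added example, not code from the original article or from the organisation it describes. It uses constructed DHCP lease lines in an ISC-dhcpd-like layout (an approximation, not a real capture), a constructed inventory keyed by MAC address (the assumption being that MAC is the registration key), and flags every leased device that has no inventory entry. MAC addresses are normalised first, because leases, switch tables and inventory spreadsheets rarely agree on colons, hyphens or letter case, and a naive string comparison would silently miss devices.

```python
import re
from dataclasses import dataclass

# Constructed sample lease data (not a real capture): three devices seen by DHCP,
# deliberately using inconsistent MAC formatting.
SAMPLE_LEASES = """\
lease 10.20.1.15 { hardware ethernet AA:BB:CC:11:22:33; client-hostname "cam-lobby-01"; }
lease 10.20.1.16 { hardware ethernet aa-bb-cc-44-55-66; client-hostname "ups-ward3"; }
lease 10.20.1.17 { hardware ethernet AA:BB:CC:77:88:99; client-hostname "ws-finance-07"; }
"""

# Constructed inventory of devices the IT department has registered,
# keyed by normalised MAC (lower-case hex, no separators).
REGISTERED = {
    "aabbcc778899": {"owner": "finance", "type": "workstation"},
}

# One lease record: IP, MAC and the hostname the client announced.
LEASE_RE = re.compile(
    r'lease\s+(\S+)\s+\{.*?hardware ethernet\s+([0-9A-Fa-f:\-]+);'
    r'.*?client-hostname\s+"([^"]*)"'
)


@dataclass(frozen=True)
class Device:
    ip: str
    mac: str        # normalised form
    hostname: str


def normalize_mac(mac: str) -> str:
    """Reduce any common MAC spelling to lower-case hex with no separators."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_leases(text: str) -> list[Device]:
    """Extract Device records from lease text; lines that don't match are ignored."""
    devices = []
    for match in LEASE_RE.finditer(text):
        ip, raw_mac, hostname = match.groups()
        devices.append(Device(ip=ip, mac=normalize_mac(raw_mac), hostname=hostname))
    return devices


def find_unregistered(devices: list[Device], registered: dict) -> list[Device]:
    """Return the devices whose MAC has no entry in the registered inventory."""
    return [d for d in devices if d.mac not in registered]


def report(text: str = SAMPLE_LEASES, registered: dict = REGISTERED) -> list[str]:
    """Human-readable lines for each unregistered device, for an audit report."""
    lines = []
    for d in find_unregistered(parse_leases(text), registered):
        lines.append(f"UNREGISTERED {d.ip} {d.mac} hostname={d.hostname!r}")
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

In the constructed data the camera and the UPS are flagged and the finance workstation is not; the hyphenated, lower-case MAC of the UPS still matches the inventory format only because of the normalisation step. In practice the lease file would be replaced by whatever source of truth the organisation has for live devices (DHCP, switch MAC tables, NAC logs), and the inventory by its asset register.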
It is good practice for organisations to develop and publish a coordinated vulnerability disclosure (CVD) process. A CVD process covers gathering information from whoever has found and legally reported a device or service vulnerability, managing the distribution of that information to stakeholders, and disclosing the existence of the vulnerability and its solutions to the stakeholders, often including the public.
It is generally expected that the reporting party will not publicly share any knowledge of the vulnerability until the process has been followed and ideally a solution or mitigation has been found.