We all have so many devices and so many technology toys, and we are loving the ability to link our lives to the cloud, says Mark McCallum, Orange Business Services, head of Global Services Africa.

We’re learning more about ourselves too, as wearable devices become more accessible and more useful – we collect, store and analyse data about our every activity, from our resting heart rate first thing in the morning, to our activity at work, and then to our training and fitness – not to mention our social life via Twitter and Facebook.

That’s a lot of information – very personal information, all collected and stored via what has become known as the internet of things. IDC estimates that the installed base of connected devices will reach 212 billion by the end of 2020, and will include all manner of solutions from public transit and private cars, homes and security, appliances and most other machines that form a part of everyday life.

That saturation level is several years away – possibly even further in developing countries such as those on the African continent – but the pace of connection to the internet of things via the rapid proliferation of smart phones means that even less advanced societies are vulnerable to security threats.

Hewlett-Packard’s Fortify division recently tested a selection of internet of things solutions from a variety of categories, including everyday items such as TVs, webcams, thermostats, power outlets, door locks and control hubs. Each solution tested communicated with some type of cloud service, as well as mobile applications – so while the type of device may not be that common in developing markets, the underlying activity of connecting to the cloud via a mobile application is common to anyone who owns a smart phone, and who uses it to make purchases or store data.

The tests identified 250 vulnerabilities in those devices, including the fact that 90 percent of devices collected personal information, and 60 percent had insecure user interfaces. Seventy-six percent of devices used unencrypted network services, leaving devices vulnerable to man-in-the-middle attacks, while 80 percent failed to use strong passwords.

Criminals can use vulnerabilities such as weak passwords, insecure password recovery mechanisms and poorly protected credentials, among other weaknesses, to gain access to a device, the researchers noted. This is not simply theory – in a recent experiment conducted in Holland, a so-called ethical hacker gained access to every device (which would include mobile phones and fitness trackers) in a coffee shop. In just 20 minutes, he knew where everyone in the coffee shop was born, what school they attended, and what their last five Google queries were. That sounds innocuous enough – but given another five minutes and enough malicious intent, he would have had access to all the patrons’ bank accounts too.

It’s not just phones and fitness trackers that can be hacked – even your office coffee machine could be an access point for malicious hackers, if Daniel Buentello is to be believed in his presentation “Weaponizing your coffee pot”, based on his experience of hacking into a wi-fi enabled light-switch. If that sounds far-fetched, ponder for a moment that the notorious Target hackers in the United States in 2013 accessed the retail giant’s records via its HVAC company…

Apart from the obvious implications of company data protection like keeping competitive data secret from the marketplace, companies operating in South Africa have an added incentive as they will soon be compelled to comply with the Protection of Personal Information Act, expected to be promulgated during 2015. Companies will be held responsible by law if their data is breached, with repercussions being as onerous as having to contact the owner of every record compromised, with sanctions as severe as R10 million fines being imposed.

What should companies and individuals do to protect themselves from the seemingly endless vulnerabilities to which they are exposed by engaging with the Internet of Things?

One step may be to accept that risk exists, and implement systems for reporting and patching against vulnerabilities as they are found. The HP Fortify team suggests that vendors should test their existing solutions against the Open Web Application Security Project list of the top 10 security problems that connected devices currently face.

There are implications for end users too – if you have devices that are connected to the cloud, you need to take strong measures to protect your network and use whatever security protection exists on each device to its fullest potential. Start with the basics and avoid obvious passwords that include consecutive numbers, and opt for combinations of upper and lower case letters, numbers and punctuation marks – and have different passwords for all your online or application-based accounts.

While having a hacker hack into your phone might seem like a personal affront and an invasion of privacy, the United States government has highlighted that cyber threats include vehicles, industrial components and home appliances that generate information and link to the internet, noting that security and safety assurance are not guaranteed. Cybercrime via the internet of things is about so much more than raiding bank accounts; it’s about gaining criminal value by manipulating data and information.

Are you and your organisation protected?