Artificial Intelligence (AI) and the Internet of Things (IoT) are set to revolutionise the way we live, work and play. Everyday items in the home will be connected in unprecedented ways and tasks traditionally carried out by humans will be replaced by automation and robotics. This promises to make the planet more sustainable, and the increasing population more manageable. The reality is that this ideal is being threatened every day.
Over the past five years, there’s been an exponential rise in data breaches and cyberattacks that costs upwards of £11 billion annually. The UK government released a report that confirmed nearly half of British firms have been impacted by a cyberattack in the past year and any organisation that holds consumer personal data is at an even greater risk. Despite increased investment in cybersecurity measures, the advent of IoT and AI introduces a new set of vulnerabilities, says Asaf Ashkenazi, VP, IoT Security Products at Rambus.
In recent months, malware such as Mirai, Brickerbot, and Hajime have emerged, targeting personal information on unsecured IoT devices and exploiting them for fraudulent transactions or identify theft. Smart home devices, new healthcare technology, and driverless cars are just some of the latest innovations being impacted by such vulnerabilities.
Recently a weakness was found in LG’s SmartThinQ, a home network solution that enables users to control home appliances with smartphones or voice-activated devices such as Amazon Alexa and Google Home. If exposed, an attacker could take over the account of a legitimate user, gaining access and control of their home appliances. SmartThinQ has been built into multiple LG appliances and products. This significantly raises the security stakes in the home as devices with remote-monitor cameras, for example, could be used for surveillance in the home or workplace.
Similarly, Abbott’s pacemakers were recalled recently by the American FDA, as a vulnerability was detected in the software. If exposed, attackers could drain a pacemaker’s battery life, change settings and even alter the rhythm of the device. Over 400,000 users were urged to go to the hospital to receive the software update as a result.
These examples illustrate the tangible risks associated with releasing unsecured IoT services and devices. As digital innovation rapidly evolves, devices are becoming potential targets for cyber criminals with malicious intent. Service providers and OEMs must take this security seriously, however this goes hand-in-hand with the evolution of existing security solutions. Solutions must place an emphasis on minimal cost and time-to market impact, to ensure wide industry adoption.
With IoT spending set to hit $840million (€712.92 million) by 2020, it’s easy for organisations to be overwhelmed by where to start. The most effective IoT security strategy is one that does not negatively impact profitability or a device’s release time. Before deciding on an IoT security solution for any business, it’s important to understand the core elements that make up a quality service.
The following three features are an ideal place to start:
Protect services, endpoints and information using cryptography, and standardise security protocols and best practices. Strong device authentication to ensure only authorised and approved devices can access services; robust service authentication, to ensure endpoints can only be accessed by a legitimate service; data encryption to protect users’ privacy; and disablement of unnecessary remote communication protocols, are just few examples.
No solution is 100% secure. When it comes to IoT, endpoints often have limited memory, CPU power and battery which can result in limited security. Real-time detection of infected devices allows companies to react quickly to an attack, thereby limiting the number of compromised devices. Early detection can be implemented by analysing anomalous device behavior. IoT endpoints behavior tends to be relatively predictable, which makes them ideal for detecting attacks through behavioral analyses. Sophisticated machine learning techniques can be leveraged to reduce false positives and automate the different devices behavioral learning process.
Many IoT devices are expected to be in service for many years. Moreover, they might be deployed in places with limited physical access, or operated by users with limited technical expertise. In the unfortunate event of an attack or the discovery of a new system vulnerability, the ability to quickly, efficiently and automatically patch devices is crucial to limit device abuse or service disruption. Over the air (OTA) updatability, where device credentials and security updates are pushed to the device automatically via the internet, is the fastest and most efficient way to provide in-field recoverability.
With half of the world’s population now online, the threat landscape will continue to evolve as more devices become connected. Security needs to be built into the fabric of every service provider and OEM’s design process to ensure products come to market with consumer safety in mind. This shift cannot come from individual businesses, the industry needs to collectively champion IoT security.
The author of this blog is Asaf Ashkenazi, VP, IoT Security Products at Rambus