The office kettle and your security estate

The adoption and proliferation of the Internet of Things (IoT) is unstoppable. We have had massive DDoS attacks orchestrated using IoT; IP-enabled CCTV devices have been compromised and marshalled into a bot army of significant breadth and size; and the implications of poor or shared cryptography in these IoT devices are well documented and a fantastic risk to any user or owner of them. Even so, the devices are still being adopted.

At Def Con 24 last year, Pen Test Partners showed how easy it was to hack a Smart Meter and make it run arbitrary code. The example showed that functionality is taking priority over the cryptography necessary to defend these machines and, inherently, to defend us all.

So, let’s now look into the near future! A world where the IoT and its devices are very visible, in every household and every workplace. The refrigerator door flashes advertisements across its embedded LED screen that change every hour based upon the foods that we use or stock it with.

The toaster detects which type of bread is within it by talking back to a database at the vendor’s offices, and is then guided on how long to cook it for. Our Smart Meter knows automatically when we have started our journey home, based upon recognition of the pattern in the GPS monitoring of our mobile phone.

A Federal Trade Commission report recently found that fewer than 10,000 households can generate a huge 150 million discrete data points every day.

IoT in the workplace

Now let’s think about the office, the work environment and how that will change. Do we allow the refrigerator at the refreshment station access to the internet to be able to provide those advertisements? Do we allow the toaster that will never burn our bread products to access the database that means perfect toast every time?

Bear in mind that if these devices are going to be supplied without the correct levels of security and protection, we could be presenting a very large exposure to our security estate if we don’t cater for it.

There has been a very interesting launch at CES 2017 in Las Vegas. Symantec, Bitdefender and Intel have all launched home-use routers that take the risk out of IoT devices. These devices work on a real plug-and-play basis and protect the home user from the potential failures of a vendor’s device security.

The way forward for the enterprise, though, is already clear. Next Generation Unified Threat Management devices and Next Generation Firewalls are capable of deep packet inspection, along with rules and policies that can massively limit the exposure caused by these devices.

Now is the time for enterprises to evaluate their security estate and then ask themselves “what else do I need to include within the scope of my security estate?”

Let’s not forget about the office kettle…

Jeff Finch

Jeff Finch is a Certified Information Systems Security Professional (CISSP) and Product Manager for Exponential-e’s Cyber Security portfolio. With expertise that covers Telco and Managed Service Providers, he is highly skilled in a wide range of technologies and GRC.