The rise of IoT comes with the increase in ubiquitous data connections, efficient power sources and the growing importance of data gathering in the business and enterprise setting. According to Statista, we will have at least 50 billion connected devices by 2020. IoT is not limited to consumer-grade devices like connected refrigerators and home air conditioning systems, or enterprise-oriented applications, such as inventory tracking. Even governments and nonprofits are already reaping the benefits of connected devices, such as one of Accenture’s implementation of forestry and agriculture tracking mechanisms in the Asia Pacific.
For security firm Incapsula, however, such an opportunity also poses a big threat, especially when these devices can easily be converted into botnets that facilitate HTTP and DDoS attacks.
In late 2015, for example, the company discovered how hundreds of closed-circuit television (CCTV) cameras were used to conduct an HTTP attack on a commercial cloud provider, which peaked at 20,000 requests per second. The attack was found to have originated from a botnet involving 900 CCTV cameras, all of which still had the default username and password configuration.
Imagine how such an attack could scale, especially with the estimated 245 million professionally-installed CCTV cameras around the world to date. This does not even include cameras installed by lesser-qualified personnel, which can further undermine the security of their deployment.
The risks are not limited to cameras. Gartner estimates that around 6.4 billion connected devices exist today, which include both consumer and enterprise deployments. With the risk of traffic-based attacks like HTTP flooding and distributed denial-of-service, this means that everyone should be concerned about the rise of IoT. Businesses that run digital infrastructure or services will need to beef up their capability to defend against such threats. Those that utilize connected devices like cameras, sensors, inventory tracking tags and the like, will need to implement safety measures that will prevent unauthorized access.
Taking a proactive stance against IoT dangers
The open web application security project (OWASP) provides 16 key principles of IoT security, which mostly involve limiting the capability and administrative access on connected devices, as well as ensuring that the infrastructure can scale (lest you become a victim of DDoS on your own mesh network). In addition, the OWASP warns that most attacks are likely to come from automated and autonomous sources, which make it even more challenging to track and defend against such bots.
In the case of businesses that own infrastructure, such as the above-cited CCTV cameras, it’s a matter of being prudent and smart when it comes to setting these up. “Anti-virus and security software are important considerations, but many businesses often neglect even simple things like using strong passwords,” Bobby Jimenez, Cloud and Enterprise solutions expert and CTO of a global clean energy company, shares with Techseen.
“For example, a lot of CCTV systems run on embedded systems with the same capabilities of computers that we use. If you’re conscious about security software on your personal machine then you should employ the same safety measures on your connected devices as you would on your desktop or laptop,” he adds.
The prospect of having devices connect and talk with each other might be exciting. For businesses, this can bring added visibility in terms of keeping track of inventory, materials and even personnel. For individuals, it can make life more convenient, through self-driving cars, self-regulating air conditioning systems, and self-ordering pantries and refrigerators. But consider that the Internet also plays host to malicious individuals and groups bent on stealing data or making profit out of your IT department’s headaches. This means everyone should be responsible with securing their own infrastructure, applications and devices.