The Security Risks of Advanced IoT Devices and Powerful Mitigation Strategies

Written By Stephen Wu
gadget-google-assistant-google-home-1072851.jpg

The evolution of Industry 4.0 will bring with it an explosion of interconnected IoT devices, each of which will bring with them distinct risk profiles and obvious advantages. It’s of immense importance to develop risk management strategies to protect the security of your devices, no matter their complexity.

Advanced IoT Devices

Let’s start with the bad news. IoT devices create a number of security threats. Consider the following threats, which would be shared by any computing system:

  • Access to the device by unauthorized personnel

  • Weak authentication mechanisms (such as passwords)

  • Lack of training leading to misuse or personal data leakage

  • Weak physical protections allowing unauthorized personnel to access it, tamper with it, steal personal data from it, and/or inject malware into it

  • Weak transmission security, allowing attackers to intercept personal data

  • Malware compromising its functionality and/or compromising personal data

  • Network intrusion for purposes of stealing personal data and/or disrupting functionality

The good news, however, is that the expense of advanced robots and other sophisticated devices means that businesses will see a business case in spending time, attention, and resources protecting such devices with administrative, physical, and technical safeguards to address these threats. For instance, the expense of such devices makes it worth constantly updating device software and firmware during their lifecycle. Moreover, onboard processing resources coupled with external resources can facilitate diagnostic checks, security features, and alerts in the event of anomalous behavior.

 Managing Threats to Unsophisticated IoT Devices

By contrast, consider cheap, almost disposable sensors and other IoT devices. The security challenges with these devices are more acute because it may not be worth the expense to monitor, maintain, and upgrade these devices. Consider the following threats to inexpensive IoT devices:

  • They may have less processing, power, storage, and other resources to allow for diagnostic checks, security features, and alerting functions.

  • It may be difficult, if not impossible, to update the software or firmware on the device with security patches.

  • Cheap devices may not encrypt communications.

  • Manufacturers may not have used secure software development practices.

Controls to Mitigate Risk

For such devices, it may be that a number of controls may mitigate risk. Examples include:

  • Embedding cryptographic key pairs into devices to facilitate encrypted communications with other computers;

  • Using processors that save power, thereby increasing the ability of the device to conduct other security-related operations;

  • Using secure software development to minimize vulnerabilities and focusing on top known code vulnerabilities;

  • Enforcing (and notifying consumers of) expiration dates to make sure that devices that cannot be patched are taken out of service after a certain point in time;

  • For devices that can be updated, making software patch updates transparent to users to prevent users from obstructing the patching process.

clint-patterson-dYEuFB8KQJk-unsplash.jpg

IoT Device Vulnerabilities

Overall, because IoT devices are and will continue to be the lifeblood of the next evolution of the industry, they will be a hacker’s goldmine. Whether these devices are extremely complex autonomous vehicles or more benign smart security cameras, strategies will need to be put into place to address the following high-level potential pitfalls:

  • Default passwords that attackers may be able to discover, in situations where operators may not change default passwords;

  • Hard-coded passwords vulnerable to discovery by attackers;

  • Cryptographic keys stored in plaintext;

  • Lack of enforcement of authentication protocols;

  • Exploitable software vulnerabilities.

For instance, security researcher Billy Rios found these issues with the Hospira network-connected infusion pump. An attacker compromising a device like an infusion pump could cut off medication flowing into a patient or cause the pump to multiply the dosage to patients. In either case, tampering could cause injury or death to patients. The above vulnerabilities violate basic security design principles and just applying basic principles can prevent these vulnerabilities.

Big Data and artificial intelligence systems for data analysis frequently run on enterprise software or, with increasing frequency, as software as a service (SaaS) applications. SaaS applications create a risk to businesses because they run on the vendor’s servers and are beyond the business’s direct control. Moreover, vendors commonly use cloud service providers to host the servers delivering the application such as Amazon Web Services, Microsoft Azure, or Google Cloud. Cloud service provider subcontractors further weaken control.

Mitigating risk requires due diligence on the vendor and any cloud service provider supporting the vendor’s services. Customers are frequently demanding to view security audit reports and certifications of vendors and the cloud service providers as a part of due diligence and on an ongoing basis during the performance of a service agreement. They may impose a series of requirements by security exhibits in service agreements. Where the SaaS services store personal data, customers also include privacy requirements in a privacy exhibit.

Blockchains face vulnerabilities that all cryptographic systems share, as well as vulnerabilities stemming from system architecture. A thorough discussion of blockchain vulnerabilities would be highly technical and beyond the scope of this article, but a few examples may suffice:

  • Exploiting weakness in encryption algorithms and hash functions;

  • Denial-of-service attacks;

  • Manipulation of control in the system to create false transactions;

  • Social engineering and man-in-the-middle attacks to compromise account information for wallets that can be exploited to drain wallets of value;

  • Crypto-jacking malware that causes infected machines to mine Bitcoin and other cryptocurrencies;

  • Brute-force attacks against cryptographic keys;

Risk Mitigation Techniques

Risk mitigation techniques to ensure system integrity and protect the systems of blockchain participants will require some combination of administrative, physical, and technical safeguards. Some blockchain system architectures may face inherent security vulnerabilities and the best way to avoid risk in the short run is to use a different system that does not share these vulnerabilities. Users should protect their account credentials (e.g., passwords) and educate themselves about phishing and other schemes seeking to fool them into disclosing their account credentials. Malware detection software can now detect crypto-jacking malware and businesses should scan their systems for this and other kinds of malware. 

Advanced Technologies, Advanced Effects, Advanced Legal and Security Risks

Artificial intelligence, robotics, Internet of Things (IoT), Big Data, and blockchain systems pose significant legal challenges. Their use may threaten the privacy and security of personal data. Businesses manufacturing, selling, purchasing, and operating these advanced technology systems may collect vast volumes of data of different varieties at increasingly greater velocities, while at the same time making data subject to bias, mistakes, and corruption. Increasing the correlation of personal data among disparate data sets increased surveillance capabilities, and new ways of directing marketing messages to individuals intrude on privacy, while at the same time individuals’ control over personal data is eroding. Internet of Things devices, including robots, may contain software vulnerabilities and their configuration may open them to hacking attacks. At the same time, cheaper IoT devices may not use safeguards such as encryption and may be impossible to update with software or firmware patches.

Nonetheless, businesses can mitigate privacy risks by enhancing their privacy practices and controls. Examples include enhanced transparent notices specific to context and location, de-identification of data and data minimization to minimize volumes of personal data at risk, enhancing opt-out mechanisms, offering procedures for humans to check the results of explainable automated data processing, using technical and interface methods to make data collection practices more transparent, and offering enhanced privacy controls. Businesses can secure devices and systems using these advanced technologies by implementing and maintaining administrative, physical, and technical security controls. Blockchain systems raise specific privacy issues by making erasure personal data in blockchain ledgers difficult, if not impossible, while their architectures open them up to attacks.

Advanced technologies are coming. They will have profound effects on society, both positive and negative. As a result, they will generate momentous legal issues, including in the areas of privacy and security. It will be up to lawyers to lead the way to use some of the safeguards discussed in this article to make sure clients’ interests are protected, privacy and security are maintained, and businesses deploy advanced technologies in a safe, ethical, and compliant fashion.

Stephen Wu
Previous

Why Worry About Data Security?
Next

Six-Step Process of Implementing an Effective Security and Privacy Program