Let’s not believe that sky is blue everywhere. Enter the word smart written on every electronic appliance you see. Question Is, are all of these really getting smarter if so in what sense or is it a business gimmick to make a quick buck telling you it is secure? This article is written based on the insights given by Abhinav Biswas, Tech Evangelist, National Cyber Defence Research.
Well played business strategy
To get to an answer to these questions one must know what an Internet of Things (IoT) device really is. An IoT device by standards has three main aspects. One, sensors collecting data; two, a computing device or a board that connections machine to the cloud and three the cloud database itself. one of them is missing, they are of the guest list of being called smart in a nutshell. In short, if your smartwatch rings up your doctor in case of a medical emergency in an automated manner, you are owning the right IoT device.
Now, with respect to secure IoT devices (be it commercial or industrial), all sensor data is getting aggregated and collected from end-user level. The aggregated data is then sent to the cloud to the cloud for analysis via the internet. Furthermore, they are sent to other machines to as a feedback process and they notify the end user which accounts for usual business.
The unusual business
“Everyone is familiar with the DEFCON carjacking (of hacking into a car remotely) a couple of years ago. The vehicle was literally hacked and it was remotely controlled, destined for a crash. If that was not intimidating, it was quite surprising that hackers found a vulnerable SSL certificate that failed to validate with the servers of the company. The vehicle simply processed the request coming from this Man in the Middle (MITM) form of attack, just like getting instruction from a genuine company server”, says Abhinav.
This one is not unusual but if you get a call from your nearby furniture shop telling you about a good sofa with a really good discount, don’t be surprised. This would have happened when you had shopped something online (or using the app) and there are chances that they may have affiliate scheme to acquire new customer without you having knowledge all this information including phone number getting transferred to them. This may look negligible, but who else can make use of this data is not known.
In future, at the device level of IoT, there could be a bad sensor data that may go to a doctor because of a digital attack or configuration problem. Now, this digital threat transforms into a physical threat. Though this style of attack has been demonstrated, medical and healthcare sectors are still maturing to such level of advancement. Until then this could be seen with the eyes of speculation but with a pinch of salt.
Latest security threats
Mining for cryptocurrency is one of the latest in security threats. If you can see your mobile phone or computer taking up so many unknown processes that you didn’t authorize, this could be one of them. “Cryptocurrency can be mined on any device. Mining is not anonymous. There are cryptocurrencies of good value in the black market that are anonymous and miners here are constantly trying to isolate and monitor TV and mobile phone. They specifically look for devices that have processors and are constantly connected to the internet. This could include your smart TV’s of refrigerator mining for cryptocurrencies without you knowing”, says Abhinav. Monitoring home data and checking spikes in data could be used as a clue to this.
Are Isolated computers safe?
Commonly termed as airgap computers, these are isolated from the internet and from other local networks. It does feel secure from various point of view. Evidence show otherwise.
Taking the example of Stuxnet, a SCADA targeting worm with a programmable rootkit. This worm has its saga of attacks to its tag but it successfully penetrated and infected isolated network creating copies of it.
Some evasion techniques
“First step to being secure is being aware. Users must understand that their data resides in the hard drives of cloud servers and it has the potential to be shared with anyone as a digital copy. If you install an application on a cell phone, they give you the permission if you give permission it could be open to being accessed by the company”, says Abhinav.
At Business level, there is a need to know where the devices reside are and what they are doing without a second thought. If something goes wrong in a connected system, it could affect business.
For more such interesting stories, read more.
To know more, attend Abhinav Biswas’s talk on “DEMYSTIFYING THE DARK-SIDE OF IoT – A JOURNEY THROUGH SECURITY & PRIVACY CHALLENGES” at EFY Conferences 2018