This guest post, a “reprint” of a Security Briefing from an HP researcher, looks at the Internet of Things and how the advent of millions of connected devices affects network security from a practical standpoint.
The release this week of long-awaited analyses from two U.S. and U.K. regulatory bodies puts the Internet of Things (IoT) in the spotlight — ironic, really, for a technological revolution that aims to be essentially invisible. But with astronomical growth comes attention, and hard questions about the security landscape of the new hyper-connected, always-on realm.
Security concerns with the Internet of Things start with the amount and types of data it gathers. The key to IoT effectiveness is the collection of accurate data. However, the quantity of data that will be collected is unprecedented. How that data will be gathered and managed leads to difficult questions for the security of the IoT.
Closely related to the collection of data, threats to privacy are one of the more obvious concerns for the Internet of Things. People legitimately fear they could be more easily tracked and profiled using data that is gathered about them without their consent or even their awareness. As consumer concern rises, legislative and regulatory interest grows.
The Briefing also looks at the variety of devices and manufacturing composing the IoT. While some standards exist, it would be naive to suggest that every solution provider, or even a majority of them, will be certified as standards-compliant during the rush to bring products to market. With this level of fragmentation across the industry, addressing security concerns is likely to require individual solutions for each type and family of device – an extremely complex situation.
Under these circumstances, attacks could involve various layers of the device infrastructure. They could include applications running on smartphones or tablets, cloud services – including firmware and network service stacks on Wi-Fi modules – as well as the firmware, as well as application-layer attacks on the host processor. Various avenues of propagation could also be used, including compromising update files or exploiting network and host processor communication layer vulnerabilities, as well as possible vulnerabilities in cloud service infrastructures and smart device applications.
In short, there are still a number of unknowns when it comes to the security of the IoT in practice. The Briefing, a companion to previous and future HPSR research, looks at specific security issues with the Internet of Things, provides an overview of the variety of risks associated with connected devices, looks at the attack vectors most likely to succeed, and lists the most interesting players currently in the IoT space. It also outlines how what we already know about information security does – and does not – prepare us for a world in which machine-to-machine communications may soon outpace those between humans.
Download the HP report about IoT security implications.