IoT: The Internet of Threat

The Internet of Things (IOT) sector has seen explosive growth over the last 10 years.  The Internet of Things was roughly ‘born’ in 2008/2009, and first added to the Gartner “hype cycle” in 2011.  In this time we have seen not only an exponential growth in the number and types of connected devices with over 8 billion connected devices, but also a rise in the risk this presents to organizations and their user’s privacy and security.

IOT Device Applications

The evolution of IOT devices began with most devices running only their base firmware.  For example, a connected thermostat would only perform thermostat functions running code written by the manufacturer.  This tightly controlled process left the security posture of the device in the hands of the manufacturer.  It is well known that the IOT market needed to mature from a security perspective.  We all remember reports of hacked IOT cameras or botnets created from DVD players for DDoS attacks against Twitter, Netflix and the New York Times.  Much of this was due to lack of basic security best practices such as unchanged default passwords or insecure connections.

As the market matures and adopts secure practices we will see the nature of the risk shift.  Third-party applications are rapidly moving into the IOT segment.  You can install applications on your television, or refridgerator. This shifts the nature of the risk from a controlled manufacturer’s code-base to the open application ecosystem.  The ability for an attacker to access a device on your internal network is no longer a pure function of an IOT manufacturers security practices, but also those of the third-party application that may be running on that device.  Imagine unsuspectingly loading malware onto your camera enabled interactive television that could record and transmit without your knowledge; or connected fridges running a malicious messaging app that turn them into a botnet (or cryptocurrency miner).

Risk

Much like how mobility has eclipsed PC usage and changed the nature of how risk and application security are perceived, we can expect IOT device proliferation to soar.  There are predicted to be 75 billion IOT devices deployed by 2025, truly embracing the sister term ‘Internet of Everything’.  This is an incredible number of endpoints and applications for hackers to attack.  From attacking both the device itself, as well as the devices (smartphones and tablets) that are used to remotely control IOT devices, hackers will have many avenues to infiltrate networks.  This is a risk not only to individuals, but businesses and governments as well.

IOT vendors will need to ensure their platforms are secured to mitigate the risk of third-party applications.  Additionally, the new and emerging  IOT application marketplaces will require the ability to properly vet third-party applications for privacy and security risk before offering to their customers.