IoT Security and the law of unintended consequences

Created: 12 Feb 2014 • Updated: 12 Feb 2014
D Thomson
It’s still early days for the Internet of Things (IoT). While some are suggesting a complete revolution in 'smart' physical objects which will change our lives, I don’t think anyone will notice that much of a difference in the short term. Even so, over the next couple of years we will see all kinds of new devices connect to the internet, from plug sockets to plant pot monitors.

Each becomes not just a data source but also, potentially, a controllable device - and as such has a potential security impact. For a start, smart devices inevitably create data, which may need to be protected depending on the risks that surround it. Risk factors may not always be obvious - for example, burglars might be able to hack into a lighting control system to determine if a building is empty, before breaking and entering.

Speaking of which, smart devices are, in fact, tiny computers which can be hacked, corrupted or otherwise abused. We’ve already seen examples of appliances containing ‘rogue components’ such as Wi-Fi-enabled microphones - though it is unlikely they would find their way into the local Argos!

In the corporate context, a more realistic scenario is denial of service - for example, rendering a remote monitoring or control system inoperable. Evidence suggests that Stuxnet was designed for exactly this purpose, that is, to attack SCADA-based industrial control systems. Just last month, a major security flaw was reported in SCADA, which is still to be resolved.

Once breached, smart devices can also be used as springboards to access other systems. For example, a poorly secured device could be logged into and used as a ‘base’ on the internal network, from which to connect to other internal systems; a compromised device could equally be used as part of a botnet, by running a malicious program or replacing the firmware.

A final thought concerns the human security impact, through accidental or deliberate use of smart devices. For example, an over-zealous manager might connect a cheap surveillance monitor to an employee’s vehicle without them knowing, or a person may be linked to an event simply through proximity, reported by a location sensor. I have no doubt that the ‘law of unintended consequences’ will apply to the Internet of Things as much as, if not more than, previous technology waves. 

So, should we just switch everything off? Even if this were a good idea, it will be nigh impossible to prevent our increasing use of increasingly smart devices, so the most important thing is to keep an open mind about both the potential and the risks of IoT. Like it or not, the world is going to become smarter, so this is no time to rely on either blissful ignorance or security by obscurity.