Since IoT’s inception in 1999 (the term “Internet of Things” was coined by Kevin Ashton that year during his work at Procter & Gamble), connected devices have taken over nearly every industry, from retail and automotive to healthcare. While end users have seen many benefits, they have also been targets of cyber attacks from hackers due to the vast amount of data being shared quickly. Why is this proving so easy for hackers, and what can be done?
To gain an insight, Digital Journal spoke with Brad Ree, chief technology officer of ioXt. Ree leads ioXt’s security products supporting the ioXt Alliance.
Digital Journal: Where are most cyber-threats coming from?
Brad Ree: There are four sources that most attacks come from – the first being researchers. Researchers are focused on growing their resume and business by publishing information about attacks, rather than implementing the attack and directly causing damage. Another source is cyber-vandals, who are more focused on the challenge of completing a hack. Their attacks tend to be minor and include website defacement or the destruction of products and services, and typically aren’t financially motivated. Those that are looking for a financial gain are cyber criminals, which is an additional source of attacks. This group uses hacked devices on their targets, or sells access to hacked devices to other criminals. The last source of cyber-threats is nation states, who use cyberattacks to take non-military action against a nation’s corporation or infrastructure.
DJ: How have hacks changed in the past decade?
Ree: Over the last decade, the attack surface has greatly changed as the number of connected devices increased in tandem. There are now more devices connected to the internet, which also means there are more hackers attempting to gain access to these devices globally. Nowadays, many attacks don’t require the same level of sophistication as they used to and instead are based on script kiddies that simply run a set of programs from hacker toolboxes. Furthermore, legacy systems are being connected through gateway devices, leaving the traditional air gap in operational and corporate networks collapsed.
DJ: Have hacks become more sophisticated?
Ree: Most hacks used to be based on simple mistakes or incorrect assumptions. But over time, many attacks are now based on the combination of multiple defects in one device or across multiple devices.
DJ: Which sectors are most vulnerable to hacks?
Ree: One sector of concern is around low-cost IP cameras since these devices have unreliable security and have the capability to do malicious acts on the internet. Another area of concern is the legacy industrial systems because they often have poor security, lack patches, and are connected to critical systems.
DJ: What has the IT sector learned over the past decade in terms of responding to hacks?
Ree: The IT sector has learned to provide a separation between networks to increase security and decrease the impact of compromised devices, and, for the most part, it’s done a good job at this so far. In addition, silicon providers are offering better reference libraries to build security in from the onset of manufacturing.
DJ: What can the IT sector do better?
Ree: Manufacturers and network/ecosystem operators should collaborate to create a set of baseline requirements that all devices will need to meet before entering the market, and this is something the ioXt Alliance, along with other organizations, is working towards. It’s important for the IT sector to understand that the transparency of device security is critical and responses to known vulnerabilities should be quick and automated, and expecting the end consumer to address core security issues in home networks is not reasonable.
