Where Next on Internet of Things (IoT) Security?

The 2016 edition of the Consumer Electronics Show (CES) just wrapped up as the North American International Auto Show sprang into full swing. So what do they tell us about the state of cybersecurity for the exploding Internet of Things (IoT) market?

January 17, 2016

The world’s attention is centered in the USA at the beginning of every January for the Consumer Electronics Show (CES) in Las Vegas and the North American Auto Show in Detroit.

No doubt, there are many topics that these two events have in common, but none, perhaps, as unsettled as the questions swirling around cybersecurity and the growing number of connected things.

Here’s a quick snapshot of what I found most intriguing from the global media from the events:

1) CSO Australia: Hyperconnected CES gadgets highlight growing Internet of Things security threat

CES was filled with smart-home devices such as the LG Signature Refrigerator and Samsung Family Hub Refrigerator, with smart control systems from the likes of Tado. Even paintball masks were getting connected.

LG's tablet-connected Hom-Bot Turbo+ robot vacuum can stream live video to a smartphone or tablet, and doubles as a security camera; Sony's Multifunctional Light integrates motion, temperature and humidity sensors as well as speakers, a microphone and connectivity to other devices. ...

The security of connected TVs has become a particular concern, with recent reports that Android-based TVs suffer from an old vulnerability — and can be forced to run malicious code — reinforcing functionality-based privacy concerns raised a year ago.

2) Fortune.com: The 6 Things CES Taught Us About the Internet of Things

The Internet of things is about services not devices: This year, there was a subtle shift from building the device to designing services. A number of larger companies showed off connected products including Procter & Gamble with its Internet-connected air freshener that ties in to a connected Nest Thermostat to spray air freshener at the optimal time to take advantage of your AC fans blowing air around your home. Whirlpool’s new connected kitchen suite includes an oven, fridge, and a washer and dryer that is working with both the Nest and IBM’s Watson to share information. Whirlpool also talked about partnering with Amazon on its Dash button to let customers automatically reorder laundry detergent from a connected washer when the washer estimates the laundry pods will have run out. Lowe’s, the hardware retailer, has taken its Iris DIY smart home hub and devices and connected them to a 24/7 monitored home security system that it sells. Under Armour, Medtronic and SoftBank are also working with IBM to integrate services from Watson as well.

3) TheVerge.com: The U.S. government just announced a 'historic' safety pact with automakers

(Important Note: Notice the picture backdrop for this announcement, along with the new focus on cybersecurity and hacking cars with an expanding auto ISAC.)

Today's announcement also incorporates a renewed emphasis on cybersecurity, which is becoming a hot topic for the industry as more and more new cars rolling off assembly lines are "connected" in one way or another — particularly considering that real-world exploits have already been demonstrated. The auto business already has a consortium known as the Information Sharing and Analysis Center (Auto ISAC), but now, the National Highway Traffic Safety Administration (NHTSA) and DOT say they want to "support and evolve" Auto ISAC, in part by adding additional members like suppliers. Automakers outsource many of their components — particularly connected car components — to outside suppliers, so the move would seem to make sense.

What about Smart Cities?

I covered the important topic of smart cities extensively in 2015, and in 2016, smart cities will get even more attention.

One important development at CES was the announcement of new smart cities initiatives, like this one announced by AT&T.

AT&T has formed an alliance with Cisco, Deloitte, Ericsson, GE, IBM, Intel and Qualcomm and plans to bring its smart cities framework to Atlanta, Chicago, Dallas and the Georgia Institute of Technology.

“We’ve built strong relationships with cities across the US for over 100 years,” said Mike Zeto, GM Smart Cities, AT&T IoT Solutions, in a press release. “We’re continuing to be a leader in smart cities innovation. Our holistic strategy can help cities save money, conserve energy, improve quality of life and further engage with their citizens.”

In fact, some people think that broad adoption of smart cities is coming before smart homes. A major focus was on integrating diverse technologies into single solutions.

Not to be outdone by AT&T, Panasonic adopted Denver for a series of smart cities projects:

Denver and Panasonic Enterprise Solutions Co. plan to make parts of Denver International Airport (DIA) and a nearby development an example of cutting-edge solar energy use, in-home telemedicine technology and video used for traffic management and security.

The city and company on Tuesday announced some details of the “smart city” infrastructure planned at DIA and a neighboring development called Peña Station NEXT, where the offshoot of Tokyo-based Panasonic is putting its U.S. sales and engineering hub.

Wrap-up

As we head deeper into 2016, what action items should be considered regarding IoT infrastructure and specifically security?   

I like this article from Information Age which lays out 4 simple mistakes that businesses make that leave companies vulnerable. I certainly think these apply to governments as well.

Here’s a brief excerpt (note UK spelling):

As an example, some of our recent projects have demonstrated weaknesses in smart TVs that can be compromised in one of two ways: either via a Wi-Fi connection or quite commonly via its Bluetooth functionality.

Such an attack can be originated from outside the physical perimeter. Once the TV is compromised it can be used as a stepping-stone into the corporate network or turned into a listening device for attackers to cultivate company information. 

Organisations can avoid common weaknesses in smart devices by disabling unnecessary functionality (cameras/bluetooth/wifi etc) and keeping such devices up to date, just as they would any other corporate system.

In addition to this, these devices should be secured like any other device, for example ensuring that default passwords/settings are changed.

What struck me about this piece is the title that begins “testing, testing …”

I think that perhaps the No. 1 reminder or action item for all of us, at home and at work, on IoT security is to test what we do deploy for vulnerabilities and security weaknesses, whether that be default settings, security settings that are not turned on, or upgrades that are needed.

What is clear is that the many 2016 predictions of IoT hacking, security issues and more “things” are already happening.

And there is no going back, so get on the IoT and smart cities bandwagon now, if you are not already onboard.