More than 40 percent of all venture and seed capital investments made in the United States over the past year have gone to companies that manufacture Internet of Things (“IoT”) devices. The aggregate U.S. venture investment into IoT companies in 2016 is expected to exceed $1.3 billion. With this explosive growth of IoT companies and the devices they produce, it is only natural that the IoT industry is becoming the next cybersecurity battleground.
IoT devices connect cars, appliances, doorbells, security cameras and other everyday items to the internet, but they are notoriously weak at securing the personal information that is collected and shared over those devices. Industry experts predict that as more of these devices are placed online, each with its own IP address, hackers will have more than 21 billion potential targets and three times as many ways to attack those targets. Cyber attackers have already used IoT devices to launch a distributed denial of service (DDoS) attack that shut down the DNS provider Dyn for several hours. This combination of vulnerability and availability is ideal for hackers who are looking to breach any organization’s internal network.
A post-mortem analysis of a DDoS attack that targeted a security journalist illustrates how IoT devices are used in cyberattacks. The journalist’s website was targeted by an overwhelming number of HTTP calls that were launched from almost 50,000 different IoT devices around the world (primarily CCTV cameras) that had been infected with a sophisticated computer virus. The technicians who performed this analysis issued a recommendation that IoT device users should change all default or generic passwords and disable remote access to those devices. Given the number of those devices coming into use, it is not realistic to expect that everyone, or even a majority of device owners, will follow this recommendation.
From a broader perspective, security analysts have detected a number of challenges that make IoT devices attractive to hackers. IoT devices are now used to control transportation infrastructures and utility grids. Manufacturers make tens of thousands of the same type of IoT device, each with the same embedded technology. A hacker who learns how to access one of those devices can then access every other similarly mass-produced device. Firmware in IoT devices is installed during the manufacturing process and is difficult to upgrade or to patch when a security problem is identified. Finally, a majority of IoT devices are operated outside of the secure boundaries of an organization’s internal networks and systems. In all senses, IoT devices are the low-hanging fruit that hackers will gravitate toward when they cannot break into a more secure network.
Organizations need to remain aware and to prepare themselves to repel attacks that originate with IoT devices. Cyber security insurance will be an important component in providing compensation for losses incurred in an IoT cyber war. That insurance can help an organization to recover revenues lost from downtimes caused by cyberattacks, and can help to notify and provide identity theft protection to customers whose information might have been compromised in an attack, which is crucial to your company’s success and image in the public sphere.
The IoT industry presents exciting opportunities for connectivity and improved services across every business sector, but it also increases the risks that every organization faces from cyberattacks. Organizations will need to monitor and update their cybersecurity practices as more IoT devices come online. Aggressive defenses to prevent attacks, such as security clearance checks and software updates, strategies to stop attacks that break through those defenses, and cyber security insurance to cover any losses from cyberattacks will together give every organization the best possible protection.