The summer heat is on, and the last thing on anyone’s mind is a long, cold winter. However, when it comes to data leaks, it appears as though a long, painful season is rolling in. As events unfold in the cybersecurity news sphere, many stories focus on “lower tech” ransomware, link hijacking, and phishing attacks, which produced newsworthy events such as the Colonial Pipeline and JBS meat-packing plant attacks. Recently, attacks against Internet of Things (IoT) systems emerged. Because IoT components are found in billions of everyday items, the scope of these attacks is worrisome, and worse, the migration to internet-everything is unstoppable. We will be seeing security incidents for a long time, unless we adjust course quickly.
The financial motive to add web features to every device known to mankind is clear. It seems everyone wants to be on the web, uploading the status of their bicycles, sprinkler systems, refrigerator energy consumption, and just about everything you can possibly think of. Even barbecue grills now come equipped with full internet connectivity, and mirrors on the wall are starting to be fully connected! The simple fact is that there are generations among us that expect these features; they have grown up with the internet and just wouldn’t do well without it. Thus, manufacturers are all too eager to connect anything and everything up to the web. It’s a perfect match. Consumers accept risks, sometimes unknowingly, because it is common to assume that the worst-case scenario will not happen to them or affect them in any significant way.
The Peloton Breach Incident
That leads us to the breach at Peloton, the at-home fitness stationary bike company. In this incident, a security researcher discovered an open, unauthenticated API. The discovery revealed an open channel to specific information about specific users, such as age, weight, gender, workout statistics, and birthdays. A significant amount of scrutiny has fallen on Peloton as they made a mess of remediation communications and deadlines. It appears, however, that this is just the beginning of issues to come as more items from the physical world come online, handling sensitive information that is useful in the hands of the wrong parties and that few people think about protecting until it is too late.
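To make the failure mode concrete, here is a constructed illustration (added for this article; it is not Peloton's code and does not describe their actual API) of a profile endpoint that answers any caller with the full record, placed beside a hardened version that authenticates the caller, returns the full record only to its owner, and gives anyone else a minimized view. The user records, the route names, the bearer-token scheme and the server secret are all assumptions made up for the example.

```python
"""Constructed example: an unauthenticated profile endpoint beside a hardened one.

Nothing here is a real API; users, tokens and secret are invented for illustration.
"""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample records holding the kinds of fields the article lists.
USERS: Dict[str, Dict] = {
    "u1001": {"name": "Alice", "age": 34, "weight_kg": 61, "gender": "F", "birthday": "1989-03-12"},
    "u1002": {"name": "Bob", "age": 41, "weight_kg": 88, "gender": "M", "birthday": "1982-07-30"},
}

# Assumed server-side secret for signing session tokens (placeholder value).
SERVER_SECRET = b"example-secret-do-not-reuse"


def issue_token(user_id: str) -> str:
    """Mint a token of the form '<user_id>.<hex HMAC-SHA256(secret, user_id)>'."""
    mac = hmac.new(SERVER_SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def verify_token(token: Optional[str]) -> Optional[str]:
    """Return the user id a token belongs to, or None if it is missing or forged."""
    if not token or "." not in token:
        return None
    user_id, mac = token.rsplit(".", 1)
    expected = hmac.new(SERVER_SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    return user_id if hmac.compare_digest(mac, expected) else None


def public_view(profile: Dict) -> Dict:
    """Data minimization: what a caller who is not the owner may see."""
    return {"name": profile["name"]}


def profile_open(user_id: str, headers: Dict[str, str]) -> Tuple[int, Dict]:
    """Vulnerable pattern: no authentication, full record for any id requested."""
    profile = USERS.get(user_id)
    if profile is None:
        return 404, {"error": "not found"}
    return 200, profile


def profile_hardened(user_id: str, headers: Dict[str, str]) -> Tuple[int, Dict]:
    """Hardened pattern: authenticate first, then apply object-level authorization."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
    caller = verify_token(token)
    if caller is None:
        return 401, {"error": "authentication required"}
    profile = USERS.get(user_id)
    if profile is None:
        return 404, {"error": "not found"}
    if caller != user_id:
        # Authenticated but not the owner: only the minimized view is returned.
        return 200, public_view(profile)
    return 200, profile


if __name__ == "__main__":
    print("open endpoint, no credentials:", profile_open("u1001", {}))
    print("hardened, no credentials:", profile_hardened("u1001", {}))
    bob = {"Authorization": "Bearer " + issue_token("u1002")}
    print("hardened, Bob asks about Alice:", profile_hardened("u1001", bob))
    print("hardened, Bob asks about himself:", profile_hardened("u1002", bob))
```

The two endpoints take the same inputs, which makes the difference easy to test: the open one hands back age, weight and birthday to a caller that presented nothing, while the hardened one refuses unauthenticated requests outright and, even for a logged-in caller, limits what is returned about other users to the display name.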
The Peloton incident is just the latest in a field of IoT missteps with popular systems and products. In the wake of consumerized products from all walks of life, IoT systems and online accounts are under significant threat. It does not matter how insignificant a product might be. For example, in January of 2021, a manufacturer of an IoT-enabled chastity belt was compromised in a ransomware incident. An increasing number of smart camera platforms are being targeted by thieves. Privacy and security are at risk, as is exposure to fraud, and criminal gangs are exploiting the spoils of data to their merciless benefit.
Can IoT be Slowed? Should it?
Once upon a time, distributed alternating current electricity was the next “new” thing. Electricity, lighting, and motors were added to every item available at the time. Suddenly, you no longer had to crank record players, grind beans by hand, or shine shoes with a pile of rags. What it meant to consumers was that convenience and functionality were clear winners. With IoT, we are seeing a parallel application of the web to real-world things, but we have the added variables of security and privacy to concern ourselves with. Consumers seem to be unable to resist these features as the ecosystem continues its stratospheric growth.
What many consumers don’t realize is that consumer product companies are in the business of selling the products that they make. They are not in the business of securing our information. If history is any indication, they have failed at protecting personal information, especially as they connect to billions of endpoints in your kitchen, your garage, your bedroom, and every place you live your life. Considering factors such as the growth of the market, the continual cybersecurity threats, and the financial motivation driven by successful compromises, we can expect to see information loss, even in places that have been deemed safe. Worse, threats once affected only things digital; IoT has flipped that on end and dropped the realm of cyber directly into the middle of our physical world. Attacks against data can be attacks against critical systems, human beings, resources, and the world around us.
Even the smallest bits of leaked data can be enough to compose purpose-built phishing attacks or stacked into significant waves of fraud. Unfortunately, it will take an unknown event of significant scale or personal financial impact for users to collectively wise up and demand more security from the market.
The basic fallacy in deploying these IoT systems is the same fallacy that exists in deploying IT systems at an organization. Security is relegated to traditional point solutions and perimeter security. Until we start to grasp the concept that security needs to be part of the foundations of any IT or IoT deployment, we must live with the reality of a computer-driven world that continues to suffer devastating breaches and compromises. It is an environment where attacks are easier to create than the defenses against them. Organizations that delve into the realm of IoT must recognize that preventing security incidents, be they breaches, malware, or whatever form they might take, requires continual vigilance and a fundamental ground-up integration of security into the ecosystem of tools, services, and knowledge. It takes proactive executive decision making and a willingness to continually learn from the community and from leaders in the enterprise security space. Until we change our mindset, the forecast looks like a long, hard winter.