Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

IoT: The Security Risk Iceberg

While politicians and security experts are constantly warning about the risk of cyber-attacks, they rarely, if ever, mention the risks associated with the Internet of Things (IoT). They should. Global connectivity between all devices creates significant security concerns. Recent reports of hackers being able to remotely control cars illustrate the immense risks posed by IoT.

While politicians and security experts are constantly warning about the risk of cyber-attacks, they rarely, if ever, mention the risks associated with the Internet of Things (IoT). They should. Global connectivity between all devices creates significant security concerns. Recent reports of hackers being able to remotely control cars illustrate the immense risks posed by IoT. This raises questions regarding current security risk management practices and illustrates the challenges that are being created by IoT’s all-in-one connectivity.

What is IoT anyway? According to analyst firm Gartner, “IoT is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment”. Nowadays many devices have embedded operating systems and are connected to the Internet, which introduces a board range of new opportunities for consumers and businesses alike. Gartner predicts that by 2020 there will be over 26 billion connected devices, while other analysts believe the number will exceed 100 billion.

IoT Security RisksThere are many applications of IoT, ranging from a house alarm system providing status alerts to a smartphone, smartwatches collecting health data and sharing it with doctors, vehicles accessing calendar data to pre-calculate the best route to take the driver to an offsite meeting, a wake up alarm triggering the coffee machine to prepare a dark roast just minutes it wakes the user, a refrigerator reminding the owner to purchase grocery items, or office equipment automatically re-ordering supplies when they run low. On a macro-level, smart city applications such as smart lighting and smart parking, would allow us to reduce waste and improve efficiency for things such as energy use. IoT provides endless opportunities and interactions, many of which we can’t even imagine yet.

The IoT market is still in its infancy, but is being driven by high expectations built around offering consumers a more convenient life style. Meanwhile, it promises to open up new markets for businesses by providing vast amounts of information on customer buying habits, which can be leveraged to drive further sales.

However, there is also a darker side to IoT, related to security and privacy. A good example is the recent case of hackers taking control of a car and crashing it into a ditch by remotely breaking into its dashboard computer from 10 miles away. That this is not an isolated incident was documented in a study by PT&C|LWG Forensic Consulting Services, which outlined that many other car makers’ were susceptible to being hacked. This is just one illustration of the tip of the iceberg when it comes to IoT’s security risks. Unlike traditional cyber-attacks, IoT incidents are not limited to extracting information; instead they can be used to cause physical harm and exploited by state-sponsored cyber-attackers to wreak havoc.

Ultimately, IoT opens up companies all over the world to more security threats. According to Robert Bigman, former CISO at the Central Intelligence Agency (CIA), IoT devices that manage personal health and safety systems will become the next ransom-ware gold mine. Like they have for the Bring-Your-Own-Device (BYOD) phenomenon, businesses need to adapt their risk management practices and broaden the scope of risk assessments to include all connected devices. If an employee’s smartwatch can be leveraged to spy on the corporate’s WiFi passwords, the watch suddenly falls into the scope of an organization’s risk assessment. In this context, one of the leading challenges for organizations will be how to store, track, analyze, and make sense of the vast amounts of data generated by including IoT in the risk assessment process. Emerging big data risk management technologies can assist here.  

To complicate matters, the development of IoT products preceded the creation of a common security framework or standard. In the case of many IoT products, security is an afterthought. The only reasonable solution to address the lack of security in IoT devices is for new standards and government regulations to be established that require the use of trusted networks and operating systems.

While it is encouraging to see several initiatives (e.g., Cloud Security Alliance, Open Interconnect Consortium) working to create frameworks to secure IoT ecosystems, an accepted standard will be needed to ensure the interoperability required to achieve this goal. Until then, IoT vendors need to incorporate security at the design phase of products to make them less of a threat when connected to networks. In addition, they need to consider early on what regulations devices will have to comply with so those requirements can be baked in and not added later when they would be less effective. Finally, device communication channels should conform to standards-friendly hub-and-spoke networking protocols, which are less vulnerable to attacks.

Time will tell if the IoT vendor community can come together to create a common security framework that helps shrink the security risk iceberg and minimize the risk of cyber-attacks.

Related: Learn About IoT Security at the ICS Cyber Security Conference

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.