Connect with us

Hi, what are you looking for?


Network Security

IoT: The Security Risk Iceberg

While politicians and security experts are constantly warning about the risk of cyber-attacks, they rarely, if ever, mention the risks associated with the Internet of Things (IoT). They should. Global connectivity between all devices creates significant security concerns. Recent reports of hackers being able to remotely control cars illustrate the immense risks posed by IoT.

While politicians and security experts are constantly warning about the risk of cyber-attacks, they rarely, if ever, mention the risks associated with the Internet of Things (IoT). They should. Global connectivity between all devices creates significant security concerns. Recent reports of hackers being able to remotely control cars illustrate the immense risks posed by IoT. This raises questions regarding current security risk management practices and illustrates the challenges that are being created by IoT’s all-in-one connectivity.

What is IoT anyway? According to analyst firm Gartner, “IoT is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment”. Nowadays many devices have embedded operating systems and are connected to the Internet, which introduces a board range of new opportunities for consumers and businesses alike. Gartner predicts that by 2020 there will be over 26 billion connected devices, while other analysts believe the number will exceed 100 billion.

IoT Security RisksThere are many applications of IoT, ranging from a house alarm system providing status alerts to a smartphone, smartwatches collecting health data and sharing it with doctors, vehicles accessing calendar data to pre-calculate the best route to take the driver to an offsite meeting, a wake up alarm triggering the coffee machine to prepare a dark roast just minutes it wakes the user, a refrigerator reminding the owner to purchase grocery items, or office equipment automatically re-ordering supplies when they run low. On a macro-level, smart city applications such as smart lighting and smart parking, would allow us to reduce waste and improve efficiency for things such as energy use. IoT provides endless opportunities and interactions, many of which we can’t even imagine yet.

The IoT market is still in its infancy, but is being driven by high expectations built around offering consumers a more convenient life style. Meanwhile, it promises to open up new markets for businesses by providing vast amounts of information on customer buying habits, which can be leveraged to drive further sales.

However, there is also a darker side to IoT, related to security and privacy. A good example is the recent case of hackers taking control of a car and crashing it into a ditch by remotely breaking into its dashboard computer from 10 miles away. That this is not an isolated incident was documented in a study by PT&C|LWG Forensic Consulting Services, which outlined that many other car makers’ were susceptible to being hacked. This is just one illustration of the tip of the iceberg when it comes to IoT’s security risks. Unlike traditional cyber-attacks, IoT incidents are not limited to extracting information; instead they can be used to cause physical harm and exploited by state-sponsored cyber-attackers to wreak havoc.

Ultimately, IoT opens up companies all over the world to more security threats. According to Robert Bigman, former CISO at the Central Intelligence Agency (CIA), IoT devices that manage personal health and safety systems will become the next ransom-ware gold mine. Like they have for the Bring-Your-Own-Device (BYOD) phenomenon, businesses need to adapt their risk management practices and broaden the scope of risk assessments to include all connected devices. If an employee’s smartwatch can be leveraged to spy on the corporate’s WiFi passwords, the watch suddenly falls into the scope of an organization’s risk assessment. In this context, one of the leading challenges for organizations will be how to store, track, analyze, and make sense of the vast amounts of data generated by including IoT in the risk assessment process. Emerging big data risk management technologies can assist here.  

To complicate matters, the development of IoT products preceded the creation of a common security framework or standard. In the case of many IoT products, security is an afterthought. The only reasonable solution to address the lack of security in IoT devices is for new standards and government regulations to be established that require the use of trusted networks and operating systems.

While it is encouraging to see several initiatives (e.g., Cloud Security Alliance, Open Interconnect Consortium) working to create frameworks to secure IoT ecosystems, an accepted standard will be needed to ensure the interoperability required to achieve this goal. Until then, IoT vendors need to incorporate security at the design phase of products to make them less of a threat when connected to networks. In addition, they need to consider early on what regulations devices will have to comply with so those requirements can be baked in and not added later when they would be less effective. Finally, device communication channels should conform to standards-friendly hub-and-spoke networking protocols, which are less vulnerable to attacks.

Time will tell if the IoT vendor community can come together to create a common security framework that helps shrink the security risk iceberg and minimize the risk of cyber-attacks.

Advertisement. Scroll to continue reading.

Related: Learn About IoT Security at the ICS Cyber Security Conference

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.