IoT Cybersecurity Clouds

The dark Internet of Things (IoT) cybersecurity clouds keep hanging around with the latest news about malware that can wipe data from infected devices. Researchers from Palo Alto Networks discovered malicious software called Amnesia that can infect digital video recorders. If Amnesia senses it is running in a virtual environment, it can wipe critical directories from the file system. The researchers say this is a new capability in malware aimed at Linux-based embedded devices—which include smart TVs, wireless routers, switches, set-top boxes, in-vehicle entertainment systems, navigation hardware, industrial automation equipment, and medical instruments. This potential threat goes beyond consumer devices and could affect the electrical grid. Several other threats against IoT devices have surfaced as well:

• University of Michigan researchers demonstrated they could hack into sensors on smartphones, automobiles, and IoT devices using a $5 speaker. They targeted microelectromechanical systems, or MEMS accelerometers, which measure speed changes in three dimensions. Using acoustic tones, they deceived 15 different accelerometer models into registering movements that never happened.
• Engineers at Israeli firm Argus Cyber Security remotely shut down a car engine using a smartphone app, a Bluetooth connection, and a $75 dongle, which insurance companies install frequently to monitor driving. The engineers triggered a signal that disabled a car’s fuel pump, something that would only happen after a collision, according to a Wall Street Journal report.
• A doll named Cayla was investigated by regulators in Germany for being a security threat. The doll does not link directly to the Internet, but can be accessed via Bluetooth to any mobile device that has the doll’s dedicated app. Researchers found the dolls recorded voices and sent data to a third party specializing in voice recognition.

Security Is Top Concern for Developers

Among developers who write software for IoT devices, security concerns remain high. Nearly 47% of developers who responded say security is their top concern and has remained number one for 3 years, according to an annual survey (see slide 16) by the Eclipse Foundation. The situation does not seem to be getting much better in terms of the potential threats posed by IoT devices. However, beyond the negative headlines, there is some positive work taking place:

• The prpl Foundation is making progress on efforts to reduce threats to IoT devices. Members of this open source and community-driven foundation are focused on enhancing the security and interoperability of embedded devices.
• Two industry groups joined forces to improve Internet security. The Online Trust Alliance (OTA) has partnered with the Internet Society to improve security and data privacy. For several months, the OTA has promoted a new framework for securing the IoT, supporting multiple built-in security measures for devices from the beginning, and advocating strong security through the entire IoT product lifecycle.
• The National Institute of Standards and Technology (NIST) continues to push a broad set of initiatives to create a safer marketplace through its Cybersecurity for IoT program.

Will the Clouds Part?

So where do we stand in this process to create a more secure IoT world? In short, there is progress taking place. One thing to keep in mind: the IoT security threat is not going away anytime soon. That said, key stakeholders need to stay focused on providing stronger security measures for IoT devices and services. Otherwise, IoT market opportunities (see Guidehouse Insights’ Emerging IoT Business Models report) will be lost or needlessly delayed. We are in for cloudy skies for the next several years, so get used to a blend of bad news about breaches coupled with positive steps to thwart them.