
How to avoid an internet of exploited things

March 1, 2016

Posted by: George Malim

Christian Fredrikson, F-Secure

Adoption of the Internet of Things is proceeding quickly and although most people don’t yet have a smart refrigerator or toaster in their home, smart has taken off in certain market segments, writes Christian Fredrikson, the chief executive of F-Secure. TVs, fitness tracking devices, home monitoring systems and personal wearable devices are all hot products for connectivity, and it’s only a matter of time before other segments follow. Gartner tells us that by 2020, 25 billion devices will be connected.

But as F-Secure’s chief research officer Mikko Hypponen has pointed out, “a smart device just means an exploitable device.” He is, of course, correct. In the past year alone we’ve seen exploitable flaws in smart cars, smart security systems, smart thermostats and smart toys, to name a few.

In order to experience all the benefits of the Internet of Things without the worst-case scenarios of cyber criminals accessing our data and controlling us via our things, we’ve got to get IoT security on track.

Why is security such a challenge when it comes to connecting things?

Real-world product companies, although they make great home appliances, toys and everything else you can touch and feel, know little to nothing about information security. It’s no surprise that in their smart products, security is not given the priority it deserves.

These companies focus on how desirable and useful their product is, not on how secure it is. They worry about whether their product is easy to use, not about whether it will get remotely hacked. And to keep costs down and move products out the door, they often sell products built with chips that use outdated software. Such devices may have grave security flaws from the beginning.

Even if these companies were concerned about security, the small size of many IoT devices creates challenges. Limited size and processing power also limit the strength of security measures that can be taken.

In the world of computers, smartphones and tablets, a product that is built in a less secure way can have third-party security software installed to protect it. This is not the case with connected things. There is no way to install security software on a smart camera or a smart fitness tracker.

Compounding the problem is the difficulty with updating vulnerable software in IoT devices. Many smaller devices are low cost, and if a vulnerability is discovered on such a device it may be difficult to update the software and then to let customers know about a fix. Even if customers were notified, they would have to have the know-how to download and install the patch.

There’s just no easy solution for securing individual IoT devices. But the good news is, the problem is widely recognised and new solutions are in the making.

One approach that F-Secure is using to secure the connected home is protection at the network level. For IoT devices onto which we cannot install security, we analyse incoming and outgoing network traffic to and from the device. Suspicious traffic – for example, if a smart TV is connecting to a botnet command and control server – will be recognised and blocked. Traffic analysis and threat identification are enabled by our Security Cloud, which analyses traffic based on behaviour and reputation. Protection is real time and always up to date.

New ways of approaching IoT security are critical for the success of IoT. An Internet of Things-enabled world looks pretty amazing to me. Let’s not let it become an Internet of Exploited Things.