Here’s why IoT security and privacy should be your prime concern

The Internet of Things is the latest in a long line of technologies that has gone from new and novel to established and indispensable. Smart homes with automated lights and air conditioning systems you can control with your phone used to be seen as somewhat of a gimmick. But given the rising cost of living, they’re now helping people to reduce energy consumption and lower their electricity bills. 

The same can be said for businesses who have adopted digital-first strategies in response to recent economic and pandemic factors. IoT is the source of transformative data and an enabler of automation, which can provide better customer experiences, more streamlined operational models and greater internal efficiency. 

Even so, IoT isn’t without its challenges, especially in complex ecosystems comprising multiple different devices all connected to the cloud. The focus of many organisations is to optimise IoT software, which can help in reducing bugs and rolling out new features inline with big picture business objectives. 

While these are important pain points that need addressing, issues such as security and privacy often take a back seat. This is despite the fact that an increase in connected devices gives hackers and cyber criminals more entry points. Worst of all, the cost of recovering from an IoT security or privacy breach pales into insignificance when compared to a proactive approach that fixes vulnerabilities ahead of time.

Take the high profile Optus data breach for example. The hacker found a vulnerability in the Optus API and was able to access the data of almost 10 million customers, including passport and driver license details. Based on other companies that have experienced similar breaches, Optus stand to lose hundreds of millions of dollars in the fallout from the cost of fixing weak security defences, compensating those affected, and a loss in profit to competitors as customers go elsewhere.

This will come as worrying news for organisations with extensive IoT footprints. First of all, the most common initial attack vector responsible for 20% of breaches was compromised credentials, a popular avenue of attack for malicious agents given many IoT devices use default security credentials. Secondly, security threats are becoming more complicated because of the adoption of technologies with multiple touchpoints such as IoT. Last but not least, the shift towards remote operations during the pandemic, where IoT devices are continuing to gain traction, has led to slower response times and more expensive data breaches. 

The Optus data breach cost the company hundreds of millions of dollars

So when it comes to prioristing IoT security and privacy, here are some key considerations:

Security

  • Default passwords – Hardcoded and embedded credentials on IoT devices are an easy target for hackers. In 2016, Mirai malware was used to attack multiple IoT devices, many of which still used their default usernames and passwords. It was the world’s first 1Tbps DDoS attack and resulted in the inaccessibility of high-profile websites including GitHub, Twitter, Reddit, Netflix, Airbnb and others. 
  • Lack of interfaces – IoT devices that are small, low cost and low powered tend to have limited user interfaces, which aren’t designed to implement common security measures or operate over long periods of time without updates. There is often little incentive for manufacturers to incorporate security into device designs as they aren’t typically liable for cybersecurity breaches.
  • Lack of encryption – Despite the fact regular updates are important for ensuring security on IoT devices, new firmware and software can still lead to vulnerabilities. Several devices fail to encrypt data that is being transferred to the cloud and back, providing a gateway for malicious agents to access sensitive information.
  • Physical accessibility – Unlike servers, most IoT devices are easily accessible physically, which can lead to vulnerabilities based on accessing the internals of the device itself.  Due to cost, most IoT devices do not provide the adequate hardware to mitigate accessing data or firmware via direct connection to the device, leaving security vulnerabilities not only to the device but the system that device may be connected to.

Privacy

    • Personal information – Although the definition of personal information differs according to jurisdiction, privacy laws generally protect details about an identified or identifiable individual, and give that individual control over how their information is handled. IoT devices frequently collect personal information, which could cause harm if used inappropriately. 
    • Collection and use of data – Data collected from IoT devices can be highly detailed and extremely useful for businesses. However, individuals could be uncomfortable with where this information ends up, prompting the need for care when data is used, especially if people have no choice that it’s being collected.
    • Owning and controlling data – Another consideration is knowing who will own and control information from IoT devices. If organisations that provide IoT devices or services can access data, there is a chance they could use personal information for profiling or targeted advertising that is not in the public’s interest.
    • Intellectual property – Firmware and associated data could provide an insight into the inner workings of a product, thus raising intellectual property issues. But then if organisations seek to protect the way an IoT device collects or uses personal information, transparency could also become a problem. 

Getting security and privacy right to capitalise on IoT’s power and potential

Regardless of the multiple security and privacy considerations you need to account for with IoT, its power and potential still makes any investment in this technology worthwhile. After all, research firm IDC says that spending on the Internet of Things in Australia and New Zealand is predicted to reach $24 billion by 2026. Leading the way will be labour-intensive and asset-heavy industries such as manufacturing, utilities and transportation.

“Enterprises in Australia and New Zealand are leveraging their technology investments to transform into digital-first organizations. The use of IoT will enable empathetic customer experience, robust operational models, and improved collaboration,” sai IDC IT spending guides⁠ market analyst Sharad Kotagi. 

Even so, challenges such as rising inflation, chip shortages and supply chain disruptions continue to impact the IoT market. DiUS IoT Lead Frank Losinno believes that this is another reason why security and privacy should be front of mind.

“At this moment in time, organisations must buy off the shelf or adapt and innovate their existing solutions,” he said. “Unfortunately, many of the devices we see and work with fail to deliver on business objectives or block the path to innovation. They have security vulnerabilities, can’t be updated over-the-air, and aren’t able to realise the vast potential of IoT.”

An area where DiUS is helping its clients overcome these obstacles is with IoT Lens–a technical and strategic review of their IoT products or solutions. DiUS’ team of specialists will consider the software, firmware and hardware of IoT workloads to diagnose any high-risk areas, along with the end-to-end security to enable organisations to prioritise remediation according to their business needs.

“Our approach provides the clarity and confidence to move an organisation’s IoT strategy forward, leveraging data for new or existing revenue streams and opening the door to additional technology options such as machine learning,” said Losinno.

Secure over-the-air updates and reliable quality control for Seeley

DiUS recently partnered with Seeley International to transform its IoT infrastructure to enable greater quality control and over-the-Air (OTA) updates to its cooling systems already installed in residential properties here and internationally. This meant developing new firmware, improving security between mobile devices and cloud provider AWS, registering devices with AWS IoT Core, and implementing proper CI/CD with infrastructure as a code.

“The DiUS team is extremely professional, and delivers quality solutions in a timely manner,” said Seeley International Product Manager – Controls, Barry Earl. “They have a wealth of knowledge in the AWS space and offer expertise in many areas including IoT and AI/ML. The team is friendly and happy to support you to become familiar with the environment’s solutions they build so that you can get an understanding and have the ability to maintain it should you desire.”

For more help or support with your IoT security and privacy concerns, don’t hesitate to contact DiUS. We can take stock of your current circumstances and situation before advising on the next steps.

Want to know more about how DiUS can help you?

Offices

Melbourne
Level 3, 31 Queen St Melbourne, Victoria, 3000

Phone: 03 9008 5400

Sydney
The Commons

32 York St Sydney,

New South Wales, 2000

DiUS wishes to acknowledge the Traditional Custodians of the lands on which we work and gather at both our Melbourne and Sydney offices. We pay respect to Elders past, present and emerging and celebrate the diversity of Aboriginal peoples and their ongoing cultures and connections to the lands and waters of Australia.

Subscribe to updates from DiUS

Sign up to receive the latest news, insights and event invites from DiUS straight into your inbox.

© 2024 DiUS®. All rights reserved.

Privacy  |  Terms