Internet of Things poses security concerns Tuesday, 16 February 2016

News article written by Corbett Communications. The statements made or opinions expressed do not necessarily reflect the views of Engineers Australia.

Connected devices, from refrigerators to sprinkler systems, representing The Internet of Things are about to become more pervasive in our lives than mobile phones and will have access to the most sensitive personal data.

Despite the benefits to being connected, as the number of IoT devices increase, security concerns will be exponentially multiplied, Hewlett Packard Enterprise (HPE) has warned. With one or two security issues on a single device such as a mobile phone quickly becoming 50 or 60 when considering multiple IoT devices in an interconnected home or business, the IoT is something of a major concern to HPE.

Gartner recently forecast that 6.4 billion connected ‘things’ will be in use worldwide in 2016, up 30% from 2015, and will reach 20.8 billion by 2020. This year, 5.5 million new things will get connected each and every day.

HPE, whose remit covers servers, storage, networking, consulting and support, is working on “edge computing” which is expected to play a growing role in IoT as many devices generate too much information to be hauled back to a data centre. The group is working with Intel on the IoT on products that will act as gateways, collecting, processing and analysing data from a range of connected sensors and devices.

In 2015, HPE conducted a research study on the IoT and found that 90% of devices collected at least one piece of personal information via the device, the cloud, or its mobile application; and 70% did not encrypt communications to the Internet and local network.

Alarmingly, more findings showed 70% of devices, along with their cloud and mobile application, enabled an attacker to identify valid user accounts through account enumeration and 80% failed to require passwords of sufficient complexity and length.

Six out of 10 devices that provided user interfaces were also shown to be vulnerable to a range of issues such as persistent XSS and weak credentials; and 60% did not use encryption when downloading software updates.

As a result, HPE has advised manufacturers and designers to conduct a security review of the device and all associated components including some fairly straightforward and simple testing such as automated scanning of the web interface, manual review of network traffic, reviewing the need of physical ports such as USB, reviewing authentication and authorisation, and reviewing the interactions of the devices with their cloud and mobile application counterparts.

Also advised was the implementation of security standards that all devices must meet before production and ensuring security is a consideration throughout the product lifecycle. Updates to a product’s software are extremely important and there should be a robust system in place to support this, according to HPE. Even at the product’s end-of-life, manufacturers and designers are advised to make sure the product is as secure as possible to protect the user and the device’s brand.