IoT: Never assume, never trust, always verify
How to stay secure when even your fridge can hear you

The Internet of Things now has many names: the Internet of Operational Things, or the Internet of Industrial Things. Perhaps the most fitting term for our hyper-connected world is the Internet of Everything.

By Scott Nursten, CEO, ITHQ

Any home could now contain a smart fridge, smart watch, Alexa device, fitness tracker or doorstep camera. We can order wine, control our lights and monitor our body fat with voice-activated tools that once belonged in science fiction. But all this convenience comes with a trade-off: every connected device is also a potential attack vector. In real life, as in fiction, the shiny, convenient side of tech gets the attention, rather than the inconvenience of losing your data, or worse.

The most disturbing recent case involved Cayla dolls: toys that, via Bluetooth, doubled as child monitors and could easily be hacked from a phone 50 feet away. Researchers discovered that someone could watch, communicate with and share footage of children through the very device designed to reassure parents of their safety. Germany's telecoms watchdog, the Federal Network Agency, designated the toy a spy device and banned it. All Cayla dolls in Germany must now be certified destroyed, or their owners face a €25,000 fine.
Assumption + trust = massive security issue
Because they are so convenient, we trust our smart devices to the point where we assume they are secure by design. But that trust has to stretch the entire length of the device's supply chain. IoT supply chain security is so pressing that ENISA, the European Union Agency for Cybersecurity, published a lengthy report in November 2020: Guidelines for Securing the Internet of Things. It covers every stage, from conceptual design to end-user delivery and maintenance. Among its conclusions is the need to 'take a comprehensive and explicit approach to security'.

Assuming a device is safe is extremely dangerous, and we're not only talking about hacking. Alexa records often, even when you don't ask it to. Samples of your voice are captured and analysed in the cloud to improve the service you receive. If you work in regulated financial or legal services, for example, often under NDA, imagine a sensitive call being recorded. Then imagine it shared in the public arena.

Every time you use a connected device, you are putting your trust in the entire IoT supply chain. If your device is from Microsoft or Apple, you are not only assuming that those organisations are safe, but that the millions of people collectively working for them, their suppliers, and their delivery and maintenance staff are trustworthy too. This is a big mistake.