As consumers we have become obsessed with connected devices. We like the idea of smart homes, smart cars, smart TVs, smart refrigerators or any machine that can be automated with sensors and an IP address. Yet fewer tasks in IT today inspire more fear than the prospect of protecting corporate networks from this proliferating wave of connected devices. The internet of things phenomenon expands the threat surface exponentially, in turn boosting business risk.
But CIOs often aren't aware of all of the devices that make inviting targets for hackers. "One of the fundamental issues that faces the internet of things is knowing that they're there and giving them some identity," says Gartner analyst Earl Perkins. "You can't manage what you can't see."
Factor in the hiding-in-plain-sight machines and BYOD devices, as well as emerging technologies that control office light fixtures, temperature and even window tint, and it's easy to see how vetting what's on the network will only get harder for CIOs. Securing the internet of things is a primary focus of this week's Black Hat USA conference, whose organizers told the Wall Street Journal that they received 50 proposals for seminars related to infiltrating devices, including how a computer worm could spread through smart lightbulbs, how to hack medical systems, and a new kind of ATM skimming device.
Matt Kraning, CTO of security software startup and DARPA spinoff Qadium, says CIOs are focusing on locking down devices operating on the network as a result of BYOD policies while the mundane teleconference systems are ignored. There are tens of thousands of such unified communications and collaboration systems installed in executive boardrooms around the world. These systems use dated protocols, such as Session Initiation Protocol (SIP), aren't encrypted and are rarely kept current on patches.
Imagine this scenario: The entire C-suite huddles with the board for their quarterly meeting. The IP-enabled video conferencing system doesn't work so they call IT in. Turns out the system was properly blocked by the corporate firewall, consistent with corporate policy. But rather than cancel the meeting, the execs order IT to break through the firewall to get the system to work. The big no-no occurs when the IT team doesn't put the firewall back around the equipment, leaving the system open to an enterprising hacker who may eavesdrop on executive meetings.
"They grew up when the phone was just a phone," Kraning says of executives who don't realize the threat that such systems pose. "Most have no insider awareness of IoT and that persists the myth that the problem is not already here." He says mail servers are also potential threat vectors.
IoT security: a victim of market economics?
The enterprise is naturally only a subset of the broader world - one in which the increasing drumbeat of connected devices poses an even greater threat. Gartner forecasts that 6.4 billion connected things will be in use worldwide in 2016 and will reach 20.8 billion by 2020. Protecting those devices, from smart cars to smart hot water heaters to smart TVs, remains a big problem partly because of a misalignment of economics, says security expert Bruce Schneier.