Connected objects (IoT, Internet of Things) have gradually invaded our daily life. Smartphones and connected devices, whether they are connected directly or indirectly to the Internet, form a new digital galaxy.
But are we sure we know and master them well?
2 IoT definition
Generally, connected objects are associated with the daily uses of the general public, such as smartphones, connected bracelets, connected watches, household appliances, etc. Connected homes are also at the heart of the IoT topic. More commonly known as home automation, the connected home has become a reality in many homes. The IoT is also a big part of business today. The ease of interconnection, mainly through the Internet, facilitates the development of industrial, medical or recreational projects.
There are many examples of IoT, ranging from a connected insulin pump to machine tools in a factory. The underlying technologies vary depending on the applications, bandwidth and scope required. Their use has become all the more common as they are now even referred to as IIoT (“Industrial Internet of Things”) or “Industry 4.0” for the industrial sector. In the medical field, it is referred to with the term IoMT (“Internet of Medical Things”).
3 IoT advantages
The world of the Internet of Things already surrounds us today, but its evolution is far from having reached its peak.
Connected objects make our lives easier and offer companies new opportunities to improve the customer and employee experience, as well as production processes. Some allow us to improve our quality of life, others can help us stay fit or even save lives.
IoT is generally:
- networked household appliances that can be monitored or controlled remotely;
- smart home components, such as lighting, heating or ventilation units with remote management/monitoring access;
- “wearables” or related fashion clothing and accessories;
- sensor networks;
- connected industrial and manufacturing equipment;
- telematic sensors of networked means of transport;
- other integrated devices connected to the network with computing capabilities.
Our smartphones and computers often draw their intelligence from “IoT” devices, in particular thanks to the following features:
- Some “objects”, such as portable medical devices and home security systems, have surveillance as their primary purpose. Others are intended for remote sensing and reporting of operating conditions, usage or other external environmental factors.
- Remote management or customisation of certain device functions becomes possible. For example, a vehicle can be started remotely or a home thermostat can be set from outside the home.
- Monitoring and control capabilities allow device manufacturers to adjust performance and efficiency based on historical operating data combined with real-time measurements. Problems can also be diagnosed remotely, triggering preventive maintenance actions and thus avoiding breakdowns or accidents (e.g. sensors in aircraft turbines).
- Devices can operate autonomously and adapt to environmental and operational factors with minimal human interaction.
4 IoT risks
Despite the good security practices and recommendations made available by the organisations responsible for information security or personal data protection, many scandals have arisen following insufficiently protected or poorly managed equipment.
4.1 Information leaks
Information leaks through an unsecured interface
The proliferation of connected devices and their growing interconnection generate an increasing amount of data that is transmitted between devices and then over the Internet. This greatly increases the risk of security vulnerabilities being exploited. An IoT system is like a chain with a level of security that matches the strength of the weakest link in the chain.
We should also be wary of certain interfaces or technologies, such as Bluetooth, that are vulnerable by design. They can be easily compromised and lead to information leaks.
Unfortunately, the risk of information leakage often stems from neglecting the proper use of the IoT object in its digital environment. The reasons may vary:
- purchase of equipment with archaic and insecure communication protocols,
- insufficient IT security configurations,
- weak or non-existent passwords,
- voluntary or involuntary provision of data by the user.
Whatever the reason, the result is the same: an information leak can endanger entire organisations or the private lives of individuals.
4.2 Denial of service attacks
Connected objects can also be the target of attacks that do not aim at them directly, but seek to turn them into “zombies” forming networks of remotely controlled robots (“botnets”). These botnets are generally used to launch distributed denial of service (DDoS) attacks.
If attackers manage to take control of enough IoT devices to form a botnet, they can activate them simultaneously to generate an intense artificial flow of data and overload networks. This results in the unavailability of information networks or systems that are sometimes vital for individuals, companies or communities.
4.3 Mass surveillance
The use of IoT also has risks which can be illustrated by the example of on-board or surveillance cameras such as CCTV (“closed-circuit television”). These camera feeds can be misused to monitor individuals or places for criminal purposes (blackmail, burglary…). Compromises are not the only questionable case of CCTV usage.
On this basis, an undemocratic government could develop a network of cameras allowing its authorities to monitor the population. This practice can be coupled with the use of big data processing tools (e.g. facial recognition) to assign ratings to citizens according to their behaviour.
4.4 Invasion of privacy
Another aspect of surveillance may be the intrusion of third parties into the privacy of citizens or employees. The use of increasingly intrusive connected objects makes it possible to control individuals, whether through the use of cameras, geolocation or by monitoring connected devices. Some unscrupulous managers may see a possibility in this technology to increase the productivity of their employees by applying constant control of the workplace.
5 IoT recommendations
5.1 Default password and accounts
The first precaution to take is to ensure a high level of password complexity. These must contain a mixture of upper- and lowercase letters, numbers and special characters. You can test the strength of your password through free tools such as https://howsecureismypassword.net/.
Default accounts of connected objects are generally known and appear in public documentation. It is, therefore, very easy for an attacker to try these front doors in an attempt to take control of an IoT device. When first accessing the configuration settings of the IoT device, it is advisable to create your own personal administrator account and then delete the default accounts. This way, attacks on these easy targets can be prevented.
5.2 Physical security
In order to understand the need to physically secure connected objects, all you have to do is ask yourself a question. Would you leave your cell phone unattended on the street? The answer seems obvious, yet in the IoT world, this is not always the case. Connected objects must, therefore, be protected against the risk of theft, sabotage or compromise by a malicious third party.
Let’s be clear, it is not for its own value that a connected object must be protected, but for the data it can contain and for the malicious use that could be made of it by using it to reach other targets. Depending on the situation, when a connected object must be left “in hostile terrain”, it will be necessary to ensure that it does not contain any usable data and that it cannot be used by unauthorised third parties.
5.3 Software updates
One of the major issues is a common suspect in cybersecurity: failing to install software updates (“patches”). It is particularly important to apply the patches provided by the suppliers. This is especially important for connected objects, which are by definition permanently exposed to potential attacks.
If regular and automatic updates can be activated, it is strongly recommended to activate this option, provided that the update protocol is secure and the remote site is trustworthy. In the absence of an automatic update feature, it is advisable to check manually and on a regular basis whether a software update is available. This minimises the likelihood of being attacked via known vulnerabilities that regular software updates can correct.
5.4 Preferably buy devices from recognised manufacturers
In order to reduce the risks, it is advisable to choose recognised products from reputable manufacturers. These manufacturers generally have the means to invest in the development of quality products.
5.5 The network
Once you have made your choice for IoT devices, it is important to identify them and to know the properties of these products that you are about to integrate into your computer network.
By taking an inventory of all connected devices and their specific characteristics, normal activities can be separated from suspicious or unwanted activities.
Regular monitoring of the local network (Wi-Fi), of the connected devices and of their activity will also help detect possible problems and close doors that are no longer in use.
5.5.1 Network segmentation
Not all IoT security vulnerabilities can be controlled. The residual risk that a potential attacker could exploit one of these flaws and thus interfere with the local computer network remains very high.
If other mission-critical applications are hosted on the same internal network, it is strongly recommended to separate this network into several segments. One logical segment or network should host and/or interconnect the IoT devices, while a second dissociated network would be used exclusively for the hosting of critical information systems.
5.5.2 Limiting the number of IoT devices in your network
The more connected objects you put into a network, the more vulnerabilities and potential security holes are introduced. This risk can be minimised by limiting the number of objects connected to the network, by limiting the access rights (filtering) of these objects to the minimum required for their proper functioning and by deactivating objects which are no longer used momentarily or permanently.
5.5.3 Network filtering
Certain network elements (routers and firewalls, for example) allow filtering of the information circulating between two networks or network segments. The filtering can, for example, be based on the source or destination addresses and ports, communication protocols, content, bandwidth or the volume of information.
In the case of network segmentation, it would thus be possible to filter information exchanged between two segments and, for example, only accept connections between devices identified beforehand according to a well-defined exchange protocol.
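An added example (not part of the original article) of the inventory and filtering checks described in 5.5 and 5.5.3: a short Python script that compares constructed flow records against a device inventory and a cross-segment allow-list, flagging unknown devices and flows the filter policy should not permit. The segments, MAC addresses, device names and log format are all hypothetical.

```python
"""Added example: review constructed flow log lines against an IoT inventory and allow-list."""
import ipaddress

# Constructed (hypothetical) segments: IoT devices on one, critical systems on the other.
IOT_SEGMENT = ipaddress.ip_network("192.168.20.0/24")
CORE_SEGMENT = ipaddress.ip_network("192.168.10.0/24")

# Inventory of known IoT devices, keyed by MAC address (constructed values).
INVENTORY = {
    "aa:bb:cc:00:00:01": "thermostat",
    "aa:bb:cc:00:00:02": "ip-camera",
}

# Flows an IoT device may open towards the core segment: (device, dst_ip, proto, port).
# Here only the thermostat may talk NTP to a local time server; nothing else crosses.
ALLOWED_FLOWS = {
    ("thermostat", "192.168.10.5", "udp", 123),
}

# Constructed log excerpt: "timestamp src_mac src_ip dst_ip proto dst_port".
SAMPLE_LOG = """\
1000 aa:bb:cc:00:00:01 192.168.20.11 192.168.10.5 udp 123
1001 aa:bb:cc:00:00:02 192.168.20.12 192.168.10.5 tcp 22
1002 aa:bb:cc:00:00:09 192.168.20.40 192.168.20.1 udp 53
1003 aa:bb:cc:00:00:01 192.168.20.11 192.168.20.1 udp 53
"""

def parse_line(line):
    """Split one log line into typed fields."""
    ts, mac, src, dst, proto, port = line.split()
    return {"ts": int(ts), "mac": mac.lower(), "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "proto": proto.lower(), "port": int(port)}

def review(log, inventory=INVENTORY, allowed=ALLOWED_FLOWS):
    """Return (timestamp, reason) findings: unknown devices and disallowed cross-segment flows."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        name = inventory.get(rec["mac"])
        if name is None:  # not in the inventory: an unidentified object joined the segment
            findings.append((rec["ts"], f"unknown device {rec['mac']} at {rec['src']}"))
            continue
        crosses = rec["src"] in IOT_SEGMENT and rec["dst"] in CORE_SEGMENT
        if crosses and (name, str(rec["dst"]), rec["proto"], rec["port"]) not in allowed:
            findings.append((rec["ts"], f"{name} -> {rec['dst']}:{rec['port']}/{rec['proto']} not in the allow-list"))
    return findings
```

Running `review(SAMPLE_LOG)` reports the camera's SSH attempt towards the core segment and the unknown MAC address, while the thermostat's permitted NTP flow and its DNS query inside the IoT segment pass silently.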
5.6 If not in use, deactivate the device (turn off) or unnecessary interfaces
Any IoT device integrated into the network has potential flaws and vulnerabilities. A device that is not in use may also be forgotten in inventory or security updates. Therefore, do not hesitate to deactivate any device that is not in use.
Furthermore, an IoT device can have a variety of communication interfaces, the use of which depends on the deployment scenario. Here again, the aim is to limit its exposure to potential vulnerabilities: it is recommended to disable or remove the interfaces that are not necessary for the proper functioning of the IoT device in its digital environment.
5.7 Disposal of IoT devices
In case of prolonged non-use or obsolescence, IoT devices should be removed from the network and be disposed of. IoT devices often have a memory that stores information or configurations that reveal aspects related to the security of your network. Do not forget to delete this data from the devices.
5.8 Contracts and general conditions of use
As with any contract, careful reading is required. The general conditions of use (GCU) of a connected object can be long and complex, but they are not trivial because they legally bind their users. The same applies to the conditions of use of the online services associated with these objects.
In conclusion, the IoT and its underlying technologies constitute a significant advantage for many sectors of the economy as well as for citizens. However, we must remain particularly vigilant about the sensitivity of the data that is collected, transmitted and stored, as well as about the impact in the event of theft, loss or manipulation of this data.
Connected objects often offer many configurable features, which sometimes makes them fairly complicated to master. But these settings also offer us the possibility of limiting the number of data recorded or exchanged. The same applies to the online services associated with these objects. It is worth taking some time to properly configure your devices and their digital environment to get the best out of them, not the worst.
In other words: prevent the benefits in terms of everyday comfort from turning into a nightmare for our privacy and our freedom.