Did you hear about the Target point of sale attack? How about the woman who discovered a stranger was using her Foscam baby monitoring system to talk to her young child?
Both of these examples were discussed at the “Protecting and Defending the Edge” session at the IoT Security Summit in Las Vegas. The summit took place at this week’s IoT Evolution Expo, which runs through Thursday at Caesar’s Palace.
The Target PoS hack is one of the larger and higher profile security breaches of late. The Foscam example is among the more bizarre ones. What they have in common is that both point to the frequent and widespread instance of security breaches.
Indeed, the kind of breach Target experienced is common now, noted Kenneth Lowe, director of business development at Gemalto, one of the session panelists. Vince Rico, business developer manager of the technology partner program at Axis Communications, added that Target had outsourced the management of its point of sale system to a service provider, and the hackers used a key to hack that service provider’s network.
So, in that case, the hackers came in through the network and not through the device. But security holes can exist in a lot of places within the network or at the endpoint. That’s why organizations and their suppliers who are implementing IoT solutions should take a holistic approach to addressing security.
There’s no silver bullet when it comes to security, of course, but there are some basic steps IoT companies and their customers can take to allow for more secure solutions, according to the panel. Some of them are as simple as ensuring that manufacturers of endpoints like cameras don’t turn off the security settings on these devices so they are not secure out of the box.
But getting to a more secure IoT isn’t going to be easy. For many companies, security is an after thought – sometimes coming after they make or install a deployment, and sometimes after they are scrambling to address a breach.
And, as noted above, some device manufacturers and retailers seem to have little if any interest in security. In fact, Clay Melugin, senior partner at RMAC Technology Partners and the panel moderator, started the conversation by noting that most Nest devices have already been hacked, especially if they are purchased from Amazon. He also said that many connected devices are powered by chips manufactured offshore, and that there is now a San Diego company that tests such chips to make sure nothing was added to them in the process.
Melugin also said he’s a fan of crypto, which can be done in software or hardware. If you put a key in crypto, he said, the hacker doesn’t find the private key. With crypto there’s matching encryption on the server side, so every device it talks to it authenticates. Lowe added that crypto does add another layer of protection.
For companies and other organizations with IoT implementations, the appropriate level and type of security depends upon the application and the risk involved should that data or asset be hacked, panel members seemed to agree.
Organizations that want to see how their solutions will stand up against hackers can have companies such as Dell do penetration tests for them. This is essentially an organized hack, also known as fuzzing, in which the tester hits your network with a bunch of packets to see how the network reacts and to reveal holes.
Edited by
Stefania Viscusi
