Verizon released its “2015 Data Breach Investigations Report” on April 15, and it says that of the five billion IoT devices predicted by the end of the decade, most will be unitaskers and therefore very difficult to encrypt. The question it asks is whether they even need to be.
There has not been any substantive breach within the IoT, the report said, so all of its predictions had to be made via conjecture using the best available information.
Some of those predictions are pretty wide-ranging, but they’re also quite conservative. The report predicts increased privacy-related research and exploits from wearables and medical devices. It also predicts that M2M device breaches might become the source of breaches into the larger network and lead to the development of tools like Shodan, designed to take advantage of weaknesses in the IoT.
To avoid vulnerability, the report advocates taking sensible precautions, as with any other web-based technology. Perform threat modeling and attack exercises to determine potential attackers and their goals, and then figure out where your sensitive data lives and make sure it’s in a secured area.
Data privacy will be of special concern in the IoT, the report says, because it will be essential to provide privacy protection for everyone in the IoT ecosystem, which can be divided into three levels. Level 3 devices are sensor systems capable of relaying measurements to Level 2 devices, which collect data and transmit organized packages on up the chain. Level 1 devices are fully equipped internetworked devices capable of computation and sophisticated communication and application delivery.
If maintaining privacy is a concern, only data that is absolutely necessary should be gathered. Furthermore, consent and access control rules should be built in, and data should not be transferred to third parties for other purposes without explicit approval. Ideally, all data should be transferred and retained in an encrypted and anonymous format. Finally, safeguards against theft should include limiting Level 3 devices to sensing and relaying capability, while Level 2 and Level 1 devices, including the intercommunication channels, should be highly secure systems.
One worrisome area cited in the report is that many existing vulnerabilities are still not being addressed, even though they have been open for years. It said that in 60 percent of breaches, attackers are able to compromise an organization within minutes, but many cyber attacks could be prevented through a more vigilant approach to security.
In short, there’s vulnerability, but no one’s taking advantage yet. Perhaps someone should fix the holes before the flood gets here.
Edited by
Maurice Nagle