“Why would I need a digital certificate for my toaster?” Let us tell you.
The Internet of Things (IoT) is growing exponentially. Each day more and more devices are coming online, which opens up new attack vectors for enterprising hackers and cybercriminals. On its face it might sound silly that you need to secure your thermostat or a FitBit. You would be wrong.
Let’s examine the FitBit example, using geolocational metadata foreign intelligence services were able to locate several US black sites thanks to the routes the soldier were taking while they jogged around the perimeters of the camps.
Granted, most IoT exploits don’t have the potential to be a matter of life or death like compromising the location of a black site would, but that doesn’t mean the threat shouldn’t be taken seriously.
Here are five ridiculous (but real) reasons why IoT security is critical in 2018.
Your IoT devices can tell people a lot about you and your property
This ultimately comes down to privacy, most IoT devices need to make contact with an application server somewhere at regular intervals, in addition to possibly reaching other endpoints. And vice versa. You need those connections to be secure or else the device will be transmitting everything in plaintext and it would be trivially simple to eavesdrop on those connections.
You may be asking, “yeah but what is somebody going to learn from my thermostat and smart lights?”
How about whether you’re home. The more unsecured devices you have, the more data points an attacker has. Think about how much information could be harvested from eavesdropping on connections with your car, your smart home, anything that’s online.
Quantum physics, man
Quantum computing is still about 8-10 years from being truly viable. But it’s going to arrive before a lot of these devices have finished their lifecycles. So not only do you need a digital certificate for your IoT devices now, but you also need one that’s going to be quantum-proof when the technology finally matures in about a decade.
Typically, that comes in the form of digital certificates that are underpinned by two algorithms, a modern algorithm like RSA and a quantum-proof algorithm for down the road. This is going to be important because quantum computers will be able to crack RSA encryption easily and that’s going to render most current IoT certificates obsolete. So, it’s not just about having a digital certificate – preferably one with a long validity period – on your IoT devices. You need the right one. One that will withstand the inevitable threat of quantum computing.
Because eventually, the IoT is going to rise up and kill someone
While it’s unlikely to be a Skynet-level rebellion, as more and more critical systems come online—the stakes continue to rise. Not even ten years ago, the US and Israel “allegedly” collaborated on the Stuxnet virus, which physically overheated Iranian nuclear centrifuges as part of a campaign to stunt its nuclear ambitions. Recently there have been attacks on power grids and other physical infrastructure that are connective.
It’s only a matter of time before a connected device is hacked with lethal repercussions. The best way to stave off this reality a little longer is with strong security for our IoT devices—at least off the assembly line. While there’s no accounting for what kinds of threats and attacks will present themselves in the future, there’s no excuse for not manufacturing them to be optimally secure in the now. Unfortunately, not all manufacturers adhere to this mindset, so sometimes an aftermarket fix needs to be applied. Either way, we can’t afford to leave these devices unsecured.
These devices will have long lifespans
While we swap out our phones at regular intervals, other IoT devices could be in service for years to come. People don’t swap out their refrigerators and thermostats quite as frequently. That means that these devices need to be fully secured for now, and with as much as much of an eye toward the future as possible.
As we discussed earlier, part of that is accounting for the incoming quantum threat. But there are other considerations that need to be made too. Strong configurations that only support the latest algorithms and protocols are a must, as is having a mechanism to potentially make updates to these devices down the line. The latter isn’t always feasible given that some vendors are loathe to include that kind of functionality in their devices, but if it’s available make use of it.
Because your devices could be working for someone else
You wouldn’t let someone come into your house and exploit your family’s labor for their own profit, so why would you want that to happen to your appliances and devices? People wonder what a hacker would want with their IoT devices – it’s their computing power. No, the ability to make ice isn’t all that attractive to cyber criminals, but the processing power that can be harnessed as part of a botnet.
Cybercriminals hack thousands of devices and build a botnet of devices they can control with a few clicks. This gives them the power to:
- Launch DDoS attacks against websites and computer systems
- Hack other computers while making it look like the hacker was at your house
- Mine cryptocurrency to make money
- Hide their identity by routing messages and internet traffic through the botnet
Build a botnet big enough, and you have a chance to make some decent revenue in cryptocurrency. This is not what you purchased these devices for. While this activity, called cryptojacking, may not result in latency that is THAT noticeable, it’s still an invasion and unauthorized use of your device. Don’t walk into your kitchen and have to ask, “are you mining bitcoin again, refrigerator?”
“What have I told you about that?”
It might sound crazy, but IoT security is hardly a joke.