The Internet of Things (IoT) poses a cyber security risk that could leave businesses and consumers open to both cyber and physical crimes because connected devices aren’t designed with privacy or data security in mind.
That’s according to a new report by application security company Veracode, which suggests that the combination of connected devices, the IoT and cloud software services leads to vulnerabilities that, if left unchecked, could be disastrous if the estimated 25 billion devices are connected to the web by 2020.
The warning comes soon after Chancellor George Osborne announced £40m in investment funding for UK businesses to develop applications for the IoT.
“Businesses are increasingly being breached by attackers via vulnerable web-facing assets; what is there to keep the same from happening to consumers? The short answer is nothing,” claimed the Veracode paper, entitled Internet of Things: Security Research Study.
“Already, broad-reaching hacks of connected devices have been recorded and will continue to happen if manufacturers do not bolster their security efforts now,” it added.
Indeed, one infamous instance of connected devices being hacked occurred last year when it was revealed how Russian cyber criminals enabled people to watch live footage from insecure webcams, baby monitors, security cameras and CCTV.
And according to Veracode, that could just be the start, with the report suggesting that cyber criminals could hack into IoT-connected devices to determine when an individual is or isn’t in their home. They could therefore gain information that they could use to determine when a person is and isn’t home in order to commit a robbery.
The report also suggests microphones could be tapped into to steal private information or to commit blackmail. Veracode therefore warns that while we should be keen to harness the power of the IoT, consumers, businesses and vendors should ensure that it’s done as securely as possible.
“It’s hard to not be excited about what the Internet of Things has enabled and will bring in the future, although that doesn’t mean cyber security should be sacrificed in the process,” said Brandon Creighton, Veracode security research architect.
“We need to look at the Internet of Things holistically to ensure that the devices, as well as their web and mobile applications and back-end cloud services, are built securely from their inception,” he continued.
“Security should not be treated as an afterthought or add-on, or we risk putting our personal information in jeopardy or even opening the door to physical harm,” Creighton added.
It isn’t the first time that the security implications of organisations rushing head first into the Internet of Things has been questioned. Speaking at the Royal Society in February, Christopher Millard, professor of privacy and information law at Queen Mary University in London, warned that the combination of connected devices and cloud services raised “unsettling questions” over privacy.
Edith Ramirez, chairwoman of the US Federal Trade Commission, has also warned on the security and privacy implications of the IoT.
While connected devices have “the potential to provide enormous benefits for consumers”, said Ramirez, she warned that it “also has significant privacy and security implications”, especially surrounding the personal data that the devices collect.
Nonetheless, while there are security implications surrounding the IoT that need to be addressed, there are a number of organisations that have already established a real enterprise use case for the technology.