Connected convenience comes with elevated risk
The world has witnessed a new level of convenience and accessibility in the past five years. Specifically, the increasing amount of connectivity between our everyday objects brings effortless ease to previously mundane experiences.
No longer do people need to call up a pizzeria to order pizza, or call a cab company to get a ride -- now they can simply address an Amazon or Google speaker and, thanks to the Internet of Things (IoT), the pizza or car will arrive in 30 minutes or less. However, while this unprecedented level of connectivity and integration has made everyday life more convenient, it has also made it more vulnerable -- requiring individuals to maintain a new level of awareness as they go through their everyday activities.
One rote activity leaving the lives of IoT early adopters is the act of turning lights on and off. Thanks to companies such as Philips, Samsung, and GE, users can now connect their light bulbs, light switches, or both, to a home appliance network that will ensure that the lights adapt to the whim of the user, not the other way around. Thanks to these advancements, users can set schedules for their lights or parameters that focus on room occupancy. After some configuration, users can ensure that lights come on automatically when they are in the room and it's dark outside. Additionally, they can establish rules ensuring that lights turn on, and turn off, at different times of the evening, to simulate home occupancy, even when they are away on vacation. This is incredibly convenient and can potentially deter theft. However, all this convenience comes at the risk of exploitation.
Though the shape of computers has changed -- taking the form of internetworked sensors and appliances -- the fundamental principles of cybersecurity have remained relevant. One of these universal beliefs is that data is subject to a ruling three-pronged tenet of confidentiality, integrity and availability. This principle, summarized, states that ideally data can be kept in confidence (secret), kept available, and have its integrity protected from corruption or compromise. However -- as cybersecurity professionals have discovered -- it's nearly impossible to guarantee all three.
For example, safeguards ensuring that data is kept confidential also make it more difficult for a user to access, thus limiting its availability. Yet, when data is accessible to all, it is clearly not held in confidence. This applies to traditional computers as well as the IoT home networks invading our homes.
With each new device that is installed into our homes, cars, or offices, the risk of compromise or exploitation grows, and our level of vulnerability increases. As many cyber and information security experts will acknowledge, the safest computer is one that is unplugged from the internet AND the power outlet. Yet, as IoT gains traction, users are doing the opposite. ISACA's State of Cyber Security 2017 research shows that the professional community is taking notice, with 59 percent of respondents indicating they are concerned about IoT in the workplace.
Many American homes are now an amalgamation of smartphones, laptops, tablets, and other smart devices such as thermostats and light bulbs. Increasing the number of smart objects in our homes and offices opens us up to larger attack surfaces. Now, instead of trying to hack your laptop, an attacker may try to hack your thermostat. While this example may draw a giggle from some readers, it's worth noting that security experts have shown how to exploit and control a thermostat in less than a minute.
Additionally, researchers have shown how to gain control of IoT hubs, which act as the brain of many IoT home networks. These devices provide valuable data to attackers, such as when you are home, what temperature you like, and potentially, what room you are occupying. The implications are both astounding and frightening.
While a grim picture can emerge, it's important to understand that as acceptance of these products grows, so does the awareness of the potential vulnerabilities that accompany them. Today, individuals are more aware of cybersecurity and privacy protection than ever before. More review sites and research resources are available than at any other point in history -- allowing many users to read about the strenuous testing many of these objects undergo to protect their data and privacy. Through this research and greater understanding, users can make informed decisions about their level of connectedness.
IoT is a double-edged sword. Though these new networks and devices provide individuals an opportunity to live a more convenient life, they also bring new vulnerabilities. It is through understanding these vulnerabilities and raising awareness that users can appreciate their new capabilities, while managing their risk levels.
• Frank Downs is senior manager, cyber/information security, for Rolling Meadows-based IT association ISACA.