Cybersecurity Experts: Internet of Things Punches Holes in Web Defense

Webcams may guard our homes against burglars, and Fitbits may protect us against the flab we’d put on without exercising.

But the proliferation of such connected devices is also perforating the Web with millions of holes that hackers can drive through, network security experts reported as the annual RSA Conference on cybersecurity got under way at the Moscone Center in downtown San Francisco this week.

Webcams, routers, sensors, tablet computers and smartphones all provide entry points that cyber-invaders can use to flood a business network with an overwhelming tide of messages, shutting down service, Santa Clara, CA-based network security company NSFOCUS said in its twice-yearly Threat Report.

What makes these devices such tempting targets? They’re often operated around the clock; they frequently have weak passwords; and they may never be upgraded or replaced once they’re put into use, NSFOCUS says. Their networks also have enough bandwidth to pass along malicious information traffic.

The businesses now most frequently victimized by attacks that result in a denial of service are the ones most engaging to consumers: online retailers and media companies. But online game makers are the fastest-growing group of hacker targets, NSFOCUS found in its analysis of breaches in the second half of 2014.

Cyber saboteurs may be trying to help a competing game company, or they may be setting up their victims to pay blackmail to prevent a repeat attack. When a game slows down or stalls, online players may lose patience and switch to another game, eroding the company’s profits, NSFOCUS says.

The cybersecurity company expects an exponential increase in attacks worldwide as innovative Internet of Things companies add billions more connected devices to the global market. The breaches may spread to many new industries as they begin using connected devices to do things such as monitor utility operations, measure patients’ vital signs in the field, and keep self-driving cars in the right lanes.

As NSFOCUS reported its findings, the non-profit trade organization Cloud Security Alliance released its own report to help early adopters in the Internet of Things arena understand the security risks and grapple with them.

However, the alliance warned that more research must be done before anyone fully understands the vulnerabilities created by connected devices well enough to design fully effective security systems.

“In the absence of this research, organizations will be forced to make substantial architectural decisions without sufficient data to understand the risks and identify appropriate mitigations,” said Cloud Security Alliance executive Luciano Santos in the report.

The alliance is now conducting this type of research to discover the distinct kinds of exposure that will come with the use of connected devices in various sectors, which could include banking, policing, homeland security, manufacturing, and energy. Cyber villains could some day hijack devices to achieve a host of dangerous ends, such as injuring someone wearing a medical device, stalking, opening locked doors, silencing alarms, creating false online profiles, and stealing from bank accounts.

In the meantime, the organization offered some recommendations to businesses already planning to use connected gadgets and sensors. For example, the alliance advises them to get involved early in the design of the devices they plan to link to their networks, so that security safeguards can be built in from the beginning. As innovative companies have rushed to bring their devices to market, many have left out key security elements, such as authentication procedures for users and routes for upgrading the device with patches and new versions of software, the Cloud Security Alliance said.

Trending on Xconomy