Wireless and Digital Services

IoT security risks are real but will not stop its growth

By Tim Winchcomb - Last updated: Wednesday, July 19, 2017

Innovative digital revolution of internet of thingsIn 1981 the first mass outbreak of a computer virus, the Elk Cloner, took place, infecting Apple II computers via floppy disks. Even though it relied on the manual sharing of disks to replicate, public ignorance of the new threat meant it spread quickly. Today there are about 18 billion computers and electronic devices connected to the internet, viruses can spread near-instantaneously from one to the next and systems can be targeted by hackers from anywhere in the world. In the United Kingdom for example, just under half of all businesses discovered at least one cyber-security breach in the past year, according to a UK government survey.

Three trends have been converging to create the perfect storm threatening on-line security, and these are no less relevant for IoT devices than for PCs:

  1. The increasing amount of connectivity, data and value created by connected systems

As each of us has an increasing number of internet-connected devices, the amount of data generated by them is increasing even faster. Cisco forecasts that in the USA the average number of devices per person will exceed 12 devices in 2020, and that global internet traffic will reach 2.3 ZB per year (that’s the small matter of 2,300,000,000,000,000 MB).

Our report on the future of IoT, published by Ofcom in March 2017, estimates that the number of IoT connections in the UK will rise from 13.3m in 2016 to 155.7m in 2024. Although the value of each byte of data is very low, the overall value of all this information and connectivity to businesses and individuals is very high. The potential gains from criminals exploiting security weaknesses are increasing even more.

  1. The increasing complexity of systems introduces more vulnerability

Complex supply chains and interconnected ecosystems mean that no single person or organisation has a complete picture of the system, its constituent parts, the individual threats within each component and the systemic threats that arise from the combination of the separate parts. As this complexity increases it becomes even harder to find and remove security vulnerabilities from a product or service.

A system is only as secure as its weakest link, and it is a well-understood truth that human users are often the most vulnerable part of the system – as demonstrated by the typical example of an infected USB memory stick being left in a company car park. In the same way, a system is only as secure as the weakest part in its whole architecture.

  1. The increasing commoditisation of criminal services

It is getting easier for criminals to exploit security vulnerabilities and to make money from them without having to mastermind the whole process from end to end. Code which exploits holes in security can be purchased and botnets are available to hire by the hour. An entire ecosystem exists which offers criminals a full business model enabling them to make money.

But IoT will prevail

Better awareness from users and technology developers will help, but is only one part of this battle. End-users are increasingly aware of the importance of changing default passwords and of the phishing techniques used against them. Developers and suppliers are more aware of the reputational risk of having vulnerabilities in their products revealed. Brands can be damaged by negative press coverage of security loopholes or potential leaking of users’ personal data, as both Yahoo and Samsung have found out.

Advances in artificial intelligence and machine learning capabilities offer methods for detecting and defending against security violations. Monitoring the ‘pattern of life’ of communications from devices, such as the quantity of data, its destination and time-of-day routines may reveal compromised devices through any changes or suspicious destinations detected. A system that learns in this way can offer protection against as yet unknown threats and can itself adapt as the sophistication of exploits increase in response. This is similar to the way that our own human immune systems are constantly detecting and adapting to new threats in the form of new viruses, which have themselves evolved and adapted to human defences.

In general, the ‘pattern-of-life’ communications of IoT devices are more predictable: sensors are likely to send their readings in the same format to the same destination every time and may do this on a regular schedule. Actuators may adopt less predictable patterns, but are still likely to be much more consistent than the communications of a PC being used by a person.

The Elk Cloner was just the first computer virus to cause a mass outbreak, and there are reported to be over 390,000 new malicious programs discovered every day. Although decades later the threat is very much still with us, and the constant battle between virus-writers and anti-virus techniques continues, it has not stopped computers becoming established as a central part of our personal and professional lives. In the same way, IoT will continue to develop and although security will continue to be a serious threat, it will not prevent the long term establishment and success of this hugely promising innovation.