Why the 'Internet of things' is a ticking bomb

Last week, experts at the annual Black Hat security conference illustrated that the “Internet of Things” (IoT) is  extremely susceptible to attack by exposing 13 previously unknown vulnerabilities in home Wi-Fi routers and network storage systems, the core infrastructure used by “smart” devices. As mass interconnection wires people and homes with unsecured Internet devices, new threats are inevitable, and enterprises will be the prime target.

Your Smart Devices Can Spy on You

When we convert “dumb” devices into “smart” IoT devices, we often make them vulnerable to cyber-attacks. As Mail Online reported last fall, some smart TVs can already monitor your viewing habits and remote control activity to target you with ads. With relative ease, hackers can also access this viewer data, scrape credit card information from apps and pay-per-view TV, and remotely hijack the video cameras built into the front of many smart TVs without even activating the light that indicates it’s recording. As cars, kitchen appliances, and industrial equipment become “smarter,” they too will become susceptible to attack.

Smart accessories such as Fitbit, Google Glass, Pebble and others could also expose tons of personal information to cyber criminals. They collect intimate data about our activity, including geo-location, heart rate, sleeping patterns, activities we enjoy, what we see, who we’ve met, how we talk, and what types of businesses we visit. And interconnected smart devices will give hackers an inroad to a more lucrative target: the enterprise.

The Enterprise’s Blind Spot

IoT devices are so troublesome because they provide intelligence for highly sophisticated “social engineering” attacks, which involve phishing emails and other deceptive tactics. The best way to con people is to have a lot of information about them, and IoT devices help achieve this quickly.

Consider how hackers hit a French multinational organization in 2013. First, they sent a phishing email to a vice president’s administrative assistant, referencing an invoice hosted on a file-sharing service. Then they called the admin, impersonating the VP with perfect French, and ordered her to process the invoice immediately, which downloaded a remote access Trojan (RAT) to her computer. They eventually stole enough info and impersonated enough people to wire a large sum of money to multiple offshore accounts.

These attacks will become harder to stop when hackers can study the VP or administrator’s voice, habits, and preferences for months without being detected – perhaps by hijacking the victim’s smart TV, Fitbit, Google Glass, and other connected accessories.

Expect No Breaks

When consumers carry and wear IoT devices and live surrounded by them, the multiplication of operating systems and software will create more vulnerabilities for hackers to exploit. In general, users don’t auto-update software in a timely manner because they don’t view updates as a security precaution. Thus, attackers will have large windows for taking advantage of known weaknesses.

To deter social engineering attacks, enterprises will need to think about cyber security as creatively as they think about employee benefits. Companies provide fitness centers, work-at-home days, and free healthy food because it pays back in productivity, employee retention, and well-being. Likewise, enterprises may need to offer home cyber security plans to nip social engineering in the bud. Overall, we’ll need to think as creatively as hackers to preserve security and privacy in an interconnected world.

Sarah Isaacs is Managing Partner of Conventus, a Symantec National Platinum Partner that specializes in endpoint and server security, compliance, and data loss prevention. Sarah co-founded Conventus in 2006 after working as a Technical Manager for the central region at Symantec, where she consulted on the implementation of antivirus and client security technology products for numerous corporate and government enterprises. Prior to that role, she served as a Principal Security Consultant at Symantec.