Things to Think About with the Internet of Things
27 May 2014



It was around 2009 that the term 'Internet of Things' (IoT) was proposed. However, not many people I speak to outside of the tech industry have ever heard the term or know what it is. This limited understanding among general consumers is understandable because, on the surface, not much has emerged to capture consumer attention. Some people might mention Internet-connected TVs or toasters as examples of the IoT, but not many understand the depth of this technology. Fewer still appreciate the profound impact this technology will have on privacy. From a security perspective, first thoughts may lead us to believe that the impact will be solely on consumer privacy, but there is also an inherent and significant threat to business and enterprise.

The concept and implementation of Internet-connected TVs and all other electronic entertainment and consumer devices may whet the appetite and drive consumer engagement with the IoT, but the marketing and hype will fail to articulate the impact on privacy and security. The IoT is currently perched on the edge of the domestic market and is set to make steady growth with a limited range of consumer products and devices. As we have seen with many social media technologies and platforms, they start with a small user base and then, for a variety of reasons, grow exponentially in popularity. This scenario often leaves the security industry a long way behind the technology.

We will see kettles and fridges connected to the Internet such that the kettle turns on when the alarm sounds on a smartphone or the fridge automatically orders the milk. All of that sounds appealing, but the IoT is far more than Internet-connected TVs and kitchen appliances, or indeed any other Internet-connected device. The IoT is primarily the concept of autonomous machine-to-machine (M2M) communication, which is not conceptually new. The IoT is essentially the domestication of industrial data acquisition and commercial process automation: it extends this industrial technology to domestic applications and presents it to the consumer market. In doing so the IoT will have a profound impact on consumer privacy, but the side-effect will pose some of the biggest security challenges for businesses with respect to data loss.

Take a step back and look at the power of current data mining on what are primarily datasets contained within individual enterprises or, in many instances, shared among business partners or corporate groups. Current data mining facilitates accurate profiling of individuals, including their personal preferences, buying habits and many more personal attributes. Social media further extends this profiling to incorporate personal and social relationships, geographic movement and activity. The IoT has the potential to extend this personal profiling further into a highly detailed and time-specific record of an individual's life. 'Big Data' may become a thing of the past as the IoT gives us what we might eventually call 'HDdata' (High Definition Data).

An obvious area of concern is the invasion of personal privacy but, as mentioned above, there is a wider and unforeseen impact on businesses. If we look at the IoT from a cyber crime perspective it is immediately apparent that the IoT presents fruitful avenues of opportunity to extend social attack vectors. Social engineering, spear phishing and ultimately exfiltration of data from businesses are set to become more precise and effective. Security policy on the use of social media, and in particular business social platforms, is not too common in an enterprise. It is not uncommon for professionals to publicly display their profiles, including their current role and current place of employment and, in some instances, the projects they are currently working on. All of this information is highly valuable to cyber criminals and their agents in initiating the first steps of a data theft attack. The IoT will make it possible to infer detailed information about individuals from aggregated data even if an individual does not voluntarily disclose any personal information via any social media platform. Aggregated data from TVs, phones, domestic appliances, cars and heating systems will be sufficient to infer information not only about an individual but about the profiles and whereabouts of an enterprise's entire workforce. For example, an attacker will be able to aggregate and infer detailed information about a company's security operations team or executive team and then leverage that information for an attack. The IoT is poised to bring a whole new dimension to the sophistication of social engineering and ultimately to enterprise data loss.

Fortunately, the growth and power of the IoT beyond basic household devices will be dependent on carrier and service provider support for domestic IPv6 services. Currently the IoT predominantly utilises IPv4 for communication between what are essentially smart devices. The limitation of the IPv4 address space inhibits the realisation of what the IoT truly is and what it will become. While many of us would like to see swifter progress towards IPv6 availability and adoption, IPv6's slow global progression is fortuitous for businesses. Slow roll-out and limited native IPv6 communication services present an opportunity for enterprises to apply lessons learnt from the security risks associated with the exponential adoption of social media. Businesses now have an opportunity to educate users and employees before the IoT reaches the masses. It is also an opportunity for businesses to investigate and research the medium and long term security impact of the IoT on their operations and to define strategy and policies now. The naive and promiscuous use of social media and business social platforms by employees is the root cause of many targeted breaches initiated by social engineering. In hindsight, we would have educated users earlier and implemented robust security policies to address this primary source of cyber reconnaissance.

The IoT is an opportunity for businesses to apply lessons learnt. Implementing a programme of security awareness on the existing impact social media can have on employee privacy and on the business should be the beginning of an enterprise-wide campaign to prime employees on the associated risks of the IoT. The WEBonisation of domestic appliances, devices, heating, cooling, doors, beds, clothes, bikes and cars may become one of the biggest indirect threats of corporate data loss in the near future. It may become such a threat for many other reasons we haven't even thought of yet.

varlogsecurity blog