Security for the Internet of Things

Oliver Barrett

The Internet of Things (IoT) describes the growing number of physical devices that are being connected to the internet, the platforms that control them, and the networks that give them connectivity. IoT has been made possible by the miniaturization of computing power, which allows a networked version of almost any real-life object. We now have smartphones, smart watches, smart fridges, smart TVs, and a proliferation of other smart devices, and they are changing the way that the physical world interacts with the digital. The economic potential of IoT technology is immense: the NZ IoT Alliance report "Accelerating a Connected New Zealand" projected that a vigorous uptake of IoT technology in NZ could add an extra 2.2 billion dollars to the economy by 2025. This potential gain comes from improvements to agriculture, transport and logistics, smart cities, and digitized national infrastructure. However, like any new technology, the advent of a massively networked world comes with risks that must be identified and managed.

IoT technology risks arise from the range of devices, their ubiquity, and their connectivity to the internet, which together increase the potential attack surface for malicious actors. Each new device is a potential entry point to a network, and as devices are added, this potential vulnerability will grow. Generally, IoT devices are not secure by design, often having hardwired default passwords or being unpatchable. Devices like networked water meters can be expected to operate for many years on low power, their unpatched software becoming a larger vulnerability as they age. There is therefore a fear that public and private networks will contain vulnerable devices that remain connected for many years, becoming ever more open doors for malicious actors to exploit. These vulnerabilities are especially concerning given the expected widespread uptake of IoT in critical industries like energy, transport, and healthcare.

IoT devices can also be linked together in massive botnets. The Mirai botnet, which took down the large internet utility company Dyn in 2016, was made up of millions of home routers, connected cameras, and video recorders. The attack brought down many popular internet sites, like Twitter, Netflix, Reddit, and CNN. The malware used was then released to the public, leading to a proliferation of other IoT botnet attacks. The malware worked by trying to access poorly secured devices with a list of default usernames and passwords. The users of these devices were completely unaware that, say, their laptop’s camera was part of the world’s then-largest botnet.

There are some significant security challenges inherent in IoT technology; these problems, however, are solvable, and we must be prepared to address them actively. Every technological innovation contains some element of uncertainty, and IoT is no different. To front-foot the problems that IoT presents, the NCPO is engaged with the IoT Alliance, an industry and government partnership. By collaborating with the Alliance and with overseas partners, the NCPO is developing ways to address the challenges described above, so that New Zealand citizens and businesses can feel confident connecting their phones, watches, TVs, routers and industrial devices to the Internet of Things.