Friday, June 6, 2025
PERSPECTIVES FROM THE CAMPUS
One of the strengths of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name “Perspectives from the Campus,” in which we invite experts – immersed in the pursuit of educating their students – to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.
In today’s part two of a four-part “cyber impact” blog series, David Dungan, who serves as the executive director at the Center for Security Services and Cyber Defense at Anderson University, discusses the impact of the Internet of Things (IoT) devices we’re using and offers his perspective on how we can stay connected while, at the same time, reminding us of the steps we can take to keep a cybercriminal from using the smart controls on our refrigerator to steal our personal data.
By David Dungan
Having the ability to control your fish tank’s thermometer remotely seems like a handy tool with no downsides, right? Well, not exactly.
As one very large casino experienced a few years ago, it was just such an internet-connected thermometer that led to its operations being hacked.
Smart TVs, home assistants, and other Internet of Things (IoT) devices often reach the end-of-life stage, meaning they no longer receive updates, without us even realizing it. Around the world, 18.8 billion IoT devices are connected, many of which have reached their end-of-life and are exposed to new and existing vulnerabilities. Add to that, recent estimates predict that by year’s end there could be more than 30 billion connected IoT devices globally, with some sources suggesting even higher numbers at 75 billion.
Of course, there have been plenty of other instances involving a myriad of products we use at home that have been compromised or where, because of the access attackers were able to gain, someone’s personal data or financial information has been stolen.
Buffer overflow and denial of service are two of the most common cyberattacks against home IoT devices. Given this fact, IoT devices may also be vulnerable to other code injection attacks. Some IoT devices should be avoided altogether, whenever possible, while others must be used cautiously. End-users should also determine which devices are genuinely necessary and how much risk is acceptable.
For example, a company may decide not to encrypt non-sensitive public-facing data because the data doesn’t contain personal, financial, or sensitive information. In doing so, it provides a would-be cybercriminal less of an attack surface that they could use to try to hack those devices with a ransomware attack.
Some of the more vulnerable home IoT devices include:
● Smart home assistants
● Smart TVs
● Smart plug-ins
● Media players
● DVRs
● Cameras
● Video Doorbells
● Internet-connected appliances
● Automated lights, air conditioners, and heaters
For a business, the type of IoT devices that could be compromised encompasses everything from the aforementioned fish tank and the smart coffee machines in the employee break rooms to the automated equipment controls on a company-owned vehicle or piece of machinery.
Essentially, there are two main ways of mitigating the effects of IoT-based attacks: containment and maintenance. The first way of limiting the effect of an attack is to accept the fact that IoT devices are less secure than other devices and it’s best to keep them on their own network. By separating them from the network where your sensitive information is stored, you can reduce the risk of an attack that could, otherwise, result in your device being compromised and your personal and/or financial information being stolen.
The second way of limiting the effect is maintenance. By properly maintaining your IoT devices and ensuring that they are always updated and have the latest patches, you can help reduce the likelihood of an attack. This also means that when the devices are considered end-of-life, you should either stop using the device or disable its IoT functionality.
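Both mitigations, containment and maintenance, can be checked against a simple device inventory. The script below is an added example, not part of the original post; the network ranges, device names, firmware versions and end-of-life dates are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network

# Assumed layout (constructed): sensitive computers on one segment, IoT on another.
TRUSTED_NET = ip_network("192.168.1.0/24")
IOT_NET = ip_network("192.168.50.0/24")

@dataclass
class Device:
    name: str
    is_iot: bool
    ip: str
    installed_fw: tuple   # firmware version on the device, e.g. (2, 1, 0)
    latest_fw: tuple      # newest version the vendor has published
    end_of_life: date     # date the vendor stops issuing updates

# Constructed sample inventory.
INVENTORY = [
    Device("office-laptop", False, "192.168.1.10", (11, 0), (11, 0), date(2028, 1, 1)),
    Device("fish-tank-thermometer", True, "192.168.1.77", (1, 2), (1, 2), date(2027, 6, 30)),
    Device("smart-tv", True, "192.168.50.20", (4, 0, 1), (4, 0, 1), date(2023, 12, 31)),
    Device("video-doorbell", True, "192.168.50.21", (2, 9), (2, 10), date(2029, 3, 1)),
    Device("old-dvr", True, "192.168.1.90", (3, 1), (3, 4), date(2021, 5, 1)),
]

def audit(inventory, today):
    """Return (device name, finding) pairs for IoT devices that break either rule."""
    findings = []
    for d in inventory:
        if not d.is_iot:
            continue
        addr = ip_address(d.ip)
        # Containment: IoT devices stay off the network holding sensitive data.
        if addr in TRUSTED_NET:
            findings.append((d.name, "containment: on trusted network, move to IoT segment"))
        elif addr not in IOT_NET:
            findings.append((d.name, "containment: on an unrecognized network"))
        # Maintenance: end-of-life devices get no more patches; others must be current.
        if d.end_of_life < today:
            findings.append((d.name, "maintenance: end-of-life, retire or disable IoT functions"))
        elif d.installed_fw < d.latest_fw:
            findings.append((d.name, "maintenance: firmware update available"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(INVENTORY, date(2025, 6, 6)):
        print(f"{name}: {finding}")
```

A device can fail both checks at once, as the constructed DVR does here: it sits on the trusted network and is past end-of-life.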
Nothing in cyberspace, it seems, is completely safe from being hacked, so it falls to all of us to provide our own line of defense and take the extra (or even the necessary) precautions to secure our IoT devices – including these nine tips as featured in a recent article by Netgear.
For industrial applications, the path to achieving a greater level of security involving IoT devices will also vary depending on the market, segment or business you’re involved in, but it relies on the same principles for educating employees on best practices and proactively managing your assets as a solution for keeping your data and systems secure.
Of course, regardless of the strategy you decide on implementing, just make sure that someone takes a look at the fish tank and, just as you try to do when you’re on vacation, remember that it’s OK to unplug!
NOTE: Be sure to come back and check out Part 3 of our blog series on Wednesday, June 11th, as David Dungan discusses some of the cyber threats involving the vehicles we drive. He’ll look at everything from the potential risks that exist in the supply chain to the key fobs and electronic control modules that we rely on to stay on the road.