Internet of Things products are small, networked and unfortunately almost always have little or no security. Sometimes this is down to a lack of willingness on the manufacturer's part, but it is also partly due to the nature of the product: small and light also means that these devices have few resources for more demanding security features such as encryption and packet inspection. This leads to vulnerabilities, numerous attack vectors and ultimately to a bot device that can be abused by almost anyone. Following the latest large-scale attacks, which used IoT devices as a digital army, there are loud calls for more legislation and for governments to get involved. In a hearing before the Committee on Energy and Commerce of the US House of Representatives, security expert Bruce Schneier warned that "catastrophic risks" would arise from the proliferation of insecure technology on the Internet.
The trend towards greater state surveillance has become even more obvious since Edward Snowden's revelations. Governments frequently justify such intrusions into their citizens' privacy as counterterrorism or child-protection measures. In recent weeks, two unmissable examples of state interference have been rushed through: an amendment to Rule 41 of the Federal Rules of Criminal Procedure in the United States and the Investigatory Powers Bill promoted by Theresa May in the United Kingdom. Both permit or legalize massive invasions of privacy. Nobody questions that a criminal threat exists, whatever its motivation. However, legislation of this kind further weakens the security of IT products that are already under heavy fire, as current events such as the Google hack or the attack on Telekom routers in Germany demonstrate.
At last, influential policymakers are slowly waking up to the damage unsecured IoT devices can cause. Recent attacks on high-profile targets, carried out through compromised cameras and routers, have attracted a lot of attention. Some of the issues will not be solved until manufacturers improve the security of their products. However, many attack vectors could be eliminated easily with appropriate precautionary measures. The German Federal Office for Information Security (BSI) is currently drafting a new module to address IoT device security. Although it does not refer to specific manufacturers or technologies, the draft describes how IoT devices can be secured so that they cannot be manipulated or accessed without authorization, whether to compromise data and IT security within an organization or to attack other organizations.
Another first for 2016: at the weekend, an unprecedented event left significant numbers of Deutsche Telekom customers with impaired internet access or no internet access at all. As is now widely known, the outage was caused by a malicious attack, and a not entirely successful one, rather than by a technical fault. The attackers attempted to exploit the TR-069 remote-management protocol used on customer routers in order to add the devices to a botnet. 900,000 users are reported to have been affected.
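The practical question for anyone operating a network edge is whether a wave of this kind is hitting their own routers, and the answer is visible in the firewall log before any device is actually compromised. The following is an added example, not code from the original page or from Deutsche Telekom: it parses iptables-style LOG lines and flags a burst of connection attempts from many distinct sources against one port. The port number 7547 (the TCP port TR-069/CWMP uses for connection requests), the log format and the sample lines are all assumptions constructed for the example; real log formats will need the regular expression adjusted.

```python
"""Flag a scanning wave against a router's remote-management port.

Added example.  SAMPLE_LOG is constructed to resemble Linux iptables LOG
output; the CWMP port number is an assumption, not something the text states.
"""
import re
from datetime import datetime, timedelta

# Assumption: TR-069/CWMP connection-request port.  Change for other services.
CWMP_PORT = 7547

# Constructed sample: a burst of SYNs from several sources to TCP/7547 on the
# WAN interface, mixed with ordinary traffic to other ports.
SAMPLE_LOG = """\
Nov 27 14:02:11 gw kernel: WAN-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40211 DPT=7547 SYN
Nov 27 14:02:12 gw kernel: WAN-IN: IN=eth0 OUT= SRC=203.0.113.17 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=7547 SYN
Nov 27 14:02:12 gw kernel: WAN-IN: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.7 PROTO=TCP SPT=60001 DPT=443 SYN
Nov 27 14:02:13 gw kernel: WAN-IN: IN=eth0 OUT= SRC=203.0.113.88 DST=198.51.100.7 PROTO=TCP SPT=33300 DPT=7547 SYN
Nov 27 14:02:13 gw kernel: WAN-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40212 DPT=7547 SYN
Nov 27 14:02:14 gw kernel: WAN-IN: IN=eth0 OUT= SRC=198.18.0.9 DST=198.51.100.7 PROTO=TCP SPT=44444 DPT=7547 SYN
Nov 27 14:02:15 gw kernel: WAN-IN: IN=eth0 OUT= SRC=198.18.0.10 DST=198.51.100.7 PROTO=TCP SPT=44445 DPT=7547 SYN
Nov 27 14:09:40 gw kernel: WAN-IN: IN=eth0 OUT= SRC=192.0.2.45 DST=198.51.100.7 PROTO=TCP SPT=50002 DPT=22 SYN
"""

# Syslog timestamp, source address and destination port of an iptables LOG line.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"\bSRC=(?P<src>\S+) .*?\bDPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, source, destination port) or None for non-matching lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # Syslog lines carry no year; relative ordering is all the window logic needs.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("src"), int(m.group("dpt"))


def events_for_port(log_text, port):
    """All (timestamp, source) pairs for connection attempts to the given port."""
    events = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] == port:
            events.append((parsed[0], parsed[1]))
    return events


def detect_scan_wave(log_text, port=CWMP_PORT, min_sources=5, window_seconds=60):
    """Return (is_wave, peak) where peak is the largest number of distinct
    sources that hit `port` within any window of `window_seconds` seconds.

    Many distinct sources in a short window is the signature of a worm-style
    sweep rather than a single misconfigured client retrying.
    """
    events = sorted(events_for_port(log_text, port))
    peak = 0
    for i, (start, _) in enumerate(events):
        limit = start + timedelta(seconds=window_seconds)
        sources = {src for ts, src in events[i:] if ts <= limit}
        peak = max(peak, len(sources))
    return peak >= min_sources, peak


if __name__ == "__main__":
    for port in (CWMP_PORT, 443, 22):
        wave, peak = detect_scan_wave(SAMPLE_LOG, port)
        print(f"port {port}: peak distinct sources per minute = {peak}, wave = {wave}")
```

The threshold and window are deliberately parameters: on a single home router five distinct sources in a minute is already suspicious, while on an ISP aggregation point the baseline is much higher and should be derived from historical logs. The check only tells you that the management port is reachable from the WAN and being probed; the remediation is to stop accepting connections on that port from the Internet at all, or to restrict them to the provider's auto-configuration servers.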
More and more devices in doctors' practices and hospitals are connected to networks. Diagnoses and therapies are stored digitally at hospitals, laboratory reports are transmitted over the internet, and hospitals and health insurers communicate digitally. As these systems process highly sensitive patient data, they must meet extremely high security requirements. In practice this has not always worked, with incidents occurring every year (1). The cost of ransomware attacks, which have recently increased sharply in the health sector, is extremely high. In February 2016, extortionists demanded USD 5.77 million from a hospital in California.