The number of Internet of Things (IoT) devices is increasing rapidly. At present, their estimated number across the world is 27 billion devices. It is predicted that in 2025 the number will be 75 billion. IoT devices have significantly changed the functioning of homes, offices, smart buildings and manufacturing plants as well as environmental surveillance. For example, many household devices such as TV sets, refrigerators, freezers, coffee machines and electric kettles, washing machines, robot vacuum cleaners and lawnmowers, and alarm systems are connected in the Internet of Things. These devices can often be controlled by an application installed on a smartphone or tablet.
The online connections of these utilities also bring along cyber threats. Cyber-attacks through IoT devices can dramatically jeopardise our security and privacy. Moreover, IoT devices can be used, without their owners’ awareness, to perform cyber-attacks against critical infrastructure, for example. This is possible because the cyber security of IoT devices is not always adequate. This is due to many factors, such as:
- limited device resources
- trade-offs in cyber security features for cost-saving reasons
- focusing on usability and functionality instead of security
- manufacturers’ contradictory cyber security views and demands
- fragmented standardisation, regulation and implementations
- device interfaces that do not always support traditional updating mechanisms
- lack of design expertise
- manufacturers’ ambiguous liabilities in cyber security violations.
Poor cyber security design and implementation leave vulnerabilities. These may open routes to the network for troublemakers, who are often organised bodies. They can interfere with the functions therein, proceed to other networks through a hacked one, hide there for long periods and use or steal data available in the system.
They can use hacked IoT devices, for instance, to steal credit card data through a fridge that orders foodstuff online, to collect video material through the camera of a robot vacuum cleaner or to tamper with the local heating system.
Poor implementation is illustrated in a software analysis that GCHQ (Government Communications Headquarters, UK) made concerning a 5G system supplier; the report stated that besides the device supplier, anyone could hack the system. Often, 5G has also been referred to as the network infrastructure for IoT devices.
Some manufacturers may also create vulnerabilities on purpose, which they or some other bodies, such as a state, an intelligence organisation or organised crime, can exploit. Vulnerabilities are unnoticeable to the user.
Users should also be prepared for the possibility that a manufacturer collects personal information without permission.
We can respond to vulnerabilities by means of appropriate proactive system design that takes cyber security duly into account.
In such cases, the cyber security functions are constructed at the design phase as an integral part of the system, so that the devices and systems can cope even with elaborate cyber-attacks. Such design draws on knowledge gained about various vulnerabilities, threats, effects of attacks, motives of the attackers, and targets of the malicious actions.
The writer is a Professor of Practice in cyber security in the Faculty of Information Technology, University of Jyväskylä.