The Internet of Things is poised to become as revolutionary as the Internet itself, but there are some major threats that must be dealt with first. J.J. Thompson, the founder of the cybersecurity firm Rook Security, spoke with The Cipher Brief about how ransomware could impact the Internet of Things and the need for industry to ensure that networked devices are secure.
The Cipher Brief: Some of our readers may be unfamiliar with the Internet of Things (IoT). Can you provide a brief overview of what it is?
J.J. Thompson: The IoT is comprised of devices that are not traditionally considered computers or network devices. These are items such as a networked thermostat for your home, networked security cameras, and even children’s toys. These devices typically include an embedded operating system that allows them to receive configuration updates and send information to a central control system.
TCB: How would you expect IoT devices to be affected by ransomware or similar types of malware? What effect could this have on the development of the IoT overall?
JT: IoT devices are particularly vulnerable to malicious actors due to their design. They are often accessible from the public Internet by default and do not typically have an update schedule. This means that any vulnerabilities that were in place at the time they were manufactured will exist across the entirety of the production line.
Additionally, since they are configured by default to be accessible from the Internet, those vulnerabilities may be leveraged remotely. The base operating systems are frequently modified versions of Linux or the Android open source operating systems. These systems have had numerous vulnerabilities identified and remediated, but an IoT device without an update and patch mechanism will continue to be susceptible to those attacks.
TCB: What can be done to mitigate the risk of ransomware disrupting the development of the IoT?
JT: An easy step to help protect IoT devices is to configure their network access so that they are separated from the network that a consumer uses for day-to-day activities. This will prevent an attacker from being able to pivot from a compromised IoT device into the network where a user will have home computers that are used for banking, social media, etc.
Another step is to ensure that the network these devices are on is not directly accessible from the Internet. For example, if a consumer wishes to use a networked home thermostat, they should use a virtual private network (VPN) or otherwise securely connect to their home network to configure it, rather than connecting to it directly via the public Internet.
TCB: It seems like society as a whole is becoming much more heavily networked. Given that trend, is there a role for the government in helping to address threats to the IoT? How can government and industry better work together in this area?
JT: The burden for securing IoT devices rests predominantly on industry to ensure that the applications and devices that they manufacture are adequately secured and have an ongoing update and maintenance schedule. It is frequently the case that an IoT device will have no update or patching plan from the manufacturer. This allows the IoT production company to save money by not maintaining a support plan for its clients.
Source: The Cipher Brief