As the number of connected devices continues to rapidly grow, we are looking at billions of tech products entering the market in the next few years. But what does this mean for user security, and how can retailers be confident in the security aspects of new tech they sell? Laura Barnes asks the experts…
Within the next three years, it is predicted that there will be more than three times as many networked devices on Earth as there are humans. That’s according to Cisco’s Annual Internet Report analysis and forecast, which predicts that there will be 29.3 billion networked devices by 2023, up from 18.4 billion in 2018.
With literally billions of new internet-connected devices in our very near future, cybercriminals have an abundance of avenues to explore. So how are security vendors and tech manufacturers ensuring new tech and future technologies are as secure as they can be? And which emerging tech is in need of the most robust security from the start?
“Any technology that has the potential to touch the lives of humans needs to have security built-in by design, but if we had to single out one area it is the security of AI,” Fiona Boyd, head of cyber-security operations at Fujitsu EMEIA, tells PCR.
“It is seen as an enabler for many things including cybersecurity, but there is a surprising lack of focus on the security of AI itself; AI security is a problem as AI models are still fairly insecure and therefore vulnerable to attack. Malicious hackers could conceivably exploit this to intervene in the training process of an AI device or system and use this to their advantage. For example, an AI system that analyses behaviours could be taught to ignore certain ones that it should be observing, potentially creating a fundamental flaw in a physical safety or security system.”
Marcus Whittington, COO at SentryBay, agrees that AI is the one to watch, along with its offshoot technologies: “There are so many emerging technologies and all of them are in need of security, but to pick out those we would want particular attention to be paid to: artificial intelligence, driverless cars, 5G, IoT, intelligent apps, robotic process automation and big data.”
Tom Gaffney, principal consultant at F-Secure, explains in more detail why devices connected to Wi-Fi are such a fruitful target for cybercriminals.
“We are in a transformative age, with waves of innovation in connectivity and computing. Faster Internet connections are connecting cities, homes and communities with unprecedented speeds. The faster speeds are driving always-on connectivity for a panoply of new devices from industrial control to assembly lines and basic consumer goods like toasters and fridges,” he tells PCR.
“The explosion in these devices was driven by several megatrends: 1. Ubiquitous connections, and Wi-Fi everywhere. 2. Improved silicon, that meant computing devices fit on the smallest of objects and can include Wi-Fi chips, plus sensors and actuators. 3. Massive reduction in the cost of data storage and machine learning and that can process data on a massive scale.
“This has led to a situation where there are more connected devices on the planet than there are humans. What makes it an issue in security is that many of these devices are not made with security in mind and they don’t have standard security practices,” explains Gaffney.
“For example, a third of IoT vulnerabilities come from these consumer goods having either no password, or a default password, which users are not encouraged to change. Many of these devices don’t have a software update policy meaning vulnerabilities can’t be patched.
“Hackers are targeting these IoT devices and we’re seeing the results. Our security cloud monitors attacks around the globe and the significant shift we’ve seen in recent months is that, in terms of volume, there are more attacks coming from devices running Linux than Windows. This is a first and is directly driven by this explosion in IoT devices which use the Linux platform.”
Security from the start
So, what are manufacturers doing to keep these devices as secure as possible from the get-go?
Fujitsu’s Boyd says that the importance of cybersecurity in networked devices is being recognised by manufacturers and regulators; in fact, the UK government even recently announced plans to legislate minimum security standards.
“Whilst this is a positive step, manufacturers wanting to implement effective ‘security and privacy by design’ need to ensure that the devices regularly prompt users to follow good cybersecurity practices,” she says. “This includes simpler processes such as regular prompts to change passwords, through to more sophisticated approaches that constantly update software to ensure the device is protected.”
SentryBay’s Whittington agrees: “There are secure coding practices which are useful and are now widely used, but getting the architecture optimal from a security standpoint initially is the most important factor. If the application is to be used widely it often requires ‘interoperability’ which in itself sometimes leaves vulnerabilities for attackers to exploit. This was a fundamental issue in Windows OS and a lot of other applications that are required to work alongside other software.
“Unfortunately there is as much invested by highly talented and resourced cybercriminals in breaking technology as there is by vendors in making it more secure. Fundamentally, if the architecture can be designed with security in mind, that is the best defence – then testing those defences regularly with penetration testing and white-hats is also important.
“Because the applications often require input of data from end-users from a multitude of sources/devices, and the fact that data is so valuable to cybercriminals, then there are often vulnerabilities that relate to both the data input as well as the application itself,” he says.
F-Secure’s Gaffney notes that it is also important to focus on the security of the home network these devices will be connected to.
“Historically as an industry, we’ve supported customers through point solutions on the device itself. This is still the best level of protection you can get but it doesn’t scale for the connected home devices.
“We will never make anti-virus for a toaster, so we see the best answer is to provide protection through the home gateway by providing a security agent that runs in the router to protect the network in the home. This, combined with endpoint security for personal devices (mobile phones, tablets and laptops) offers the best level of protection against the various threats,” he tells PCR. “And the seamless bit is the important one here – the most important element is making it easier for customers to centralise security for the end-user by reducing the need to run multiple security products, to merge protection.”
Selling with security confidence
With many examples of emerging technology being rushed to market without proper attention paid to security, what can retailers and resellers do to ensure the new tech they are selling to customers is as secure as it can be?
“Often security is an after-thought, to be rectified in later versions of a product,” says SentryBay’s Whittington. “The IoT field has seen this pattern on many occasions. Retailers and resellers need to question what security practices and testing have been undertaken on the solution, and actually see the results of those tests. They need to understand what the roadmap is and whether the software is being developed with security concerns in mind.”
He adds: “They should also consider how the software is planning to be improved or adapted to deal with the proliferation of data; data input, storage and transfer; types of endpoints (and the implications of this on application and data security) and how users will use the application in every use case.”
F-Secure’s Gaffney believes that the first thing retailers should do is ensure the products are coming from a reliable supplier.
“Testing security solutions is complex but there are some good independent test houses (such as AV-TEST) that run transparent tests against security companies’ products and provide a reliably independent view on whether a security product is performing the job it’s supposed to,” he suggests.
“Of course, references for the security are essential as well; the security market has seen a lot of innovation in recent years with many new entrants to the market, so one consideration should be looking at stability and funding of any potential supplier so you can have confidence the services will still be available in years to come.”
Fujitsu’s Boyd points out that security and privacy are expected by consumers, noting that anything that a retailer or reseller wants to sell has to provide the necessary levels of security that a customer wants, and “perhaps has not even considered”.
“Retailers need to understand what levels of security the products they are selling offer across all aspects of usage. Wearable fitness trackers that monitor health are a prime example; whilst the physical hardware may be secure, that device does not fulfil its purpose without the cloud-enabled part of that offering.
“The data being generated by that device can potentially be tied to an individual and reveal sensitive information such as the wearer’s location and the state of their health.” She warns: “If the cloud platform that holds that data is not secure and sensitive, then if data is leaked, retailers could be left with unwanted stock of the devices as demand is impacted.”