Man-in-the-Middle Exploits and the IoT

There are roughly 25 billion smart devices and objects busily gathering data and beaming information back to their respective motherships (and business partners). That’s up from 7 billion things a mere five years ago.

And five years from now? The consensus is that 50 billion things will be interconnected, merrily gathering data, making our lives easier and transforming the world into a malicious hacker’s magic kingdom.

Unfortunately, research by OpenDNS confirms that Internet of Things devices do create new opportunities for attackers to remotely exploit organizations. According to the OpenDNS report, 23 percent of organizations surveyed have no controls to prevent unauthorized devices from connecting to the corporate network. OpenDNS also discovered that some computing ecosystems hosting IoT devices weren't patched against old, well-known vulnerabilities such as FREAK and Heartbleed.

The US Federal Trade Commission (FTC) has signaled its strong interest in bringing privacy enforcement to the so-called Internet of Things (IoT) with the release of its "voluntary standards" report. We put those two words inside quotes because, while the standards are voluntary right now, it's a safe bet that they will be used in courtrooms as a basis for determining whether a manufacturer abided by industry best practices.

The FTC defines the IoT infrastructure as “the ability of everyday objects to connect to the internet and to send and receive data.”

In addition, the FTC worries about how secure all of this data is and wants Congress to consider legislation to enforce security standards. But the agency also really wants to establish some guidelines on what companies will be doing with the data that they collect from devices.

The report notes that the FTC studied 12 mobile fitness apps and found that the apps shared data with 76 separate entities. Such data should not be usable by insurers to set health, life, car, or other insurance premiums, nor should it be utilized to make hiring, credit, housing, or other types of economic decisions.

Congress shouldn’t consider implementing IoT-specific legislation at this time, the FTC says, but should focus on implementing legislation concerning data security protections ASAP.

“In the future, the Internet of Things is likely to meld the virtual and physical worlds together in ways that are currently difficult to comprehend,” noted the FTC report. “Staff believes (data security) legislation will help build trust in new technologies that rely on consumer data, such as the IoT. Consumers are more likely to buy connected devices if they feel that their information is adequately protected.”

“Such legislation should be flexible and technology-neutral, while also providing clear rules of the road for companies about such issues as when to provide privacy notices to consumers and offer them choices about data collection and use practices.”

Not everyone agrees, including FTC commissioner Joshua D. Wright, who stated in a dissenting opinion that it was counterproductive to establish “industry best practices and recommendations for broad-based privacy legislation without analytical support to establish the likelihood that those practices and recommendations, if adopted, would improve consumer welfare.”

Wright added that “though an agency’s recommendations regarding industry best practices do not carry the force of law, there is a very real danger that companies may reasonably perceive failure to achieve those practices or to adopt such recommendations as actionable. Where an agency’s recommendations regarding best practices are not supported by cost-benefit analysis, firms may respond by adopting practices or engaging in expenditures that make consumers worse off.”

Obviously, this issue is far from settled and the discussions will continue for the foreseeable future. It’s likely that the generally accepted best practices and ways to protect collected data will come from industry trade groups, while privacy and permission concerns will eventually be determined by local, national, and regional data privacy regulations.

If you're concerned about the impact that all of these "things" can have on your organization's security profile, especially if your company allows BYOD, our Security Awareness Training helps boost an organization's information security posture by increasing employees' understanding of security threats and the damage they can cause. An educated workforce is one of your best defenses against security breaches.