by Bharat Mistry
The Internet of Things promises to transform the way we live and work. Billions of smart, internet-connected devices will make us more productive, happier and even healthier. But there are risks. For enterprise IT managers and employees alike, there’s a real danger that the commercial pressure to release to market IoT products and platforms will override all other considerations, leading to major privacy and security gaps.
Those concerns are no longer theoretical as a new piece of research showed last week. It should provide serious food for thought for IoT players, end users and IT bosses.
The research from Context Information Security actually focuses on Bluetooth Low Energy (BLE), the newer, lower-powered version of the data transfer standard developed for a new set of applications and devices. It’s featured in iBeacon – a new Apple platform already being used by the likes of BA, House of Fraser and Virgin to fire updates and information at customers as they walk into range. It’s also present in many IoT devices, including wearable technology such as FitBit and JawBone. Because it’s small, low powered and requires a regular stream of updates, BLE is the perfect protocol for these wearables.
Now BLE works by constantly broadcasting so-called “advertising packets”, and the device sending them is identified by the MAC address they carry. Those behind the protocol intended that devices would use “different, randomly generated MAC addresses” so that anyone trying to track a specific device would not be able to for any length of time. However, according to the research, while most devices studied did use a random address, it was fixed. On some occasions even the device or user’s name was visible.
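For IT managers auditing their own fleet, the two findings above (a random address that never changes, and a name sent in the clear) can be read straight off a captured advertising packet. The following Python is an added example written for this post, not code from Context or Trend Micro. It decodes a link-layer advertising PDU as the Bluetooth Core Specification lays it out (a header byte whose TxAdd bit says whether the address is random, then the 6-byte advertiser address least significant octet first, then the advertising data as length/type/value structures), classifies a random address by its top two bits into the fixed “static” kind or the rotating private kinds, and flags any Local Name field. The two sample PDUs are constructed for the example and the names used (`parse_adv_pdu`, `privacy_findings`) are the author’s choice.

```python
"""
Privacy audit of a BLE advertising PDU (link-layer bytes as a sniffer or
test board hands them over).

Reports: PDU type, advertiser address, whether that address is public,
random-static (fixed) or a rotating private address, and whether a
device/user name is broadcast in the clear.

The sample PDUs at the bottom are constructed for this example; they are
not captures from any real device.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Advertising channel PDU types (header bits 0-3), Core Spec Vol 6 Part B 2.3.
ADV_PDU_TYPES = {0x0: "ADV_IND", 0x1: "ADV_DIRECT_IND", 0x2: "ADV_NONCONN_IND",
                 0x3: "SCAN_REQ", 0x4: "SCAN_RSP", 0x5: "CONNECT_IND", 0x6: "ADV_SCAN_IND"}

# AD types (Bluetooth assigned numbers) that carry a human-readable name.
AD_SHORTENED_LOCAL_NAME = 0x08
AD_COMPLETE_LOCAL_NAME = 0x09


@dataclass
class AdvReport:
    pdu_type: str
    address: str            # colon-separated, most significant octet first
    address_kind: str       # public / random-static / resolvable-private / non-resolvable-private
    rotates: bool           # True if this address kind is meant to change over time
    local_name: Optional[str]


def classify_address(addr_msb_first: bytes, tx_add: int) -> Tuple[str, bool]:
    """Classify a 6-byte device address using the TxAdd header bit and the
    two most significant bits of the address (Core Spec Vol 6 Part B 1.3)."""
    if tx_add == 0:
        return "public", False
    top_bits = addr_msb_first[0] >> 6
    if top_bits == 0b11:
        return "random-static", False          # random, but fixed: trackable like a public one
    if top_bits == 0b01:
        return "resolvable-private", True      # periodically regenerated, resolvable with an IRK
    if top_bits == 0b00:
        return "non-resolvable-private", True  # periodically regenerated, not resolvable
    return "reserved", False                   # 0b10 is reserved by the spec


def parse_ad_structures(data: bytes) -> List[Tuple[int, bytes]]:
    """Split advertising data into (type, value) pairs; each structure is
    one length byte (covering type + value), one type byte, then the value."""
    structures = []
    i = 0
    while i < len(data):
        length = data[i]
        if length == 0:
            break  # a zero length ends the data early, per spec
        value = data[i + 2:i + 1 + length]
        if len(value) != length - 1:
            raise ValueError("truncated AD structure")
        structures.append((data[i + 1], value))
        i += 1 + length
    return structures


def parse_adv_pdu(pdu: bytes) -> AdvReport:
    """Decode header, advertiser address and advertising data of one PDU."""
    if len(pdu) < 8:
        raise ValueError("PDU too short for header and AdvA")
    header, length = pdu[0], pdu[1]
    payload = pdu[2:2 + length]
    if len(payload) != length:
        raise ValueError("length field does not match payload")
    pdu_type = ADV_PDU_TYPES.get(header & 0x0F, "unknown")
    tx_add = (header >> 6) & 1
    adv_a = payload[:6][::-1]  # sent least significant octet first; flip for display
    kind, rotates = classify_address(adv_a, tx_add)
    name = None
    for ad_type, value in parse_ad_structures(payload[6:]):
        if ad_type in (AD_COMPLETE_LOCAL_NAME, AD_SHORTENED_LOCAL_NAME):
            name = value.decode("utf-8", errors="replace")
    return AdvReport(pdu_type, ":".join(f"{b:02X}" for b in adv_a), kind, rotates, name)


def privacy_findings(report: AdvReport) -> List[str]:
    """The two problems the Context research describes, as audit findings."""
    findings = []
    if not report.rotates:
        findings.append(f"address {report.address} is {report.address_kind}: "
                        "it does not change, so the device can be followed over time")
    if report.local_name is not None:
        findings.append(f"name broadcast in the clear: {report.local_name!r}")
    return findings


# Constructed sample 1: ADV_IND (type 0) with TxAdd=1, random-static address
# C0:11:22:33:44:55, Flags AD structure, then a Complete Local Name.
_NAME = b"Demo Wearable"
SAMPLE_STATIC_WITH_NAME = (
    bytes([0x40, 6 + 3 + 2 + len(_NAME)])
    + bytes([0x55, 0x44, 0x33, 0x22, 0x11, 0xC0])     # address, LSB first on air
    + bytes([0x02, 0x01, 0x06])                       # Flags
    + bytes([1 + len(_NAME), AD_COMPLETE_LOCAL_NAME]) + _NAME
)

# Constructed sample 2: ADV_NONCONN_IND (type 2) with TxAdd=1, resolvable
# private address 5A:... (top bits 01), Flags only, no name.
SAMPLE_RPA_NO_NAME = (
    bytes([0x42, 6 + 3])
    + bytes([0x66, 0x77, 0x88, 0x99, 0xAA, 0x5A])
    + bytes([0x02, 0x01, 0x06])
)

if __name__ == "__main__":
    for sample in (SAMPLE_STATIC_WITH_NAME, SAMPLE_RPA_NO_NAME):
        report = parse_adv_pdu(sample)
        print(report)
        for finding in privacy_findings(report):
            print("  finding:", finding)
```

Run against PDUs from a device you own and the output tells you in one line whether it behaves like the “fixed random address” devices in the study; a device that rotates its address and advertises no name produces no findings.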
As if that wasn’t enough, the researchers claimed that it’s possible to detect Bluetooth packets half a mile away using a “high gain directional antenna”. After spending just half an hour outside Canary Wharf underground station, the research team had “discovered” 149 devices, including 26 FitBits, two JawBones, two Nike products and many iPhones.
Why should I care?
Apart from the privacy issues that arise from wearables broadcasting potentially sensitive personal health and other data over unsecured channels, there are serious cyber security questions to be answered. If an individual can identify and track your movements, or the movements of senior executives, from half a mile away, it opens up the possibility of hackers carrying out “physical crimes” such as blackmail or robbery.
There’s also the potential for them to use information about a particular user, their location at specific times of the day and any related data that might be generated to help with social engineering. Think that’s too convoluted? Think again. If cybercriminals have taught us anything over the past few years it is that they are a determined and resourceful bunch. Social engineering is one of the favoured tools of the seasoned hacker. If a targeted attacker is prepared to research a victim’s work and personal life online to make their spear phishing email look convincing enough to open and click into, they can surely put in time to monitor an employee via their IoT device.
What should we do?
We should clearly all be more cautious about IoT devices, and the data they collect and transmit. Trend Micro polled 800 IT leaders in Europe and the Middle East a few months back and found that 90% said their security policies would need to change to account for wearable devices. More than half claimed their firms needed to limit what kind of data these devices were allowed to capture.
But time’s running out. Some 79% said they had seen the use of wearables in the enterprise increase. There’s a real risk that, just like smartphone and tablet-related BYOD, IT managers find themselves in the impossible position of somehow having to secure a plethora of disparate device types which are taken for granted by employees. IoT raises serious security and privacy concerns, potentially exposing businesses to greater risk.
For starters, IT managers should consider the following:
- Do a quick audit to see what employees are using
- Do a risk assessment on these devices, the data they collect and how they transmit that data
- Create policies around what data can be collected
- In highly regulated/sensitive environments it may be advisable to institute a total ban on certain types of wearable tech
The Internet of Things is sure to be a major theme of this year’s Infosecurity Europe conference in London from 2-4 June. Now in its 20th year, the show will host over 15,000 industry professionals from over 70 countries worldwide and more than 340 vendors – including Trend Micro. So if you’re attending, come down to our STAND D60 to find out more.