What does the future of IoT look like?

Why are IoT devices so popular, what’s driving all the excitement around them? 

More and more manufacturers are finding that they can deliver and monetise services on connected devices. The devices themselves become a platform on which much more profitable software and services can be delivered to customers, including new introductions that don't require the significant investment and risk of building new hardware platforms. It provides a faster and more secure way of providing services to customers which otherwise would not have been possible before.

With so much hype around IoT, what impact do you think it is having on businesses? Why do so many of us feel the need to be connected? 

We have come to rely on connected devices, from smart TVs to connected industrial machines, IoT is designed to make our lives better and more efficient. More and more people, and businesses, use IoT devices (as seen in the figures above) and it is becoming more apparent that organisations will need to embrace them in order to conduct their business and stay relevant. This includes being connected to their customers as well as their suppliers – a business who isn’t connected is now considered outdated and possibly can’t keep up with the same demand other businesses who use IoT devices can. 

IoT allows people to have clarity into parts of their lives that they weren’t able to before the existence of connected devices and IoT. Connectivity makes everything in our lives easier and to be able to monitor parts of our home, for instance, can only be seen as a benefit. The more businesses and organisations use connected devices to connect to their products and their customers, the more consumers will feel the need to be part of a connected world.

The connectivity of our devices gives us the ability to derive new value from existing investments. When we buy a device that is not connected, that device serves its known purposes through its life. With connected devices, new services and new uses can be realised with lower investment in software and service changes. Additionally, connectivity to our data provides value to consumers and businesses alike.

Why do connected devices need to share data? 

Connected devices use the IoT to connect the device to the data. So sharing this data is all done through the IoT. Through IoT, businesses have more access to the data they own and the performance of the products they have which means it is easier to make any necessary changes that need to be made. It also means teams within a business can better communicate with each other which reduces the time spent on trying to navigate around business needs and changes and instead increases productivity.

The data connected devices share can be used for a multitude of purposes, and devices that collect data enables beneficial services and value, such as the sharing of WiFi or bluetooth between one connected mobile and another. This is just one beneficial cause of sharing data, without which, the ease and sociability which it provides, would be lost. IoT creates and sends data so that it can be consumed by the consumer. 

Why should organisations be concerned about the potential for cyber-attacks targeting IoT devices? 

The trouble with IoT is that there are often many devices connected to one system and as these IoT devices contain such a vast amount of our most sensitive data, it is an attractive target for attackers. 

Despite all the advantages of IoT devices, there are many security risks that organisations should be aware of and concerned about. Connected devices have multiple unique factors that make them appealing targets for cyber criminals with a number of vectors that can be utilised to enable an attack. This includes the device hardware and firmware, specifically in a greater form-factor, inter-system connectivity.

Depending on the use case, an attack can be devastating (such as medical, automotive, or industrial use cases). Furthermore, attacks to steal data en masse can create longer term impacts to security and privacy that are not obvious at the time of the loss.

How do cyber criminals attack connected devices? 

Cyber criminals attack these IoT connected devices through multiple avenues including the device software, the device controller, as well as the communication to and from the device. Therefore, these three areas should be the principal targets for security teams. As they are the most vulnerable to attacks, it is essential that teams are vigilant when securing them. They should also ensure they continue to uphold this security throughout the software process in order to maintain that their device, and therefore their customers, are safe.

By targeting a device’s communications systems or the interfaces between systems, cyber criminals may be able to acquire keys and other data that is primarily used for authentication and identification of legitimate controllers. Furthermore, if the connected device uses standard cryptography to enable secure communications, then getting access and stealing the keys, will allow the cyber criminals to keep attacking systems the connected device is authorised to connect to. 

What are the attack vectors associated with IoT devices? 

Vectors, in many cases, are not well protected.

They can be run in isolation for reconnaissance activities including reverse engineering software and hardware to mount targeted attacks at vulnerabilities of the system and connected systems that will expose data or produce unintended behaviour. The result of this can be devastating. Lack of security with this system means that attackers can come and go as they please and continue collecting data. This is evidence that securing connected devices is critical in order to secure data- without such measures in place, systems will be infiltrated by bad actors, and data will be stolen which means customers trust will be gone, the business reputation lost, and possible a hefty fine will be issued to the organisation.

What can organisations do to protect themselves and defend their IoT devices from cyber threats? 

One way an organisation can protect themselves from cyber threats is to protect their software which is governing IoT devices by ensuring it is equipped with the capability to detect malicious behaviour which may be affecting the code. By implementing this into the software, there should be detection of unforeseen debugging, as well as identification of actions such as instrumentation and interference with the device and controller software.

Application code can implement a variety of defensive actions which slow or frustrate an attacker. Employing code level security is the first step to ensuring safety. By executing code obfuscation, attackers will be hindered in their ability to recognise legitimate intellectual property or cryptographic keys that are embedded in an application source code. Teams should also apply additional security tools to discourage any attacker who may manage to break through the initial security barriers. A layered security approach is beneficial to the entire team and the business because it ensures all areas are covered and secure. Each layer prevents attackers from accessing your company’s data so to be lax on securing your connected devices will only have detrimental effects to your customers, and therefore your business. 

A useful way to alert a team to an attack is to hide triggers within the code that will automatically close when malicious activity is detected. The benefits of this level of security can be seen in connected devices such as vehicles, medical equipment or hardware such as drones because it will protect the software from being corrupted and used to cause any physical harm.

In your opinion, what does the future of IoT look like? 

The future of IoT will start to look more and more like today’s mobile ecosystem, where connectivity is required for functionality and software drives the experience and value. Hardware and platform consolidation will make way for centralised application distribution and updating. This will lead to platform vulnerabilities and opportunities for cross-application (and device) threats.