This is an opinion piece written using Australian English spelling. Please read at your leisure.
There is no denying the outright benefits of The Internet of Things (IoT). The IoT is a Life-Productivity-Enabler. Connecting smart objects with other smart objects, to do smart stuff, makes us a smart world.
In embracing the power and advantages of the IoT platform evolution, we should ensure that we take a considered approach, so that we deserve the right to wield the IoT double-edged sword. If it is not used properly, it can do real damage to the user and to our critical infrastructure, whether that is a key part of your home network or our work intranet.
The advantages of the digital revolution have turned conveniences into dependencies. If you’re not convinced, let’s do a thought experiment to get a feel for just how technology has become a critical aspect of our lives. On your way home, after a long day at work, you are waiting at the train station, minding your own business, focused on the profound statements of a friend on your mobile phone. A stranger runs past, snatches it from your hands and runs off, oblivious to your shock. Everything you know is stored in your phone; your phone is a digital extension of you. It’s your life. Now consider that the smart device driving your life will soon be your front door, your car, or your pacemaker: your “life”. A word that soon comes to mind that is not an obvious expletive: Disruption.
If the IoT is disrupted, that disruption can be used to seriously disrupt your life and make for a very bad and disappointing day, to say the least. As with all networked entities, this disruption can propagate at light speed to connected friends, family or work colleagues. On 27 Sep 16, The Hacker News reported the world’s largest 1 Tbps DDOS attack, launched from 152,000 hacked smart devices (see http://thehackernews.com/2016/09/ddos-attack-iot.html?m=1). For those new to the security world, the acronym “DDOS” expands to Distributed Denial of Service.
How is a DDOS attack from 152,000 smart devices possible? In the end it distils to something very simple, and very human. It can be made possible through a lack of due care on the part of the Original Equipment Manufacturers (OEMs) making the exploited smart devices. In this case, the manufacturers reused the same set of hard-coded Secure Shell (SSH) cryptographic keys, leaving their “smart” devices vulnerable to unauthorised access and manipulation. Once a device with a sufficient level of “trust” is hijacked by a threat actor on a network, it can be leveraged as a pivot point to hijack another “trusted” device, and so on it goes. The threat actor can pivot off a cyber-vulnerability, expand the attack surface by leveraging cyber trust relationships, and use the cyber-infrastructure to launch catastrophic attacks or exploits against cyber-critical infrastructure at decisive moments. That potentially makes for an extremely sad day indeed for our customers, shareholders and ourselves.
In this instance, the DDOS attack could have been avoided with appropriate security controls implemented by the OEM, such as a formal policy against cryptographic key reuse, and validation controls to ensure that devices do not share cryptographic keys.
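The validation control mentioned above, as an added example that is not part of this article: a small fleet audit that reads `ssh-keyscan` output, computes the OpenSSH SHA256 fingerprint of each host key, and reports any key that more than one device presents. The hostnames and key blobs are constructed placeholders, not real keys.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed sample in ssh-keyscan output format: "host keytype base64-blob".
# The blobs are placeholder strings, not real keys; cam-01 and cam-02 present
# the same blob, modelling a hard-coded key shared across a product line.
SAMPLE_SCAN = """\
# cam-01.example:22 SSH-2.0-placeholder
cam-01.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7fakekeyONE00
cam-02.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7fakekeyONE00
cam-03.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7fakekeyTWO00
"""


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded key blob, base64, no padding."""
    blob = base64.b64decode(blob_b64 + "=" * (-len(blob_b64) % 4))
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str):
    """Yield (host, keytype, blob) from ssh-keyscan output, skipping comment lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # banner lines written by ssh-keyscan start with '#'
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, ignore
        yield parts[0], parts[1], parts[2]


def find_shared_keys(text: str) -> dict:
    """Map fingerprint -> sorted hosts, keeping only keys seen on two or more devices."""
    hosts_by_fp = defaultdict(set)
    for host, _keytype, blob in parse_keyscan(text):
        hosts_by_fp[fingerprint(blob)].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in find_shared_keys(SAMPLE_SCAN).items():
        print(f"{fp} shared by {len(hosts)} devices: {', '.join(hosts)}")
```

Running the same check over a fresh `ssh-keyscan` of the fleet before acceptance testing catches a shared factory key before the devices reach the network.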
As digitised platforms increasingly converge to improve productivity and value within our business, we will need to continue to work hard to ensure that we have the appropriate security controls implemented to compensate for a potential lack of due care by our technology suppliers. Noting our necessary and growing dependence upon technology to win productivity gains, we take calculated risks each day to increase value to our business and for our customers.
It is important to be aware, when the business embarks on a new project or deals with external suppliers, that a cyber security professional is at hand to provide appropriate expertise to minimise the enterprise risk profile.
Is this true for your business?