In part three of this four-part cyber security webcast with SearchCompliance.com, infosec strategist and CISO Demetrios Lazarikos talks about IoT security issues and the fear surrounding IoT vulnerabilities.
There is a lot of fear, uncertainty and doubt generated from IoT security issues, Lazarikos said. "Some organizations have been embracing this technology, saying, 'What can I do next from a business standpoint?' But there are controls that have been either bypassed, or for whatever reasons, missed during the product release cycle."
A look at recent news stories can reveal just how far hackers are able to go if they manage to exploit IoT security issues, Lazarikos said. One example of an IoT exploit is a smart refrigerator hack. "What we've seen from the cybercriminal ecosystem is [hackers] want the data that is used on the refrigerator," Lazarikos explained. Hackers don't care about using a smart fridge to launch a DDoS attack; they target the user information contained on the fridge itself.
According to Lazarikos, one of the most prominent IoT security issues is the problem with individuals using the same login credentials for everything. "My experience has been that most individuals use the same user ID and password for multiple websites," Lazarikos said. "Because of that, most individuals would then use the same user ID and password on their IoT devices or their appliances."
This was the problem that left smart fridges vulnerable to hacking. If a hacker manages to get access to a user's credentials, such as their Google account information, there is a chance that their Google account credentials are the same as their online bank account credentials. "If I was able to acquire a user ID and password from this refrigerator ... I could use that user ID and password to log in to the bank," Lazarikos said.
The final IoT exploit that Lazarikos discussed was the case of a remotely hijacked car. A software bug was discovered in some Jeep Cherokee vehicles that allowed hackers to remotely hijack the car via the internet and control its steering, transmission and even the brakes. After the hack was made public by two cybersecurity experts, Jeep recalled 1.4 million affected vehicles.
"A lot of these technologies have to go through some rigorous vetting with regulators, so for medical devices and for automobiles, there is a lot of time that has to be spent in looking at how that device or how that system will be approved and rolled out," Lazarikos said. He pointed out that because it takes a long time for these systems to gain approval from regulators, such as the Department of Transportation or the FDA, companies must keep this long timeline in mind in case a problem comes up and a security vulnerability is detected.