The S in IoT is for Security: Smart Devices or Dumb Devices?


We are living in a time where technology is playing a large role in controlling how we interact with information, and furthermore, we are changing human interaction forever. This isn’t necessarily a bad thing, but we must dig deeper as to how much control are we inadvertently giving up because of this initiative.

The Internet of Things [IoT] is built on the principles that scalability and availability remain the top priorities of the technologies that can be found under this terminology. The fact that a security layer is usually missing from these devices (by default), is because the essence of security directly conflicts with the aforementioned two principles. By adding a security stack, you drastically reduce the possibility of high availability, as authentication and thorough inspection is required to achieve a level of trust.

Here is an example; you go downtown in any major city and turn on the wireless function on your smartphone. Most companies will offer a free wireless connection as one of many ways to entice you to stay nearby and potentially purchase additional merchandise.

These connections will be open 24/7 and to all devices. Open networks are targets for attackers because of the prize of data that can reside within such a network, and the opportunity of maliciously altering the router for additional gain. By default, weak services and credential pairs are deployed with an off-the-shelf router, as this enhances the ease of setup. It is implied that the end user will take it upon themselves to change default credentials and disabled services once the device is configured – this is a huge assumption and we all know that infamous saying.

Let’s amplify this to smart technologies that can cause potential harm to human life; such as smart-enabled vehicles, thermostats, and drones. We entrust that these very common consumer products will be secure yet still abide by the principles of scalability and availability, but how easy is it to compromise one of these devices? The answer – easier than you might think.

Vehicles that have smart-enabled features employ the use of a Controller Area Network [CAN] bus.

This protocol does not support a security stack to remain lightweight, and thus is susceptible to many types of attacks; namely man-in-the-middle [MITM]. It is again assumed that manufacturers will employ a greater security standard on top of this technology to enhance its overall security resilience.

Thermostats and drones fall into a different yet similar security risk, as default configurations of said technologies are also susceptible to attack. Built on the general assumption that consumers understand cybersecurity risks, is a colossal risk in and of itself. Industry common knowledge still points at the end user being the least educated on risk and thus susceptible to age-old attack vectors, such as social engineering. Releasing technologies with little or zero security in the hopes that the user is aware of how to employ such controls is clearly the wrong approach – yet this is the path we are on.

Stay tuned for a deep dive on the insecurity of IoT!

We must be vigilant, we must be ready, and most of all, we must be educated!

Adam Zimmerman, Security Solutions Architect

CDW Canada

With over six years of experience in the technology industry, Adam’s experience covers information security operations, cyber security advisory, penetration testing, and advanced exploitation. Adam’s primary focus is  helping organizations build strong security practices and prepare for potential attacks.

Adam holds a Masters in IT Security from the University of Ontario Institute of Technology, where he successfully developed a malware classification tool with a security firm based in Ottawa.  Additionally, he has worked on several cyber consulting engagements as a lead security researcher and was able to develop an exploit for the FAA’s NextGen Air Traffic Control Management System.

Adam currently serves in the Canadian Armed Forces as a Second Lieutenant where he holds a  command position as a Troop Commander for 32 Combat Engineer Regiment of Toronto; specializing in mobility denial and facilitation, tactical breaching, controlled munitions disposal, and various humanitarian support operations.