A False Sense of IoT Security?
May 05, 2022I have multiple Google Alerts keeping me apprised about announcements regarding radio frequency identification (RFID), Near Field Communication (NFC), Bluetooth Low Energy (BLE), real-time locating systems (RTLS) and other Internet of Things (IoT) technologies. Google Alerts lets people receive emails when new results for user-specified topics show up in Google Search. I receive daily alerts about product releases, pilots, deployments, standards and other developments, allowing me and RFID Journal reporter Claire Swedberg to find interesting angles to write about.
Typically, the articles I see in Google Alerts depict the IoT sector and the innovative technologies it encompasses as enjoying an era of unprecedented growth. Every now and then, though, the alerts cause me to raise an eyebrow. One of my alerts is for the term "Internet of Things" with the word "market" filtered out to avoid my being deluged with a plethora of websites promoting market reports—which can be useful, don't get me wrong, but they seem mass-produced on conveyor belts, considering how many new ones are announced every month. Today's alert was filled with alarming reports regarding a lack of IoT security.
An article from Digital Information World, titled "The Internet of Things Was Attacked Over a Billion Times in 2021," claimed the interconnected nature of common household appliances, smart devices and digital assistants (Alexa, for example) "is something that many experts are warning against," on the grounds that "this is the sort of thing that could potentially end up creating many more vulnerabilities that malicious actors can exploit." The article cites a report from SAM Seamless Network indicating more than a billion cyberattacks occurred last year, 900 million of them focused on the IoT, which the article paints as a very insecure environment.
Google Alerts also pointed me to a ZDNet story, "This Unpatched DNS Bug Could Put 'Well-Known' IoT Devices at Risk," covering a warning from researchers at IoT security firm Nozomi Networks. The warning pertains to a popular library for the C programming language for IoT products that is vulnerable to Domain Name System (DNS) cache-poisoning attacks, due to a 10-year-old bug that cannot be patched. Researcher Andrea Palanca, the article explains, discovered the DNS implementation of uClibc and uClibc-ng C libraries "generates predictable, incremental transaction identifiers (IDs) in DNS response and request network communications," affecting "a range of well-known IoT devices running the latest firmware versions with a high chance of them being deployed throughout all critical infrastructure."
Beneath that headline, meanwhile, was a story from Federal News Network titled "Hackers Find More Than 400 Vulnerabilities in DoD's Industrial Base Companies." The U.S. Department of Defense invited HackerOne, a crowdsourced group of bounty-hunting ethical hackers, to identify vulnerabilities in its contractors' IoT-based networks. "Over one year," the article reveals, "the hackers probed 41 companies and found more than 400 vulnerabilities that needed mitigation." It's encouraging to see the Department of Defense proactively addressing and preventing holes in its security, but it's also a bit scary to think the U.S. military could be so vulnerable to attack.
These are just a sampling of the alarming articles in today's Google Alerts—and lately, they've been popping up with increasing frequency. How accurate, in your opinion, does reporting on Internet of Things security tend to be? Is the IoT a dangerously insecure smörgåsbord for criminals to steal sensitive data from business and individuals? Do such articles amount to alarmist fearmongering and worst-cast scenario clickbait? Or is the truth somewhere in the middle—that threats to the IoT are undeniably real, but that the picture isn't nearly as grim as it's being painted?
Either way, what can be done to educate consumers and companies about the products they buy so they can protect themselves? With so many IoT devices in use, and with so many more on the horizon, it's something to think about. Where do you weigh in on this issue? If you have an opinion about the security (or lack thereof) of the Internet of Things, you are welcome to post it below.
Rich Handley has been the managing editor of RFID Journal since 2005. Outside the RFID world, Rich has authored, edited or contributed to numerous books about pop culture. You can contact Rich via email.
Exhibitors at RFID Journal LIVE! 2022 will offer a variety of Internet of Things solutions. To learn more, visit the event's website.