This May, the global news headlines announced that a penetrating chain of attacks had taken place. Over the course of just 24 hours, 45,000 cyber-attacks had taken place in 99 countries around the world. The ‘WannaCry’ ransomware attack hit multiple organisations hard, created over 200,000 victims, and even left vital operations having to be cancelled in UK hospitals.
There was a time when cyber security and hackers where something reserved only for the Hollywood movies. Today it is a very real and a very threatening reality. Frighteningly the attacks in May are not unique, Ransomware cyber attacks quadrupled to 4,000 per day from 2015 to 2016 and the most recent report from the insurance giants Lloyds of London, estimates the costs of these attacks could reach over $120bn in the coming years, and businesses will need to be ready to cover the bill.
The Internet of Things has evolved at a rapid pace. Coming from the imaginations of academics in the 1980’s, it has now developed to become a reality for millions of early adopters. There are millions more who may not even realise they are using IoT devices in their everyday lives, such as people with Sat-Nav’s and fitness trackers. But this pace of development and adoptions does come at a price, and not just to the end user.
Naturally industry is incredibly keen to develop and to capitalise on this exciting window of opportunity. However, what does the IoT mean to the security and privacy of the people who use it, and who is to blame when things go wrong? If companies and government organizations are struggling to fight off hackers at a rate of 4,000 a day, what does that mean for the future of the IoT and, if you are creating products to be part of theses networks, how to you prevent your organization from shouldering the blame and the astronomical, and understandable, insurance fees getting it wrong could cost?
The light industry has naturally and successfully moved into the IoT and has delivered multiple innovative and smart products in recent years. These smart products are indeed ‘smart’ when it comes to energy efficiently and when it comes to the potential of Li-Fi and data transfer.
These products often sit as part of a larger connected environment, a smart home or smart city for example, and it is here where the problems can start. For example a Wi-Fi-enabled LED lamp can be targeted by hackers; they can then use it to identify a home’s router password and then gain access to anything else connected on the home’s network, such as bank accounts details, emails and personal health data.
Of course there have been a few glitches to date. Launching new technology and new systems would always come with theses, but the time for mistakes is over, the impact of the errors is too great, it is now time for the light industry to get tough.
So, how can the light industry be prepared for, and prevent, cyber-attacks? How can it still develop and grow in the IoT arena while also being secure? What responsibilities to the end users do the light industry need to be aware of, and how can they protect the brands and institutions we all work for, and with?
With cyber security due to be even more in the glare of the media spot light over the coming years and to support the light industry, Trends in Lighting, thought it only right to go straight to the experts, and to get the very best advice.
Ken Munro is an ethical hacker. He has spent around 20 years going deep into industrial systems and products to identify their weakness, flaws, and vulnerabilities. As an ethical hacker he is able to identify the risks and advise on solutions that will make the difference between a success and a failure.
His years of experience in industrial systems naturally evolved into IoT systems and have given him a wide understanding of the IoT, its advantages, what is a reality and how to be a secure part of it. He is also quick to point out its limits.
The IoT has been clouded by those who have created products just for the sake of it, says Munro. Companies create some device or other which they label as ‘smart’, even though it may have limited application, and sell it to an eager and uniformed market. The only people who really benefit from it are the vendors. He does believe that the IOT has a place though. For example in the medical sector, it can be a huge benefit to people who require assisted living, and it can also have environmental advantages such as managing power use in lighting. A defining feature of IoT at the moment is that it’s often just a race to get to market first.
Munro goes on to say, a vendor rushing to get their IoT ‘Thing’ to market can make all kinds of security mistakes that end up affecting their end users. Issues like the loss of personal collateral, such as bank account information, is just one example of the damage that the rush to market can help create. If manufacturers took the time to stop and think about the security and privacy implications of the insecure coding on their device it would be a different story.
Munro has experience of tackling manufacturers about the poor security he has discovered in products, and he has found some responses less than helpful, lukewarm even. He is at pains to point out that it does help to understand their challenges though.
For example, say you are a start-up venture. You have received your funding and are in the middle of creating something exciting which looks like it’ll be of real value to people. Add to that the fact that you need to get that product to market quickly, to satisfy your investors.
It is probable you’ve come from a software background and now for the first time you’re faced with developing hardware. Bear in mind that hardware generally requires a 6-9 month lead time for production and shipping, so you’re hell bent on hitting deadlines and goals, and then I come along! I tell you, politely, that you have a faulty product, but you have already invested everything in it and it can’t be fixed, on time or in budget anyway. What do you do? Do you to carry on shipping or do you go bust? That, says Munro, is a very common scenario. Most will carry on shipping a flawed product rather than face the alternative.
It’s not just IoT start-ups that are guilty of building insecure products though. Across many sectors we still see things that are really not suitable for purpose. It’s a fact that you can rarely get everything regarding security right first time; there is no such thing as perfect. What you can do though is make sure you are prepared, that you factor-in security in the design stage, and that you create agile products that can be updated quickly.
The problem is that manufactures often don’t have security built-in to their development processes, for software or hardware. This is then compounded by legacy products, those that are no longer in production but still in widespread use. Take for example an older design of a light bulb that is still part of an IoT system, but no longer supported by the manufacturer with security updates.
Smart and connected products all rely on software to some degree, but security is still seen as a bit of a grey area by manufacturers. It often comes down to a lack of understanding about security and software, says Munro, and not knowing how to ask the right questions about it.
People decide to make something ‘smart’. They then add whatever the smart functionality is, in the software, and then they say ‘we now have something smart’. Munro’s experience is that not once during this processes has one person thought about software security. The App developers assume the hardware chips are secured, the manufactures assume the App development team have factored security in etc. etc.
While cyber security can sound daunting and expensive, it’s important that people understand why it matters, which is why Munro will be demonstrating what he knows at Trends in Lighting 2017 – to let people explore, with me, the pitfalls and necessity of security. “People need to think it is ‘not just a light bulb’…it is connected!” It’s connected to mobile phones, Wi-Fi networks, and computers and before a user and a customer even know it, hackers can take control of a person’s house, including their bank accounts, email accounts and all their personal data. The responsibility lies with vendors as they are making consumers vulnerable, and they have to protect people in order to protect their reputation.
Delegates at Trends in Lighting 2017 can expect Munro to show them where vulnerabilities lie, and how badly things can go wrong. He will then share some easy fixes and changes they can make to safeguard their products. This benefits the consumer and also prevents company reputations being dragged through the mud following a cyber attack. “And if companies think that they can avoid any adverse publicity they need to think again. The coming EU GDPR demands that after May 25 2018 companies who suffer a breach will have to disclose it publicly. There will be nowhere to hide”.
The GDPR will have far reaching effects on the IoT in Europe. Essentially, if you create anything that is connected to the cloud and that system is compromised then you and your company will have breached GDPR law. So, to reiterate, it means that every breach will become public. As soon as a company experiences a breach in a cloud server they will have to declare it. Brands, manufacturers and vendors will all be publicly exposed. “It could be the driver for secure IoT devices that we’ve all been waiting for, but who knows?” concludes Munro.
Right now, any manufacturer that is specifying the right (i.e. secure) chips in their hardware should be OK, those who are getting products to market that are due to launch in 2018 and have not factored in agility and security are in for a very nasty shock.
Ken Munro from Pen Test Partners, UK will be at Trends in Lighting 2017 to share “Lighting Up the Dark Corners of the Internet of Things (IoT) – Live IoT Hacking Demonstration”.