This year’s Cybersecurity Awareness Month has served as a refreshing installment of security considerations that are often at risk of going unnoticed or becoming deprioritized. It could be argued that IoT security has struggled to make it to the forefront of security discourse for some time, which is understandable given the competition of prevalent threats. Ransomware extortion, state-associated espionage and influence, and COVID-19 related phishing threats have successfully hijacked this year’s headlines for good reason. However, the pandemic has also brought the security of our Internet-connected devices into the spotlight and the inherent risks they pose, which has been the focus of security commentator grumblings since our mobile phones began talking to our refrigerators.

(Source: NCSAM)

Our October blog series has, once again, been a gentle reminder that while our connected devices are undoubtedly the foundation of a more efficient lifestyle, they pose additional risks. We began by observing these risks: the increase in data used and shared by IoT devices and the rush to market in the ‘smart’ tech industry that can deprioritize security. After addressing high-level mitigation and securing devices both at home and at work, we also touched on the importance of securing IoT devices throughout the healthcare industry, something that is especially important given the additional strain this sector is currently under. But it is also essential for us to look forward and think about what the future holds for IoT security, the implications of which will ring true with all users and industries already covered in our previous blogs.

A peek into what’s on the horizon

Our connected world is growing all the time. Almost all IoT-related articles will open with a discussion of exponential growth in the connected devices space. In case you missed them, there are currently more connected devices than there are people in the world; a lot more, between 20 and 25 billion at present, and this number is predicted to grow to upwards of 50-80 billion by 2030. The average user is now more aware of the IoT and is reaping the benefits from its growth opportunities. Hopefully, with the help of initiatives such as Cyber Security Awareness Month, more of these users become increasingly aware of the security implications. Meanwhile, the IoT’s growth not only concerns the sheer number of devices; it also refers to areas of life and industry that we apply its technology to.

Consumer IoT technology is booming, from wearables to homeware; if people can connect it and speak to it, then they can find a spot for it in their lives. This trend is commonplace, but an efficient and data-driven way of life is also appealing to larger workforces and even national governments. IoT technology has already begun to advance business productivity and provide services and infrastructure in some cities around the world. These smart cities are the future, and the security around their implementation will be as crucial as ever.

In this scenario, we need to highlight that the inherent IoT security risks we have already emphasized and the expanding attack surface, driven by the IoT’s growth, will likely pose more significant and more complex risks when applied en masse.

Smart Cities may seem futuristic, but they’re booming right now

The use and development of the IoT has arguably laid the foundations for the creation of Smart Cities. The connected infrastructure, data recording and accessibility, and the improvements to efficiency in transport and lifestyle are all aspects of Smart City visions in which the IoT plays a crucial part. Indeed, scalable and, most importantly, secure IoT solutions are fundamental in the successful delivery of Smart Cities.

What are they? Well, it is the same notion as all other smart technology, except it’s applied to the digital infrastructure that supports an entire city. This concept might seem futuristic to the layman, but it is already in full flow in some cities, unsurprisingly the Asia-Pacific (APAC) region is leading the way:

  • Singapore is currently rolling out its Smart Nation initiative, a vision that Singapore’s economy will be powered by digital innovation and that “all segments of society are able to harness digital technologies and benefit from them.” Key projects include the creation of a national digital identity (NDI), i.e., the implementation of digital signatures and biometric data as a form of identification; investment in e-payment systems and smart urban mobility, with the trailing of autonomous public transport; and the migration of government and healthcare data systems to the cloud. Essentially this will require IoT technology to be integrated across all core sectors in Singapore.

These are two prominent examples among a list of smart cities that continues to grow in length; similar advancements are occurring across the world, including Dubai, Oslo, Copenhagen, New York, London, and Barcelona, to name a few. What we understand about how the adoption of IoT technology will increase the attack surface (more endpoints equalling more opportunities for compromise) is even more significant for the concept of these smart cities. The security risks that currently impact the smart tech industry will likely develop and grow, especially as cyber threat actors also grow in capability and sophistication. 

Suppose consistent public reporting around IoT vulnerabilities, active exploitation of smart devices, and the regular publication of IoT proof-of-concept (PoC) attack methods is anything to go by. In that case, there is little reason to doubt that aspiring adversaries will explore ways in which to amplify their attacks. Luckily, a scenario whereby an entire sporting event is taken offline, or the sensitive medical data of an entire nation’s citizens are exposed via IoT technology exploitation, remains hypothetical. Still, if the opportunity to conduct a more impactful attack is there, it is highly probable that threat actors of varying capability and motivation will seek to act.

Working in our favor is the likely stronger emphasis on security when a national government implements a new wave of technology compared with a private company competing in the smart tech industry. This concept is especially true (fingers crossed!) when a nation’s data and livelihood depend on that security.

We should focus on 5G safety and security; not conspiracies

At the forefront of our connected future is the fifth generation of mobile broadband network technology, 5G. Offering faster speeds and more robust mobile services, 5G is a natural progression in the mobile arena. However, its enablement of a growing number of connected devices poses similar security concerns. 5G will likely provide the foundations for smart city-style visions, meaning that its security protocols will be fundamental if we are to safely advance further. The rhetoric should undoubtedly be focused on a safe and secure 5G rollout instead of the conspiracies that suggest 5G has anything to do with the spread of COVID-19 (sigh).

(Source: Cagle Cartoons)

Similar to existing IoT threats, researchers have demonstrated how to exploit vulnerabilities in 5G technology, exposing location data and leaving critical networks exposed to Denial of Service (DoS) attacks. If there is one thing we can assess with confidence, it is that if PoCs exist, then threat actors will soon come knocking.

The primary risks for new technology, such as 5G, lie within the complex process of securing the sheer number of devices that will eventually rely on it. This reliance, which will become critical as 5G networks supply more and more sectors globally, makes a comprehensive security approach all the more imperative. The more businesses rely on smart tech, the more likely malicious actors will consider it a desirable target. Collaboration on 5G security measures will be crucial between all the industry areas, from the mobile service providers to end-users.

It’s everyone’s job to #BeCyberSmart

 A secure approach is a shared one. That is, if it is to be an effectively secure approach. The future holds some rather exciting prospects when it comes to greater connectivity. Organizations across all sectors are now inclined to work with their partners and employees to ensure that security is less of a nice-to-have concept and more of concrete culture. This transition means that all users are becoming increasingly empowered to do their part by engaging with security instead of simply expecting it to be handled for them.

Our Cyber Security Awareness Month blog series began by reiterating how individual users can bolster their smart tech security approach. As 5G is the foundation for future connectivity, individual users are also the foundation for a securely connected future. Each subsequent organization, sector, and eventually, each nation, has a shared responsibility to be cyber smart.