Community

Unsecured IoT, Unlimited Vulnerabilities

Len Shneyder

We’ve all heard the phrase “we live in a hyper-connected world.” We have access to vast stores of information and applications through a device in our pocket. More and more of our personal and even biometric data is actively being crunched in the cloud to deliver insights into how our bodies tick.

However, the Internet of Things (IoT) is not without its challenges. By bringing more devices online, (giving them an IP address and making them addressable) we are actively increasing the surface area of a hackable world.

The explosive growth of IoT has been matched with an explosive growth in device abuse. The connected devices that delight us with knowledge about our habits and patterns have the ability to undermine our privacy, lay siege to our identity, and in the most extreme cases cause real, physical harm through cyber warfare.

IoT’s Feedback Channel

Gartner forecasted that 322 million wearable devices would be sold in 2017. The massive 48% jump from 2015 is due in part to the popularization of wearable technology as a lifestyle. As technology is integrated into our daily lives through routine, or as habit, we’re being turned into micro-bio-data-generating machines.

The devices and their connectivity range from the very small, to things with screens and interactive features. What we’re probably not thinking about is the multitude of devices needed to have a feedback channel.

What good is a measurement if you can’t see it or learn what it means? These devices are generating a ton of transactional email through our phones and other “output” monitors so that we realize the value of measuring our daily activity.

Email and IoT generated messaging present unique opportunities for phishers and fraudsters.

Each mailstream generated by a new wearable needs to be secured because phishing is most definitely on the rise.

According to the APWG (Anti-Phishing Working Group), phishing attacks jumped 65 percent between 2015 and 2016.

Infinite Connections

Events in my home generate emails and push notifications alerting me to movement or when my dog walker brings my dog home after a romp at the park. At night, millions of people wear a Fitbit to sleep so they can monitor, record, and analyze their sleep patterns.

Children’s toys are being super-charged with digital capabilities, animatronics, and they can be accessed remotely for greater interactivity through Bluetooth and other communications standards.

My sous vide cooker has a wi-fi and bluetooth connection so it can tell my phone if the temperature of the water bath changes, or when it’s ready for the food to be immersed. My iPhone’s GPS, combined with a chest strap, turns into a total body workout tracker that records my route on Strava and how much I suffered climbing up the Bay Area’s hilly terrain.

Marginal Security

Every device added to the burgeoning IoT is essentially capable of collecting and transmitting Personally Identifiable Information (PII). The makers of these devices are moving fast to try and introduce ever smarter, and ever more sensitive devices that run the gamut from biometrics to home automation and automotive connectivity. However, these devices all introduce new security risks and challenges into what is already an insecure environment.

Perhaps the most famous compromise of an IoT-like device wasn’t an IoT device at all, but rather an air-gapped network. The Stuxnet virus crippled an Iranian nuclear enrichment facility—a computer virus actually caused massive damage in the physical world. Stuxnet was an example of cyber warfare that we only imagined possible in the movies. On a smaller scale, but infinitely more tangible, was the leaking of millions of voice recordings of children and their parents through a connected teddy bear.

Each IoT device is essentially an endpoint that can be accessed via API or some other means to send and receive information.

What is extremely appealing to phishers and hackers is the nature of IoT devices: always on and taking advantage of the fastest connection available.

Every single device requires that the endpoint is secure to ensure that it can’t be compromised and absorbed into a botnet capable of mounting a DDoS attack or other forms of malicious content. Since most of the devices are manufactured overseas, there is little, if any oversight on how these devices are built, or the kinds of services being run on them.

Increased Awareness

Security-minded organizations like Arbor Networks are mining honeypot data to measure the exploitation activity around IoT. Similarly, the Messaging, Malware, Mobile Anti-Abuse Working Group (M3AAWG), is beginning to take very seriously the threats implicit in an exponentially connected society.

In April 2017, M3AAWG announced a new IoT special interest group to coordinate members’ efforts in resolving abuse issues from compromised IoT devices. The new special interest group will develop reputation guidelines and processes for device manufacturers in addition to raising awareness about the dangers of unsecured IoT.

Security First

Like submarines, and their “run silent, run deep” characterization, IoT, as a burgeoning technology subsector, needs to put security at the forefront of the march toward more innovative device manufacturing. There’s no question that IoT is enriching our lives. We can all agree that from the mobile phone, to watches, to fitness trackers, we’re all a little smarter because of it—however, security protocols and policies need to keep pace.

As an output, messaging needs to be secured as part of the overall protection of data that these devices are sending to and from on a daily basis. IoT has grown the amount of data we’re comfortable opening up to the outside world and our comfort level with externalizing details about our routines. But at the same time, we need to make sure that bad actors aren’t getting in and using that data against us.

If you want to learn more about other email-specific scams and how you can protect yourself check out Phishing, Doxxing, Botnets and Other Email Scams: What You Need to Know. 

Author
Len Shneyder is a 15+ year email and digital messaging veteran and the VP of Industry Relations at Twilio SendGrid. Len serves as an evangelist and proponent of best practices and he drives thought leadership and data-driven insights on industry trends based on the massive volume of email SendGrid delivers on behalf of their customers. Len is a longtime member of M3AAWG (the Messaging, Malware, Mobile Anti-Abuse Working Group) and served on its board in addition to Co-Chairing the Program Committee. He’s also part of the MAC (Member Advisory Committee) of the EEC (Email Experience Council) where he serves as the organization's MAC Chair. The EEC is a professional trade organization focused on promoting email marketing best practices. The EEC is owned by the ANA (Association of National Advertisers), a nearly 100-year-old organization where he also sits on the Ethics Committee. In addition, Len has worked closely with the ESPC (Email Sender & Provider Coalition) on issues surrounding data privacy and email deliverability.