IoT Moving Into 2020

 

The term “Internet of Things” was coined in 1999, gaining significant traction in 2011 after a report by Gartner added it to a list of emerging technologies. As more companies worked on advancing and creating new applications for IoT, the technologies involved gained ongoing global coverage. In its inception people often referred to the IoT as “embedded internet” due to its increasingly pervasive nature and presence in many aspects of our lives. Of course with any emerging technology there are associated risks, and these threats will grow and evolve as the technology does. In this article we will look into these risks, where IoT is moving, and the ways in which organizations are mounting defenses for their networks.

 

IoT is an umbrella term to include all devices with IP addresses connected to the internet. There are presently five types of IoT applications.

These include:

  • Consumer IoT–e.g. Light fixtures, connected thermostats and alarms, and systems such as Nest

  • Commercial IoT–these applications include healthcare and transport, connected pacemakers and other medical implants or wearables, and vehicle to vehicle communication

  • Industrial IoT–including network connected control systems, smart agriculture, and big data

  • Infrastructure IoT–this aspect of the IoT deals with network connectivity of smart city applications such as surveillance cameras, facial recognition, and traffic analysis devices

  • Military IoT–including application of IoT technologies in the military and police, to include network connected robotics and wearable biometrics for police and infantry

 

The technology underpinning the IoT allows users and systems to connect seamlessly to a wide array of networks and expands connectivity between physical and digital systems. With organizations and governments prioritizing this move into the cloud, the technology and protective measures must race to keep up with demand.

The number of IoT devices worldwide have been growing at a rapid pace from the late teens:

  • 2018–7 billion IoT devices

  • 2019–the number of devices more than triples to over 26 billion

  • 127 Devices are connected to the web every second

  • By 2025–more than 75 billion devices are expected to be connected

 

In the year 2020 it is predicted that 93 percent of enterprises will adopt IoT technology, 90 percent of cars will be web connected using IoT technology, and 3.5 billion cellular IoT connections will be installed.

 

According to the 2018 Open Web Application Security Project (OWASP), the most significant vulnerabilities for IoT technology include:

 

  1. Weak, guessable, or hardcoded passwords—such as short, simple, and publicly available passwords.

  2. Insecure or unneeded network services—which are installed on the device and may expose data such as sensitive and financial information to theft and eavesdropping.

  3. Insecure ecosystem interfaces—external interfaces that connect to the device. The connection may compromise the device and its components.

  4. Lack of secure update mechanism—such as un-encrypted data moving from outward sources towards the device, and poor security monitoring.

  5. Use of insecure or outdated components—such as open-source and third-party components that weren’t scanned for vulnerabilities.

  6. Insufficient privacy protection—failure to protect private information that is stored on the device and connected ecosystems.

  7. Insecure data transfer and storage—such as the lack of access control and encryption during the movement of data.

  8. Lack of device management—on devices deployed in production; results in poor security support.

  9. Insecure default settings—the inability to fix insecure settings creates exploits in devices and systems.

  10. Lack of physical hardening—creates a larger attack surface, which threat actors can leverage to take control of a device or system.

More IoT components mean a greater attack surface is exposed. The more points connected to the network, the greater the risk. Endpoint Detection and Response (EDR) tools can be employed to monitor endpoints and send alerts for critical security events. It is also important to scan devices before allowing connection to your network in order to prevent the introduction of vulnerabilities. Vulnerability scans on a regular basis help to ensure the health of the network.

It is also important to segregate network infrastructure to allow least exposure to the internet. This can be done by creating a dedicated network for IoT with limited access.

Moving into the new decade we can expect IoT devices to become more and more embedded in many aspects of our lives, both personal and professional. The technology enables a move towards digital transformation with many industries moving into the cloud. From the protection of personal devices to the defense of an entire network, it is critical that IoT security be taken seriously. With more connectivity comes increased risk of exposure. The more we entangle the physical and the digital, the more real the results of an attack or security leak become.

Sublethal Remote Camera Guns

 

A company out of South Africa has introduced a unique product for those looking for an alternative to human security presence. The Sublethal Remote Gun is a non-lethal weapon mounted and connected to a camera that allows the user to engage an intruder without being on-site. These remote weapons are designed to fight back against intruders while keeping the user safe. Here we will take a look at the specifics of this security alternative.

 

The primary weapon is a paintball gun using nylon rounds. It is designed to be similar to the rubber bullets used in riot control – causing extreme pain without being life threatening. It is not recommended to use regular paintballs, but frangible solid casing pepper balls can be used. The magazine holds up to 155 rounds just under the size of a US quarter. The gun is difficult to disable and in most cases is mounted on a pole of nearly 20 feet, able to fire down the pole to protect itself from tampering. In the event that real ammunition might be used against the gun to disable it, upgrades to the casing are offered to make it resistant to small arms fire.

The gun is very easy to use and requires only a few minutes of training. Because of this, every controller has a key to lock it down and prevent young children from accessing it. During power outages, the sublethal gun has a battery that can keep it running for 3 days, depending on level of use. Under tests the gun often lasts up to 7 days on a deep battery cycle. A solar panel and solar charge controller can also be fitted to ensure the gun remains functional during an outage.

 

The system is built to be modular but it has not been tested with a lethal firearm and the company does not endorse or assist with such a modification. Although the weapon is designed and sold in South Africa primarily for defense of farms, many other possible installations are suggested by the manufacturer. These include what may be a somewhat optimistic list to include everything from households and businesses to server rooms and casinos.

As a deterrent, the gun has some advantages over a human with a lethal weapon. By engaging from a distance, the risk of physical harm to the user is removed and gives the defender a disproportionate advantage. The intruder stands little chance of winning a fight against a machine and being repeatedly struck by riot suppression rounds is highly demoralizing. Furthermore, the legal risk of using a firearm on a criminal is eliminated. In South Africa, if a criminal intruder is killed the police force must open a docket for murder against the homeowner. This will result in confiscation of their firearms for ballistics tests and a requirement for them to appear in court. Especially if the criminal was unarmed, the property owner may unfairly face significant jail time simply for defending themselves and their land. The sublethal gun requires no license and has a low chance of permanent injury.

 

In the long term a remote gun like this is orders of magnitude less expensive than a human security guard. The guns can be used as a force multiplier to reduce these costs and engage several armed intruders. Especially in the case of farms and homeowners, this may be the only type of weapons system appropriate and affordable. Most do not have the resources to employ 24 hour security.

The up front cost is $1499 per system to include the weapon, controller, rounds, and hardware to mount. Paired with alarm activation on a cell phone or other mobile device, the gun can be made more useful, as unfortunately it is not automatic and requires the user to operate it. The gun works on the cellphone network and does not require WiFi. Through GSM, 4 alarm zone inputs can send an SMS message to the user when triggered. These relays can be used to activate sirens, flood lights, pepper spray dispensers, gates, smoke dispensers and more.

 

While the manufacturer designed the gun as an answer to the problem of crimes against farms in South Africa, it does seem that delivery outside of the country can be arranged. This would of course mean self-installation would be required. The utility of the gun is certainly up for debate, but as an addition to existing security measures and for its relatively low price there is an argument to be made for its use. As an answer to the desire for a remote weapon attached to a camera, the gun might be seen by many as a half measure. Perhaps in the future such a system could be made to detect human presence in off-limits zones and fire automatically.

 

Year 2020: Security Threats in the Coming Year


Moving into a new year, we can expect the trends in information security from the last several years to continue to evolve and affect the methods criminals will use in exploits and the industry’s defenses against them. A few of these, such as the continued migration to the cloud, mobile technologies, and the use of machine learning affect the methods employed by both sides. With a shortage of skilled professionals in cybersecurity and the rapid advance of software development, we can expect serious competition for our data and information security. Here we will take a look at what experts in the field are saying lies ahead in the coming years.

Ransomware

A major method of attack in 2019 was ransomware. While previously online “gangs” would target institutions such as banks in massive multi-million dollar attacks using banking trojans, moving forward it is expected that the focus will shift to smaller attacks on small to medium sized businesses. This is due to it being easier to anonymize smaller attacks, with the profits easier to launder because of less interaction and sharing with physical street gangs in the laundering process.

Phishing 

Phishing will remain an important method in initiating attack, with mobile increasingly becoming the primary vector for phishing attacks aimed at stealing credentials. While conventional secure email gateways are adequate in blocking phishing emails and dangerous URLs, these methods often neglect to defend  mobile attack vectors from account takeover attacks. Personal email, social network accounts, and SMS/MMS messaging can be vulnerable to these attacks.

The Cloud

With business infrastructure increasingly making the move to the cloud, the focus of attackers will follow. This comes with the expected consequence of making attacks more difficult, requiring more sophistication and frequency of attacks which will increasingly rely on luck rather than careful planning and execution. A benefit to corporations using cloud infrastructure is redundancy for data storage and a greater assurance of server up-time. This migration to the cloud should improve security for most, although what attackers will be able to do with machine learning attacks on the cloud remains to be seen.


Having been talked about for several years now, 5G mobile technology will begin to be adopted across major metro areas in late 2020. This increased bandwidth and speed will give rise to a number of new IoT devices and create an uptick in edge computing. With IPv6 adding so many new devices, each one posing a potential risk as an attack vector, companies will need to reevaluate and rethink their threat models. The traditional infosec issues of authentication, confidentiality, authorization, availability and data security will be magnified with the huge build-out of 5G and must be accounted for with an updated risk paradigm.


As for authentication methods, we can expect a move from two-factor (2FA) to multi-factor (MFA), to include biometrics. Implementation of one-time authorization codes (OTAC) will help to provide 2FA circumvention of phishing attacks. Organization are expected to adopt these practices to address credential theft and maintain regulatory compliance, especially those holding highly sensitive data. They will have to contend with more specific phishing attacks leveraging machine learning to optimize attack campaigns. Once done by hand, phishing lures of the 2020s will be tested by AI algorithms in order to improve conversion rates. Phishing domains will even be generated and registered by algorithms independent of human intervention.

Social Engineering and OS Issues

As has always been the case, often the weakest link in the security chain is the human element. We can expect to see an increase of insider attacks in 2020. These occur when an attacker either offers to money or extorts sensitive information from someone working for an organization. This can be achieved through compromising social media accounts and using social engineering methods. This is a low-tech way of breaking security, but often one of the most effective. Some attackers may offer considerable sums of money or cryptocurrency to insiders depending on the target’s position in the company.


One final thing to consider is that Microsoft will be ending support for Windows 7 in the middle of this January. Any businesses and other end-users still using the OS will face the issue of no longer receiving patches and updates, even in the event that a security vulnerability is found. It is expected that at least one significant attack will leverage a Windows 7 end of life vulnerability in the same way that attackers did when Windows XP support came to an end.


These themes will shape the security landscape of the next few years. The interplay between the security professionals and infrastructure meant to protect organizations and those who seek to steal their data will continue to evolve, shaped by emerging technologies. Those organizations best able to defend themselves will be those who anticipate and prepare to resist new and enhanced methods of attack.

STST Inc. is South Texas’ source for professionally designed and integrated security and access control systems.

To set up an appointment to get a quote on your project,

Call us at 210-446-6306

or send an email through our website:

www.securitytechnologyofsouthtexas.com/contact-us/

Moving Into 2020: Video and IoT Trends

             As 2019 comes to a close and we begin to look forward to the next decade, we can now reflect on the year and the trends that have begun to influence both video surveillance and the physical security industries. December tends to be the start of a lull in business, including for the end user. Many businesses can be reluctant to make new purchases in security, or of any kind at the close of the year, and so those in the security industry also feel this slowdown. Still, this time offers us the chance to look forward and prepare for the coming year and beyond.
Here we will look into the security trends we expect in the near future.
—————————————————————————————————————————————————————————-
Cybersecurity for IoT
            IoT device security will continue to be a major focus, as it has been throughout 2019. Threat actors will continue to target IoT devices at the enterprise level in order to attack business infrastructure. In fact, more than 30 percent of denial of service attacks are targeting enterprise IoT devices already. Because these threats continue to evolve, the IoT and physical security industries must make an effort to keep up with cybersecurity trends and take measures to implement defenses against these threats. Still, many integrators continue to ignore this aspect of the field simply out of a lack of knowledge and a failure to properly gauge the severity of the threat.
             One of the best solutions here are automated tools, which are more advanced than ever. These tools can seamlessly integrate IoT hardening without  requiring a significant level of cybersecurity knowledge. These tools can give a complete asset inventory, secure those assets, and then insure compliance through ongoing monitoring. Automated tools also offer reports to the end user which can be helpful in filling in security gaps and determining where weaknesses and potential breaches in infrastructure are at. It is critical for the modern integrator to adopt such hardening tools to implement security from the beginning and throughout the life cycle of a system.
—————————————————————————————————————————————————————————-
Device Monitoring
               With IP cameras and other IoT security devices continuing to proliferate and expected to grow to billions of connected devices with IPv6, the demand for services that can assure and track physical security assets will grow alongside them. These device monitoring services track physical assets, monitor the performance of physical security and help with life-cycle management. Real-time management can be achieved through software platforms offering remote connections. These platforms help security integrators to assure system compliance, increase system up-time and performance, all while lowering the overall cost of maintenance. Such services also offer the benefit of RMR to the integrator through remote monitoring service contracts.
—————————————————————————————————————————————————————————-
The Cloud
                      Much has been said about cloud computing, and it is perhaps one of the most important pieces of the modern internet, allowing off-site data storage and processing using the resources of cloud service companies rather than requiring traditional on-site server setups. Ease of use, reduction in cost, and the simple fact that cloud computing has been critical for the last several years all lead to the end-user wanting these services.
                      Decision makers want to move hardware off premises and are looking for cloud-based solutions to video, access control, device management and monitoring. This demand will increase with time as the cost of entry goes down and cloud computing becomes the gold standard for IoT security platforms. Access control software will be hosted in the cloud, with the data from IP cameras and other security infrastructure fed into it, processed, and stored.
                     There is the issue of upstream bandwidth limitations for some larger commercial security and surveillance deployments. But with 5G coming in the early 2020s, and storage becoming cheaper every year, this is something that will likely be solved in time. In the very near future however, expect some video storage for larger facilities to remain on-site along hybrid solutions involving the use of the cloud for analytics and event video archiving.
                      Another advantage of the cloud is that it streamlines software updates for applications and firmware. Failure to manually manage such updates has historically been a problem in maintaining a hardened network. The cloud allows both these updates as well as new features to be deployed rapidly and securely, all while reducing the costs for integrators.
                        These are all security themes we can expect to continue to grow into the coming years, and the opportunity to remotely service security systems through improved wireless and cloud infrastructure will be leading the way. We can expect the key security changes of the last 5 years to be predictors, ultimately leading us to an age of extremely fast and hardened wireless security that is fully scalable and as cost efficient for both the end-user and integrator as possible.
—————————————————————————————————————————————————————————-

STST Inc. is South Texas’ source for professionally designed and integrated security and access control systems.

To set up an appointment to get a quote on your project,

Call us at 210-446-6306
or send an email through our website: