IoT Security: Assessing the Hidden Risks


Imagine a sci-fi novel, set 50 years into the future. In it, someone is confronted by a forest of Internet-connected devices. Dusty, with faded colours and logos that no one remembers, they continue humming away, their blinking lights dim but still active.

And no one knows what they do.

This is one of Kellman Meghu’s worst nightmares. The head of virtual data security at security firm Check Point has been spending a lot of time exploring the Internet of Things and understanding the emerging threats as it continues to grow.

Meghu has been in the business a long time. He recalls a Y2K remediation project, back at the tail end of the 1990s, when a company was consolidating its servers. There was one server that no one knew anything about. Eventually, he was forced to unplug the thing and cross his fingers. “Luckily, no one screamed,” he said.

On the IoT, the stakes are higher. There are millions of devices already, and there will be billions more. They will connect our homes, our cars, our energy systems and our water systems together. See Meghu talk to SecTor about them in our video interview here:

These devices will be different to the proto-IoT systems of yesteryear that were installed to manage our infrastructure. Commonly known as supervisory control and data acquisition (SCADA) devices, these were expensive, difficult to install and hard to operate.

Conversely, IoT devices are easy to build using off-the-shelf components, simple to deploy, and far cheaper. They are also often built and deployed in standard configurations, making them easy to attack and compromise by the thousands. When that happens, Meghu worries that the consequences could be severe.

“Someone could die,” he said, musing that we probably won’t make enough noise about that until it’s too late.

Security flaws aside, he also worries about our future governance of the IoT. In our imaginary novel, in a society 50 years hence when people try and work out what these devices do, and how to manage them, what guidance will they have? And what will the ramifications be if they get it wrong?

Meghu also presented at SecTor 2015, detailing his own attempt to build a home network in a DevOps model. Check it out here: