Light Dark
April 24, 2014 By Erkang Zheng 3 min read
CISO
Endpoint

Earlier this year, smart refrigerators and televisions were being hacked and were subjected to greater cyber attacks, according to NPR. Also, according to Extreme Tech, it was recently discovered that a Tesla Model S can now be located, unlocked and burglarized with a hack through its connected iOS app. In my own household, we have accumulated a sizable pool of smart devices (smartphones, tablets, smart TVs, streaming media devices, smart thermostat etc.) — 18 of them, to be exact — that can be exploited; and this is not to mention the hundreds of apps running on some of them. You’re welcome, Mr. Black Hat.

I conducted a “smart” calculation of my own. What’s in your household?

Smart Devices: Risky Convenience

These connected smart devices provide us with an unprecedented level of convenience at our fingertips, yet they contain a treasure chest of personal and sensitive information that poses a security threat for simple everyday tasks that we take for granted.

A major theme that emerged from this year’s RSA conference in San Francisco was the growing abundance of personal electronics and smart devices that have embedded software and processors. Internet-connected cameras, industrial meters and sensors, home automation controllers and smart appliances all pose privacy and security risks for consumers and manufacturers. In the case of connected cars and health monitoring devices, these risks can be catastrophic and life-threatening.

3 Ways to Think Like a Hacker

This proliferation of smart devices has caused a renaissance in thinking about security. Attackers often look for vulnerabilities to gain root access on the device. Using this access, attackers can target communications, imaging and location data, install more malware or steal sensitive and confidential information.

Because many mobile platforms are not natively designed to provide comprehensive security, hackers have a strong incentive to develop new techniques or create mobile-centric malware specifically for these devices.

We understand the dangers of mobile device security. But how can manufacturers and enterprises protect themselves? While there may not be a silver bullet solution for mobile device security, organizations and individuals should start to think like hackers and use this approach to protect their smart devices by considering the following:

  1. The Path of the Attack: While mobile devices can certainly pose new threats to personal and enterprise data, it’s important to understand the likely avenues of attack and protect against them instead of viewing the whole mobility issue as a general threat. For example, it may be more efficient for attackers to directly attack the portal to which the mobile application connects and gain access to the entire data repository rather than “pick the pockets” of a multitude of mobile devices. Leveraging threat modeling to understand the specificity of potential attacks can put you back in the driver’s seat in combating these new waves of attacks.
  1. Check Your Inventory: You need to know the kinds of vulnerabilities that may exist on a specific device. Analyze the device’s physical and logical architecture, device driver, communication channels and storage containers, and take a hacker’s approach in order to uncover security issues through penetration testing and source code analysis of a device’s operating system, kernel module and applications. Just as importantly, the testing should be standardized so that it is repeatable as changes are made to the device and its software.
  1. Use Emerging Technologies: Hackers are discovering the benefits of compromising both business and personal data contained within mobile devices. Sandboxing, containerization and trusted transactions are all emerging technologies that promise to provide enhanced protection and to open up the willingness of security and IT executives to further enable mobile applications in the workforce.

The security of mobile devices has become a top concern for many IT executives. While manufacturers continue to embrace this unstoppable trend of embedding intelligence into every possible device and connecting devices to each other and the Internet, this level of sophistication also renders the devices targets for exploitation and security attacks.

Having the convenience provided by these connected smart and embedded devices should not come at the risk of the devices being attacked for malicious purposes or, worse, at the risk of physical damages or life-threatening incidents to their users. Such risks must be identified and mitigated before it is too late.

To learn more watch the on-demand webinar: Securing the Internet of Things

 |  |  |  |  | 
Erkang Zheng
Cybersecurity Strategist, IBM Security Services

More from CISO
May 14, 2024

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

April 9, 2024

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

April 2, 2024

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature