Why Your Servers May Be the Weakest Link in Your IoT Security

It's important to ensure both device- and application-level security—but don't stop there.
By Geoff Kratz

The IoT world saw its first real attack of this scale when hackers turned Samsung smart TVs and refrigerators into e-mail spambots (automated programs that send unsolicited e-mail).

Those types of bots could be used to send out phishing spam to elicit credit or bank card information from people. Those cards and associated PINs or passwords could then be sold in bulk to buyers who would use them to purchase goods online or fence them for cash. The Samsung attack could not have been made on the devices directly because there were hundreds of thousands of e-mails sent by those devices, from around the world. They were attacked either via the Internet, or more likely, via Samsung's servers.

Borrowing from a scene in the film Skyfall (in which James Bond meets a young, bookish Q for the first time), attacking the device is like sending an agent into the field. By attacking the server, a hacker could, like Q, "do more damage on my laptop sitting in my pajamas before my first cup of Earl Grey than you can do in a year in the field." Yes, ultimately, you want to be in the field to take advantage of the compromised device. But doing them all at once scales more effectively.

Secure Everything
Securing the servers and the infrastructure is critical for any IoT implementation. But you must also pay attention to the devices and to intervening components such as smartphone apps; they still need to be secure as well.

Securing the devices is like locking the front door. Making your apps secure is like locking the back door. They are the most obvious points of entry, and both must be made secure. But not securing your servers is like leaving the garage door open and the inside door unlocked. Sure, the regular doors are locked. But there is still a way in (and a very large way in), and now the whole system is compromised.

Ultimately, you need to secure everything: the devices, the apps and the servers. Doing only one or two of those isn't enough. You have to address all of them. But losing control of the server means losing control of everything.

Geoff Kratz is the lead technologist and co-founder of bbotx inc., a startup in the Internet of Things space. Kratz previously worked for Bell-Northern Research, Microsoft and IBM, and has designed and developed secure transaction-processing systems for the financial industry, as well as iOS- and Android-based applications.
