NZ pours billions into IoT - so what are we doing to secure it?
The internet of things (IoT), broadly defined, comprises devices and sensors that connect to a service or network through the internet.
IoT is built into everyday consumer and business devices like wearables, security cameras, and temperature sensors. One look on eBay will reveal billions of devices from legitimate companies like Google or Apple and a lot of stealth brands that tend not to attract much attention.
IoT is a big deal in terms of its economic impact. In 2018, analyst firm Gartner predicted that there would be 25 billion 'connected things' by 2021. Of course, nobody knows if IDC was right, but what we do know is that IoT is big business.
New Zealand's part in IoT evolution
Analyst firm IDC predicted in July that IoT spending in Australia and New Zealand alone could reach NZ$20 billion by the end of 2021. And it's clear why. Mobile networks are becoming more powerful - 5G is reaching mass saturation. Satellite and fibre broadband are both more reliable and faster than ever before. As a result, new Zealand is going all-in on IoT innovation. For example:
- Māori dairy company Miraka, located in South Waikato, uses digital microwave radio to transmit voice and data to and from its Mokai dairy plant half an hour from Taupō. Why? Because copper networks are slow, fibre can still be prohibitively expensive to roll out in rural areas
- Nelson-based supply chain firm Core Transport Technologies used Bluetooth-based real-time air cargo tracking for Air New Zealand
- Greater Wellington Regional Council uses IoT for water quality monitoring
- Energy providers will often install smart meters in meter boxes
- Christchurch City Council uses seismic sensors for earthquake resilience
From the commercial side, Spark also has a dedicated 'Innovation Studio' that showcases emerging and market-ready use cases for IoT and 5G. It helps businesses explore the possibilities via ideation, co-creation, testing and workshops. The company also stocks products from vendors like Blackhawk and Netvox.
Spark IoT lead Tony Agar says its IoT business offerings have grown over the last four years as local businesses explore using tech to improve efficiency, productivity, and sustainability. When we asked Tony Agar to explain how Spark selects vendors, his response was straightforward - it's all about what works for its customers.
"Before we put a product to market, we also do a lot of testing of the hardware and undertake due diligence to ensure a new vendor is good at working collaboratively," says Agar.
Technology distributor Ingram Micro takes a similar approach to IoT. Business manager of Networking - IoT, Steve Blackmore, says that IoT comprises sensors, gateways, connectivity and platforms all tied together as a solution that creates, communicates, and analyses data.
"An IoT solution is the sum of its parts, so our approach is to work backwards from the desired outcome to provide end-to-end secure IoT solutions. So we research potential vendors and ascertain the best fit based on hardware quality, breadth of their portfolio, and the ability to integrate. Our vendor partners are best-of-breed manufacturers that fit our uniquely New Zealand requirements."
So Spark and Ingram Micro say they're committed to working with reputable vendors. But are they - and their customers - paying enough attention to IoT security?
IoT: A security conundrum
Trace the supply chain from any IoT device back far enough, and there is an often unspoken element of 'trust' in the security of the hardware, networks and software.
IoT Alliance spokesperson Vimal Kumar says that the range of IoT devices is massive, as is the security built within them. Add in factors like how and where those devices are being used, quickly becoming a recipe for targeted cyber attacks. Additionally, attackers can leverage these IoT devices for different purposes.
Kumar explains, "Primarily, with IoT devices, we see two types of attacks; ones that target the user's data collected by the devices and ones that target the device itself to gain access to the network in which the device operates.
"IoT devices generate and store a large amount of data either on the device or in the cloud. This could be the data a device is generating (such as the commands you give to Google Home or the video captured by a webcam) or the user's account information or credit card information, etc. All of this is of some value to an attacker and a vulnerable IoT device is one way to reach it."
Botnets, which are essentially an army of compromised devices, can also be used to take down websites and other devices on the internet. For example, the Mirai malware is one of the most well-known botnets, targeting Linux-based devices like routers and home surveillance cameras and turning them into an army of bots that conduct distributed denial of service (DDoS) attacks. Attackers can also steal data from IoT devices, use them to gain access into more complex networks, and they could potentially use devices to spy on unsuspecting users.
"Any vulnerable device can potentially become a bot for an attacker, however, IoT devices are especially at risk because we are at a very early stage in terms of IoT maturity," adds Kumar.
A 2021 report from Kaspersky showed more than 1.5 billion IoT device breaches in the first half of the year alone.
Devices are typically compromised because:
- Manufacturers do not embed security into their devices
- Security updates are few and far between (if there are updates at all)
- Ports are left exposed
- Users don't change default usernames and passwords on devices
- Internet-connected networks are compromised (IoT devices operate on these networks).
Another April 2021 report from global technology firm Thales says there are six main IoT security challenges: Weak password protection, lack of regular patches and updates and weak update mechanism; insecure interfaces; Insufficient data protection; poor IoT device management; and the IoT skills gap.
These risks are not enough to stem the circulation of IoT devices in global and local markets. While nothing can stop someone from ordering a security camera from China (except, perhaps Customs), what about the devices currently available in New Zealand?
Spark's Tony Agar says that when Spark provides connectivity to its customers, it understands what kinds of security customers need. The company then designs network services to meet security needs.
"Once the service is up and running, Spark monitors all devices on our networks for abnormal behaviour and will proactively engage with customers when non-standard network events are observed to ensure fixes are undertaken (and to ensure the network remains stable)."
Over at Ingram Micro, the company believes security is everyone's ability, particularly within commercial IoT.
Blackmore says, "Manufacturers are responsible for building their products as securely as possible and providing firmware updates over time to ensure those devices remain secure. Distributors, resellers, and service providers have a duty of care to design solutions that protect the customer's data and data infrastructure. Security is not a product, it is a mandatory feature, acquired by deliberate design, and included in every data creation, communication, analysis, and storage solution."
Ingram Micro's approach determines the different areas in which a device or solution can be secured.
"LoRaWAN for example, is secure by design with authentication and end-to-end encryption being mandatory as part of the standard. Similarly, any network based IoT data whether ethernet, BLE or wireless is secured by Zero-Trust and SASE mechanisms from our existing networking and security vendors."
Ingram Micro states that its IoT solutions are secure by design, so it also ensures that New Zealand businesses operating within the technology channel are aware and educated about different security mechanisms, so they can then make sure their customers are educated. On top of that, the company can provide additional layers of security via a third-party network, data and security vendors.
Dealing with IoT vulnerabilities
Despite protections put in place by manufacturers, distributors, resellers, and us at home, vulnerabilities will remain a significant security challenge. According to stack.watch, there have been 17,145 published vulnerabilities this year, and the number will continue to climb. Of course, not all of those vulnerabilities will involve IoT devices, but they do underscore an essential point: vulnerabilities are an inevitable part of life. Not every device or network can remain secure all the time.
Touching on Spark's approach to security vulnerabilities, Agar says, "We work with vendors when device issues are observed to get them resolved. Typically we do this as part of the Permit to Connect process so we know devices when on our networks will operate in line with the GSMA industry device standards. When a device deviate from standard behaviour, we work with vendors to understand and address the issue."
Ingram Micro's Steve Blackmore says vendor agreements have mechanisms in place to deal with vulnerabilities.
"Our vendors are required to represent and warrant that their products don't contain harmful code and meet information warranties. Should a vulnerability be discovered, Ingram Micro will work with the vendor to assist in any relevant remedial work such as advertisement of new firmware required, or product recall with the vendor contractually obliged to assist with relevant authorities."
Both Spark and Ingram Micro have steps in place to deal with vulnerabilities, and both consider security a priority from the beginning. It is fortunate that such high-profile companies are committed, but will everyone sing to the same tune?
When we reached out to retailer Noel Leeming, we did not get a response. A few other technology retailers also declined to participate. It was similarly difficult to encourage IoT manufacturers to present their thoughts. The absence of manufacturers and retailers from this story certainly leaves much to be desired when looking at the overall approach to IoT in New Zealand.
It is clear that IoT security is not an afterthought, but it is something that legislation is struggling to keep up with. For example, there is little to no protection if an IoT device sold in New Zealand is involved in a breach. Under the Privacy Act 2020, an organisation with a presence in New Zealand must notify the Office of the Privacy Commissioner in the event of a breach. In addition, the Consumer Guarantees Act mandates that those in trade cannot mislead or deceive consumers - this includes misleading people about the security of a product.
Suppose the IoT opportunities for New Zealand's commercial sectors like agritech are as important to the Government as its industry policies suggest. In that case, there needs to be more public discourse about how we secure a technology that many industries may come to depend on for their business - and New Zealand's economy..