The continued lack of IoT security standards and the practice of shipping devices with default passwords leave networks open to exploitation.

Australia just completed its largest smart city project ‘Switching on Darwin’ in June. Switching on Darwin sets precedents for using smart technology to improve the livability of cities.

Lord Mayor of Darwin Kon Vatskalis said the introduction of new technologies will “make Darwin a better place” by helping make people feel safer and creating new opportunities for business in the city. 

As the Morrison government commits to tackling the impact of rapidly rising population in already congested cities, and backing smaller cities like Darwin, it will need to take into consideration smart infrastructure and address urban challenges. 

Take the Internet of Things (IoT), for instance. Gartner predicts that 14.2 billion connected things will be in use globally by this year. IoT technology allows digital devices to transfer data over a network without human interaction or interference. Deployed across a wide area, IoT devices are especially useful because they can collect a large amount of data over time, which supports informed decision-making in city management and planning.

The A$10 million Darwin project saw the city deploy more than 900 smart LED lights, a network of 138 new CCTV cameras, 24 environmental sensors and parking sensors, among many other connected devices.

The cameras and sensors track the way pedestrians and vehicles move through the city, collecting data that city council officials will use to monitor traffic conditions, optimise routes and manage fleet availability for emergency services.

However, the proliferation of IoT is now a cause for concern from a cybersecurity point of view. Many IoT devices have pre-set passwords that often go unchanged. They become easy targets for cybercriminals, and a way for them to gain access to the network. Compromised devices may also be infected with malware and made part of a botnet that can be controlled remotely. Insecure IoT devices present danger before, during, and after deployment.

How then can we better secure IoT devices to ensure that Darwin and other smart cities are resilient to any major incidents and attacks? There are three major security challenges in IoT systems: 

1. Before deployment: Default passwords and settings 

The continued lack of IoT security standards, and common practices such as shipping devices with default password credentials, leave devices open to exploitation. Many IoT devices fail at device authentication because their passwords remain unchanged from the default values. How much work is needed to get these passwords? Researchers at Ben-Gurion University were able to discover passwords for a sample of 16 tested IoT devices in under 30 minutes with a simple Google search.

2. During deployment: Poor installation 

Most IoT devices are unprotected or poorly connected due to obsolete protocols, which makes them vulnerable to hackers looking to gain access to data. According to a recent Avast study, millions of devices use obsolete protocols such as Telnet, which are known to transfer data in plain text. In 2016, the Mirai malware took advantage of insecure IoT devices with open Telnet ports, attempting to log in with default passwords. The resulting massive distributed denial-of-service (DDoS) attack left much of the Internet inaccessible on the United States’ East Coast and interrupted services to major sites like Amazon, PayPal and Netflix across North America and parts of Europe.

3. After deployment: Onboarding pain 

Onboarding of IoT devices can still be a challenge after they are installed, especially for complex wide-area installations with a large number of devices. In a smart city project, the onboarding process can take around 20 minutes per device and involves coordination among installation technicians, operational technology teams and IT network/security operations. The time and manpower this requires is a major undertaking, which puts the scalability of future projects like ‘Switching on Darwin’ into question.
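As an added illustration of the first two challenges (not code from this article or from the FIDO Alliance), the sketch below is a pre-deployment gate that flags devices whose admin password is still the vendor default or that expose a cleartext management service. It assumes a hypothetical provisioning inventory that records each device's open ports plus a salted PBKDF2 verifier of its admin password; all device names, model names and passwords are constructed placeholders.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Services that carry credentials in cleartext. The article names Telnet;
# FTP and HTTP are added here as an assumption.
CLEARTEXT_SERVICES = {21: "ftp", 23: "telnet", 80: "http"}

def verifier(password: str, salt: bytes) -> bytes:
    """PBKDF2 verifier in the form the hypothetical inventory stores it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Device:
    name: str
    model: str
    open_ports: tuple
    salt: bytes
    admin_verifier: bytes

def audit(devices, vendor_defaults):
    """Return {device name: [findings]} for devices that fail the gate."""
    report = {}
    for dev in devices:
        findings = []
        default_pw = vendor_defaults.get(dev.model)
        if default_pw is None:
            findings.append("no vendor default on record; password change unverified")
        elif hmac.compare_digest(verifier(default_pw, dev.salt), dev.admin_verifier):
            findings.append("admin password is still the vendor default")
        for port in sorted(set(dev.open_ports)):
            if port in CLEARTEXT_SERVICES:
                findings.append(f"cleartext service {CLEARTEXT_SERVICES[port]} on port {port}")
        if findings:
            report[dev.name] = findings
    return report

# Constructed sample data: device names, models and passwords are placeholders.
VENDOR_DEFAULTS = {"cam-x1": "EXAMPLE-DEFAULT-1", "lamp-l2": "EXAMPLE-DEFAULT-2"}

def sample_inventory():
    s1, s2, s3 = b"salt-cctv-017", b"salt-led-204", b"salt-env-009"
    return [
        Device("cctv-017", "cam-x1", (23, 443), s1, verifier("EXAMPLE-DEFAULT-1", s1)),
        Device("led-204", "lamp-l2", (443,), s2, verifier("rotated-unique-value", s2)),
        Device("env-009", "sensor-e3", (22, 80), s3, verifier("another-unique-value", s3)),
    ]

if __name__ == "__main__":
    for name, findings in audit(sample_inventory(), VENDOR_DEFAULTS).items():
        print(name, findings)
```

Comparing verifiers rather than plaintext means the inventory never has to hold a usable device password, and a model with no recorded default is reported rather than silently passed.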

FIDO Alliance moves to secure IoT devices 

Yes, with great connectivity comes great responsibility. It is time for all stakeholders involved, public and private sector, to find better ways to navigate new security vulnerabilities and privacy concerns. 

At the FIDO Alliance, we believe it is possible to eliminate the use of passwords from IoT networks altogether. FIDO, which stands for Fast Identity Online, is a non-profit group composed of technology industry partners working together to establish standards for strong authentication. Member organizations include technology leaders across enterprise, payments, telecommunication, government and healthcare sectors.

Just this year, the FIDO Alliance formed the IoT Technical Working Group (IoT TWG) to expand standards and certifications to IoT. The Group will develop use cases, target architectures and specifications covering IoT device attestation/authentication profiles, automated onboarding and binding of applications to IoT devices, and IoT device authentication and provisioning via smart routers and IoT hubs. 

As IoT fast becomes a norm, such industry collaboration and standardization are essential to remove all potential points of failure within IoT systems. 

Australia ranks high in future city readiness according to IDC. In a Future City Internet of Things Readiness Index in Asia/Pacific report put out recently, the country placed second in government readiness and third in business readiness. City planners and technology leaders will need to put their best foot forward and walk the journey together to maintain this high standing as they embark on more smart city projects.