According to Tannenbaum, this particular hotel reverted to physical keys, eliminating that problem, but this likely complicating the hotel’s room management system.
The problem goes far beyond hotel keys and consumer video cameras. Connected production and inventory equipment has been the norm in the enterprise for decades. Many of these devices perform simple functions, reporting stock withdrawals or receiving manufacturing instructions. But they’re all part of the IoT, even though they may have been in operation before they were connected to global internet, and certainly before rise of international cybercrime.
Many of these devices have little or no built-in protection, cannot be updated remotely, if at all, and in many cases they don’t even appear to be connected to the internet. But that doesn’t mean they’re safe from a malware attack.
An example that clearly points this out is the IoT attack perpetrated by the Stuxnet malware. This attack bridged the airgap between the internet and uranium centrifuges being used in the Iranian nuclear program. In this case the malware was spread by infected USB memory sticks. But it demonstrates the danger of assuming that a connected device can be protected by the lack of a network connection.
The fact is that any smart device can be compromised and it doesn’t have to be very smart. Those machine controllers running the Iranian centrifuges and those hotel door locks are actually pretty dimwitted in terms of their capability, but they could be taken over because the key code system was connected to the internet, which made them vulnerable enough.
Likewise, it’s easy to suggest that it’s up to the manufacturers to keep their devices updated with new security features, but that’s not always possible, especially with older devices where remote updates were never contemplated.
This is why services like Orbit can help a bad situation. While they’re not perfect, they do a lot to overcome the limitations of IoT devices as they’re usually sold and they have the potential to solve the update problem even for devices that can’t be updated.
But there’s also a way for business to take a longer term approach to IoT device security. If you establish an IT policy that all connected devices that are acquired by your organization must meet a specific level of security, then you will be more likely to have a secure network.
Eventually there may even be more IoT devices that are designed to be secure. But in the meantime, you have to work with what you’re got, so maybe it’s time to look at protective measures such as Cloudflare Orbit.