Attackers could potentially intercept, read or change data, Rose adds. "They could tamper with control systems and change functionality, all adding to the risk scenarios," he says.
One simple example of how network-enabled devices can become a security threat is networked printers, says Randy Marchany, CISO at Virginia Tech University and the director of Virginia Tech's IT Security Laboratory.
"Every printer comes with a built-in [Web] server. Point your browser at the device and you get a control screen/page for the device," Marchany says. "By default, most printers have a 'blank' password. You can see the problem with that right away. Yes, you can change that password but that information usually isn't in a 'read me first' page.
Another issue is ensuring that the version of the Web server running is not vulnerable to attack. "It's not an easy thing to upgrade a [Web] server running on a printer," Marchany says. "You have to usually do a firmware upgrade and for that, you're at the mercy of the vendor. So, default built-in services such as a Web server and the inability to patch/upgrade these services are two threats I think need to be addressed in today's environment."
Security incidents involving IoT implementations are already occurring. "Most examples are from a lab or test environment," Rose says. "Although real examples have occurred, few are willing to assign blame to external attackers due to the concern that may cause."
Among the recent examples, one involves researchers who hacked into two cars and wirelessly disabled the brakes, turned the lights off and switched the brakes full on—"all beyond the control of the driver," Rose says. In another case, a luxury yacht was lured off course by researchers hacking the GPS signal that it was using for navigation.
"Home control hubs have been found to be vulnerable, allowing attackers to tamper with heating, lighting, power and door locks," Rose says. Other cases involve industrial control systems being hacked via their wireless network and sensors, he says.
"We are already seeing hacked TV sets and video cameras [and] child monitors that have raised privacy concerns, and even hacked power meters which to date have been used to steal electric power," adds Paul Henry, a principal at security consulting firm VNet Security LLC in Boynton Beach, Fla., and a senior instructor at the SANS Institute, a cooperative research and education organization in Bethesda, MD.
"A recent article spoke of a 'hacked light bulb,'" Henry says. "I can imagine a worm that would compromise large numbers of these Internet-connected devices and amass them in to a botnet of some kind. Remember it is not just the value or power of the device that the bad guy wants; it is the bandwidth it can access and use in a DDoS [distributed denial-of-service] attack."
Sign up for MIS Asia eNewsletters.