However, the firm also believes that after the year 2023, connected cars will be the most prevalent in the Internet of Things market.

The figures

Next year, CCTV will account for 70% of the 5G IoT endpoint installed bases. This said it’s thought the number will drop by over half to just 32% by 2023. It also implies that the number of CCTV cameras installed across the world will grow from 2.5 million in 2020 to 6.2 million in 2021 which will rise to 11.2 million in 2022.

The results are also a comment on the increased use of CCTV and security issues that may occur due to this.

Stephanie Badhdassarian, senior research director at Gartner, comments on the use of 5G in CCTV. She said: “Cameras deployed by city operators or used to ensure building security and provide intruder detection offer the largest addressable market as they are located outdoors, often across cities, and require cellular connectivity.”

Connected cars impact on the IoT market

Connected cars are forecast to have 19 million installations in the next three years and will account for just over a third of the IoT sales.

“The addressable market for embedded 5G connections in connected cars is growing faster than the overall growth in the 5G IoT sector,” said Baghdassarian.

“Commercial and consumer connected car embedded 5G endpoints will represent 11% of all 5G endpoints installed in 2020, and this figure will reach 39% by the end of 2023.” The researcher added.

Other technologies that Gartner feels will play a part in the IoT markets, is fleet telematics devices which will total 5.1 million and is part of the 11% previously mentioned.

The post IoT market will be dominated by CCTV in the next three years appeared first on DevOps Online North America.

An invasion of privacy, an insecure channel for exploiting the individual, an unnecessary form of automation, a super gateway for powering botnets… All of these accusations have been levelled at the Internet of Things (IoT) and with some justification. The ludicrously poor security of these devices has laid them wide open to attack.

We have seen data sent in the clear, rather than via SSL, allowing an attacker to intercept communications sent from the device to the cloud-based service. We’ve seen easily hackable online user accounts, allowing the attacker to enumerate passwords using the forgotten password feature.

We’ve even seen websites that allow user account deletion without the need for authentication. Yet adoption continues apace and no one, it seems, has stopped to think who is ultimately responsible in the event of an attack orchestrated over the IoT.

DDoS attacks

The massive Distributed Denial of Service (DDoS) attacks carried out against Brian Krebs, OVH and Dyn last autumn served as a wake-up to call to an industry that continues to ignore warnings. Security researchers had long been predicting the potential for the computing resource of the IoT to be hijacked and used for harm.

In the case of the DDoS attacks, Mirai malware (originally developed to attack DVR devices) was used to enslave other devices via the dated and seldom used Telnet protocol. This resulted in a botnet battery capable of launching attacks that peaked at over 1Tbps.

The publication of the Mirai code has now reduced the threat of attacks using this vector (the proliferation of botnets that are now all seeking to use a finite resource has a self-limiting effect) but the incident has served to illuminate the difficulty of attribution and retribution.

Sloppy security

While Mirai and the attackers behind it (who, interestingly seem to have been DDoS Mitigation Service providers) were clearly to blame, the security mechanisms used by these devices also drew criticism. In fact, if you look at Mirai itself, it carried out perfectly legitimate actions to access the device. It was the use of the redundant Telnet protocol, and default passwords that were seen as a sloppy security practice.

Even in those cases where device passwords are routinely changed, it’s often possible to find these online. For instance, CCTV log-in credentials are often shared by installers, the long supply chains associated with the IoT are in themselves a weak spot enabling data leakage or device tampering.

So should manufacturers be held to account? IoT devices differ from their dumb counterparts in that they can be updated with Over-The-Air (OTA) updates from the manufacturer.

This can effectively extend the lifespan of the product but also means that responsibility for their product no longer simply extends to a twelve month warranty period. Instead, they’re facing a responsibility for securing each device for years, or at least until they decide to no longer support the device and declare it’s end-of-life.

The landscape changes. New vulnerabilities are exposed in protocols, frameworks and hardware all the time, so the manufacturer will have to patch the device itself by issuing an OTA update or if the integrity of the device itself is in danger, a product recall may be in order. That’s a costly undertaking but a product recall also has other implications. By announcing a recall, the manufacturer could be said to have legally accepted that their devices are part of the problem and this could see them open to litigation.

Angry mob

The potential for a manufacturer to be sued is increasingly likely due not least to consumer angst. Avoidance tactics such as those used by VTech which altered it’s T’s and C’s to try and avoid being held to account after a data breach a couple of years back have seen consumers begin to question the trust they place in manufacturers.

In the EU and in the US, consumer lobbyists are now taking on the toy industry, filing complaints to the relevant national authorities on what seems to be obvious breaches of several consumer laws including an abuse of privacy. Vivid Imaginations Toy Group’s My Friend Cayla interactive doll has a litany of issues including the ability for an attacker to easily intercept and join-in communications between a child and the toy. That means any random stranger within Bluetooth range of a child playing with their toy can interact with the child.

If such actions are successful they could well pave the way for lawsuits and this, in turn, will see manufacturers seeking recompense from their partners, such as software providers. If the developer has failed to observe tried and tested security best practice, there’s little doubt they too will be held to account.

But what about the communications layer? Could even network carriers be implicated? In the case of the Mirai attacks, is the manufacturer to blame for the malware taking out some Domain Name Servers? What about if such a botnet were to take out major social networks? Where do the device end and the network begin, particularly if the issue is with the protocol and not the IoT device as such?

Uncharted waters

Legally, we’re in uncharted waters and the authorities can’t draft legislation fast enough. In the UK, we’ve seen the Investigatory Powers Bill and the Digital Economy Bill. The former will compel all ISPs to keep a record of online activities and which services devices connect to, while the latter is paving the way for web blocking.

In addition, the General Data Protection Regulation due to be adopted in May 2018 will increase the powers of the individual to access data and file complaints. Across the pond, amendments to Rule 41, a statute that regulates search and seizure for the US Department of Justice, grants the authorities the power to seize computing equipment and user data. This is expected to see a clamp down on the use of anonymising software and will also empower the authorities to seize IoT equipment.

In light of these events, manufacturers may want to want to take another look at their cyber liability insurance policies. Do these cover an IoT compromise? How far does the policy extend? For now, I suspect claims relating to IoT and DDoS will be far beyond the capacity of today’s insurance markets and that leaves manufacturers facing a stark choice: address security issues now or be prepared for some potentially ruinous lawsuits further down the line.

The pressure from consumers and the authorities alike mean that the time is running out for IoT vendors. For too long there’s been a tendency to grab market share at any cost but there’s now a real impetus for the industry to self-regulate. Unless manufacturers step up and embrace standardisation we will see more of the types of attack launched back in September. Except for next time they might not harness IoT resource to attack a web provider, they might take down the critical national infrastructure or even wipe out the Internet of an entire country.

Written by Ken Munro, Partner, Pen Test Partners

The post Bearing the blame: who’s responsible when IoT gets hacked? appeared first on DevOps Online North America.

The product will be designed to help companies investigate compensation claims for accidents on their premises.

The product could save British firms up to £800million in fraudulent accidents, because companies cannot effectively investigate and defend claims because they are usually able to store CCTV footage for only 30 days.

Gary Trotter, co-founder of Ocucon, said: “Any organisation that captured large amounts of CCTV data, including local authorities and transport companies, could benefit from the product.

“Typically, businesses are restricted to saving 30 days of surveillance footage purely because of the sheer scale of the data.

“However, the threat of litigation and fraudulent claims — many of which are received after 30 days has passed — has resulted in increasing numbers of businesses needing to store security footage for longer.”

Trotterer also noted Ocucon is the first cloud-based software system that processes and transmits unlimited amounts of CCTV footage into the cloud.

Written by Leah Alger

The post Ocucon partners with Google Cloud to store CCTV appeared first on DevOps Online North America.