Are IoT (Internet of Things) devices security time bombs waiting to explode, or just benign and hugely-beneficial technological advances? As ever, the truth is somewhere in between, but there is a very simple test you can apply to assess which end of the spectrum a device sits at: ‘It depends’.
IT decision-makers were asked to identify the main barriers when implementing or exploiting an IoT initiative: Device or data security was named as a factor by 39 percent of respondents, (the biggest consensus of the survey), while 34 percent named a lack of clarity of purpose or understanding of the benefits (seewww.computing.co.uk)
Which sums up the entire debate in a single sentence: “We have reason to be afraid of the potential threat this technology brings, while also asking the question – Do we need to internet-enable all these things?”
WHAT HAS HISTORY TAUGHT US ABOUT IoT DEVICES
Why is there an IoT threat to worry about? Our familiar computing platforms – regular PCs/Tablets/ Smartphones and everyone knows that these ‘things’ all run software. They also need updates and to be set-up, aka configured.
We also know that the very nature of these ‘soft’ devices renders them susceptible to malware and hacking, and consequently, we expect manufacturers to factor in security to their design. Likewise, the consumer has an appreciation that there is a need for good ‘security-hygiene’ to be observed.
Now consider the IoT world. There is nothing new in basic electronic devices having configuration settings and software (often in the form of firmware). Any TV, cable box, broadband router, heart monitor, industrial control system etc. will be driven by a firmware brain. These devices are seldom if ever patched, upgraded or hardened against misuse: They are ‘fit and forget’ boxes and considered harmless.
Where the problem has arisen is with the convergence of two developments intended to improve the functionality of these more humble non-computing devices. Both the internet-enablement of more devices, together with the increased adoption of more function-rich application runtimes/environments, including full operating systems, has rendered these things much more vulnerable to misuse. And in a meshed-network world where everything has access to everything else, the potential for harm has increased exponentially, as the rapid and widespread of WannaCry showed.
A seminal moment where the IoT threat became real was last year’s Mirai malware attack that took down some of the most popular websites including Twitter, Spotify, and PayPal. From connected security cameras to DVRs and Smart TVs, the Mirai attacks were perpetrated by millions of cheap connected devices.
Mirai took advantage of security vulnerabilities found in IoT devices to launch a massive DDoS attack. Mirai worked by binding IoT devices to form one huge connected network – a BotNet – then used this to deluge websites with phony requests, overloading the sites and knocking them offline.
As soon as the ‘I’ was added to all the ‘Things’, the threat of misuse or malicious takeover became real, leading to the bi-partisan IoT security bill being introduced recently.
If the spectrum of things at risk covers fridges through to cars, then we do indeed have a potentially massive problem – Gartner estimate there will be 13.5 billion devices by 2020, while Cisco says 50 billion.
ARE ALL IOT DEVICES EQUALLY POTENTIALLY DANGEROUS?
So when assessing the potential threat posed by our things, what determines the ‘It depends’?
Key questions are what is the potential for harm posed by the device, and what is the relative sophistication of the device in terms of:
It's connectivity/access (both how can it be infiltrated, and if it was compromised, what else could it get at/provide access to?)
Its functional capabilities (what harm could it do if compromised, either directly or indirectly?)
and finally, its cyber-anatomy (does it run a full operating system – Windows, Android, Automotive Linux, does it have a filesystem and configuration settings?)
There also needs to be a measure of how much consideration has been applied to securing the device during its design and manufacture.
So the risk presented by an IoT device depends on several factors relating to both the design and also how the device is used and where it is deployed.
How much damage could a rogue IoT device cause?
The classic cliché of the IoT world is the smart toaster or internet-controlled fridge, even though these examples pose a relatively minor threat compared to those devices with more computing power or those deployed in say, critical infrastructure situations.
By way of illustration, compare a smartphone to an internet-enabled refrigerator. The smartphone can potentially do far more harm (it handles confidential data, banking credentials, passwords, it has a camera/microphone that could be abused, and it provides an ideal staging post to hack other devices, with a full operating system and both Wi-Fi and cellular internet access).
However, by its nature, the smartphone is known from the outset to be potentially vulnerable, and not just by the manufacturer but the third party app providers and the users all appreciate that security is paramount.
Therefore security measures are built-in and crucially, enabled and operated. Updates to protect against new vulnerabilities are applied automatically, and security beyond passcode protection is augmented with data encryption and cryptographically-signed software.
By contrast, the fridge just gets unboxed and powered up. It most likely uses universal plug and play connectivity to make it easy to network and because there was little or no consideration to the need for security during its design, it is highly prone to compromise. But what harm can a fridge do? A Stuxnet-style takeover isn’t going to do too much damage – although the milk will go sour if the fridge thermostat is overridden.
However, it is likely that there will be some form of automated online account in existence that may be leveraged to order goods and supplies. As apparently impotent as it may seem, the fridge just might be a launch point to that valuable online re-ordering account facility that keeps the fridge stocked. It could also be harnessed within a DDOS BotNet or used to access other devices in the home, including the broadband router, alarm system or a home computer.
Perhaps the greater concern is when we get to industry-specific devices, for example:
Medical equipment in a hospital (the ransomware heist at the Hollywood Presbyterian Medical Centre was a more traditional IT system attack but a direct infiltration of patient support systems would be a terrifying prospect).
Building Control Systems/Smart City infrastructure – access control to offices and warehouses, alarm systems, heating and ventilation, traffic management systems.
Power Station SCADA systems – the NERC CIP initiative has long recognized the need for protection of energy company infrastructure, but the potential for damage is so great that this is one of the most critical cyber-security weak spots, and it’s real, based on recent reports coming from Germany.
Military systems – it goes without saying that the control systems used for military applications need protection for everyone’s sake.
Any other industrial control systems, used in the petrochemical, oil and gas, pharmaceuticals, water supply, rail network, air traffic control, unmanned drones…
Something must be done about these Things, but what?
`Moving forward, there will be more consideration placed on built-in security to the devices themselves and the way in which they use the internet. For example, removing any direct access to the device in favor of an indirect access architecture provides an inherently more secure model. A master-slave model for IoT deployments whereby any updates or configuration change is applied to the slave, ‘on premises’ device via a secure, cloud-based master system offers strong, built-in protection. If we know that there should never be any unexpected changes to the core software of the things attached to the internet, then change detection/system integrity monitoring is hugely important whether it is your fridge, heart monitor or power-plant control system.
Similarly greater emphasis on penetration testing/vulnerability assessment for IoT devices will become more prevalent, with Tesla leading the way in the automotive sector. In fact, greater adoption of all time-honored security best practices such as system hardening, change detection, File Integrity Monitoring, breach detection, and audit log analysis should all be applied to any ‘thing’ vulnerable to cyber-attack.
For the legacy devices already in place and for the new devices being produced where security isn’t perceived as being important by the manufacturer, or crucially, by the consumer, the IoT problem is going to be with us for a long time to come.
So where to start? In terms of pragmatic action to deal with the potential threat posed by these ‘things’, first, understand what you have. Regularly scan for all network-connected devices and identify what they are. Anything new needs to be checked for how it operates, what its functions/capabilities are and how it can be secured. Changing default username and passwords is always Step One of any hardening program, but disabling UPnP services where possible and firewalling where not, should be key. Thereafter system integrity monitoring is a key practice in determining if any suspicious activity has taken place that could be the start of an IoT-based hack.
Do all of this, and you might just keep that milk fresh.