Are IoT (Internet of Things) devices security time bombs waiting to explode, or just benign and hugely-beneficial technological advances? As ever, the truth is somewhere in between, but there is a very simple test you can apply to assess which end of the security time-bomb/benign-gadget spectrum the device sits at: ‘It depends'.
IT decision-makers were asked by a publication to identify the main barriers when implementing or exploiting an IoT initiative: Device or data security was named as a factor by 39 percent of respondents, (the biggest consensus of the survey), while 34 percent named a lack of clarity of purpose or understanding of the benefits.
Which sums up the entire debate in a single sentence: “We have reason to be afraid of the potential threat this advance in technology brings, while also questioning the value of the ‘advance' – do we need to internet-enable all these things?”
What has history taught us about IoT devices
Why is there an IoT threat to worry about? We have our mainstream computing platforms - regular PCs/Tablets/ Smartphones and everyone knows that these ‘things' all run software including third party apps. They also need updates and to be set-up, aka configured.
We also know that the very nature of these ‘soft' devices renders them susceptible to malware and hacking, and consequently we expect manufacturers to factor in security to their design and production. Likewise the consumer has an appreciation that there is a need for good ‘security-hygiene' to be observed.
Compare all this to other ‘things'. There is nothing new in more basic devices also having configuration settings and software (often in the form of firmware), such as TVs, cable boxes, broadband routers, heart monitors, industrial control systems etc. These are seldom, if ever patched, upgraded or hardened against misuse: They are ‘fit and forget' boxes and considered harmless.
Where the problem has arisen is with the convergence of two developments intended to improve functionality of these more humble non-computing devices. Both the internet-enablement of more devices, together with the increased adoption of more function-rich application runtimes/environments, including full operating systems, has rendered these things much more vulnerable to misuse. And in a meshed-network world where everything has access to everything else, the potential for harm has increased exponentially.
There are two stand-out seminal moments where the IoT threat became real
- the Stuxnet attack on Iranian Nuclear facilities where malware was used to take-over control systems, leading to the destruction of critical centrifuge equipment
- the chilling demonstration last year showing why the IoT could be a colossal problem, now known as the Chrysler Jeep Hack, where key systems such as engine management and braking systems were shown to be accessible using an external cellular connection
As soon as the ‘I' was added to all the ‘Things', the threat of misuse or malicious takeover became real, leading to the FBI issuing the following warning recently.
If the spectrum of things at risk covers cars through to nuclear-material centrifuges, then we do indeed have a potentially massive problem – Gartner estimate there will be 13.5 billion devices by 2020, while Cisco say 50 billion.
Are all IoT devices equally potentially dangerous?
So when assessing the potential threat posed by our things, what determines the ‘It depends'?
The assesment needs to take into account the potential for harm posed by the device, together with the relative sophistication of the device in terms of:
- Its connectivity/access (both how can it be infiltrated, and if it was compromised, what else could it get at/provide access to?)
- Its functional capabilities (what harm could it do if compromised, either directly or indirectly?)
- and finally, its cyber-anatomy (does it run a full operating system – Windows, Android, Automotive Linux, does it have a filesystem and configuration settings?)
There also needs to be a measure of how much consideration has been applied to securing the device during its design and manufacture?
The classic cliché of the IoT world is the smart toaster or internet-controlled fridge, even though these devices pose a relatively minor threat compared to those in industrial situations.
But by way of illustration for this point, compare a smart phone to an internet enabled-refrigerator. The smart phone can potentially do far more harm (it handles confidential data, banking credentials, passwords, it has a camera/microphone that could be abused, and it provides an ideal staging post to hack other devices, with a full operating system and both Wi-Fi and cellular internet access).
However, by its nature, the smart phone is known from the outset to be potentially vulnerable, and not just by the manufacturer but the third party app providers and the users all appreciate that security is paramount.
Therefore security measures are built-in and crucially, enabled and operated. Updates to protect against new vulnerabilities are applied automatically, and security beyond passcode protection is augmented with data encryption and cryptographically-signed software.
By contrast, the fridge just gets unboxed and powered up. It most likely uses universal plug and play connectivity to make it easy to network and because there was little or no consideration to the need for security during its design, it is highly prone to compromise. But what harm can a fridge do? A Stuxnet takeover isn't going to do the same amount of damage – maybe the milk will go off if the fridge thermostat is overridden?
However, it is likely that there will be some form of automated online account in existence that may be leveraged to order goods and supplies. As apparently impotent as it may seem, the fridge just might be a launch point to that valuable online re-ordering account facility that keeps the fridge stocked. It could also be used to access the broadband router or any other device in the home, including alarm systems or home computers/smart phones. This threat is real and applies not just to home networks, but banks too, which unfortunately cost theBangladesh Central Bank US$ 81 million (£56 million).
Perhaps the greater concern is when we get to industry-specific devices, for example:
- Medical equipment in a hospital (the ransomware heist at the Hollywood Presbyterian Medical Centre was a more traditional IT system attack but a direct act on patient support systems would be scary)
- Building Control Systems/Smart City infrastructure – access control to offices and warehouses, alarm systems, heating and ventilation
- Power Station SCADA systems - the NERC CIP initiative has long recognised the need for protection of energy company infrastructure, but the potential for damage is so great that this is one of the most critical cyber-security weak spots, and its real, based on recent reports coming from Germany
- Military systems – it goes without saying that the control systems used for military applications need protection for everyone's sake
- Any other industrial control systems, used in the petrochemical, oil and gas, pharmaceuticals, water supply, rail network, air traffic control, unmanned drones…
Something must be done about these Things
Moving forward, there will be more consideration placed on building-in security to the devices themselves and to the way in which they use the internet. For example, removing any direct access to the device in favour of an indirect access architecture for devices provides an inherently more secure model. A master-slave model for IoT deployments whereby any updates or configuration change is implemented on the slave ‘on premises' device via a secure, cloud-based master system offers strong built-in protection. If we know that there should never be any unexpected changes to the core software of the things attached to the internet, then change detection/system integrity monitoring is hugely important whether it is your fridge, heart monitor or power-plant control system.
Similarly greater emphasis on penetration testing/vulnerability assessment for IoT devices will become more prevalent, with Tesla leading the way in the automotive sector. In fact, greater adoption of all time-honoured security best practices such as system hardening, change detection, file integrity monitoring, breach detection and audit log analysis should all be applied to any ‘thing' vulnerable to cyber-attack.
For the legacy devices already in place and for the new devices being produced where security isn't perceived as being important by the manufacturer, or crucially, by the consumer, the IoT problem is going to be with us for a long time to come.
So where to start? In terms of pragmatic action to deal with the potential threat posed by these ‘things', first understand what you have. Regularly scan for all network-connected devices and identify what they are. Anything new needs to be checked for how it operates, what its functions/capabilities are and how it can be secured. Changing default username and passwords is always step One of any hardening programme, but disabling UPnP services where possible and firewalling where not, should be key. Thereafter system integrity monitoring is a key practice in determining if any suspicious activity has taken place that could be the start of an IoT-based hack.
Do all of this, and you might just keep that milk fresh.
Contributed by Mark Kedgley, CTO, New Net Technologies