The Internet of Things and the Security of Us
The risks posed by the Internet of Things are still not fully understood. Devices that connect to the Internet without proper security are trouble waiting to happen.
- By Brian J. Dooley
- December 13, 2016
With 6.4 billion devices already deployed and 32 billion expected by 2020 according to Gartner, the Internet of Things (IoT) is coming to a neighborhood near you. That means a potential explosion in security issues from Internet-connected devices.
The nature of these devices, their risks, and their inherent exposure to security issues remain little understood. Recently, the massive attack on the Dyn DNS service revealed that sections of the network could be shut down with a distributed denial of service (DDoS) attack launched from a network of compromised machines, called a botnet, of 100,000 Internet-connected devices.
Internet-connected devices include laptop and desktop computers, smartphones, and tablets as well as an increasing array of items such as Fitbits for health, smart watches, smart televisions, security systems, baby monitors, payment devices, and a wide range of industrial process components (such as security cameras, remote actuators, drones, cleaning equipment, tools, and large-scale control mechanisms for power grids, gas lines, and manufacturing processes).
The connection to the Internet vastly increases the power and adaptability of these devices. This can give enterprises an important and often critical edge; it can aid people in their daily routines; it can make it possible to remotely manage equipment and reduce personal and employee workloads. The extreme advantages also lead to a competition to roll out the latest and greatest connected devices as quickly and cheaply as possible, with subsequent lack of attention to security details.
The Security Problem
For low-end connected devices, security is almost always an afterthought. User instruction on security is generally lacking or poorly explained. People do not understand the risks either at the consumer level or within the corporate environment. Frequently, default passwords are the only protection in place. This has been known for a long time, and there are many freely available methods for accessing and attacking devices.
In previous years, such exploits remained relatively harmless. In the present day, the proliferation of devices and the growing sophistication of analytics provide an open playing field for threats, both on the network and in the physical realm. A DDoS attack is the simplest and most obvious because it merely uses a botnet to simultaneously attack a network point with thousands of devices. Such attacks can be used to impede access to services during an emergency, to thwart security systems, to create an event that enables another exploit, or to gain control of other devices by overloading their systems and forcing a reset.
A DDoS attack is only one possibility, however. Gaining control of physical devices presents more harrowing issues as demonstrated by last year's successful attempt to gain control of an automobile. Devices that act within the physical world can be used to create unforeseen attack vectors for other exploits. Unlike a simple network attack, physical components mean that actual physical harm may be caused or events in the external world can be affected.
As we move into the IoT era, security breaches become more likely and the consequences become more dire. Attacks are becoming more sophisticated, with more layers and deeper strategies. Some are undertaken by governments or criminal gangs that have access to the latest technology and resources, enabling them to employ software and actors on a global basis.
Measures of Self Protection
What can organizations do to protect themselves in this growing and evolving situation? We spoke with Reiner Kappenberger, global product manager (big data/Hadoop) at HPE Security, about this issue.
"In the Internet of Things, the problem begins with the devices themselves. The recent attack on the Dyn server made use of vulnerabilities in a few common devices from a few companies; the devices were hacked and code for controlling them (called Mirai) was used to create a huge botnet that enabled the attack. If these devices had better security included from the beginning, the attack could not have taken place."
The IoT is also particularly vulnerable due to older devices with out-of-date software. "The life cycle for today's devices is not that long," says Kappenberger. "In a few years, the old product is at the end of its life from the support standpoint. In the home environment, this often stops a year after purchase. ... Nobody is updating the DVD player, webcam, or IoT device. In a few years it becomes available to hackers for sophisticated attacks, because security has never been updated, even if security measures (such as provision of a reasonable password) have been taken. Smart TVs are a new threat, with their included cameras and more sophisticated processors."
Another issue is that security in the IoT space remains proprietary and fragmentary. This is characteristic of an emerging technology, but IoT devices are no longer emerging. Vendors should be coming together to create uniform systems that eliminate loopholes in security and provide a more secure environment.
Protecting Corporate Data
Although current discussions revolve around consumers and the billions of devices that have been deployed, companies also need to defend themselves. Consumer devices will continue to enter the workplace as new functionality is developed. These devices will be inherently risky; measures might be taken to ensure they are hardened, but small and limited-function devices will always have weaker security than their more capable cousins.
"If everything is on the same network and I can infiltrate one device, I can get to them all and reach company data," says Kappenberger. "It's important to keep devices on a separate network. Otherwise, it is possible to open the company network to serious harm. For smartphones, companies frequently use mobile device management software; if devices used for corporate data are compromised, it is possible to wipe that data remotely. The IoT is still an unknown, so devices need to remain on a separately managed network to ensure they do not interfere with company business or risk opening the network to intrusion."
It is also important to bear in mind that IoT devices are different. Intrusion protection for these devices requires additional rules. It is important to change passwords, rotate passwords, and have well-known and understood policies. Some companies providing devices are already forcing users to change passwords regularly.
Finally, businesses need to protect the sensitive, private data collected by IoT devices with end-to-end encryption and a data-centric security approach throughout the IoT infrastructure. Organizations should encrypt communications as well as commands and values on a field level, going from the device to the infrastructure and remote control element. This removes risk (even if an attacker is able to impersonate the infrastructure) and enables maximum protection against remote takeover of an IoT device -- the biggest threat to IoT security.
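The field-level, end-to-end protection described above, shown as an added example rather than anything from the article or HPE: each command field is sealed with AES-GCM under a key known only to the device and the control element, with the device ID and field name bound as associated data. The relaying infrastructure never sees plaintext, and an impersonated infrastructure cannot alter, re-address or re-purpose a field. The `Command` type, the function names and the demo key are all assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Command is a control message as it crosses the (untrusted) infrastructure.
// Fields holds each value individually sealed as nonce||ciphertext.
type Command struct {
	DeviceID string
	Fields   map[string][]byte
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16/24/32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealFields runs on the control element: every field is encrypted separately,
// with deviceID and field name as associated data so the ciphertext is only valid
// for that device and that field.
func SealFields(key []byte, deviceID string, plain map[string]string) (*Command, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	cmd := &Command{DeviceID: deviceID, Fields: map[string][]byte{}}
	for name, value := range plain {
		nonce := make([]byte, aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		aad := []byte(deviceID + "|" + name)
		cmd.Fields[name] = append(nonce, aead.Seal(nil, nonce, []byte(value), aad)...)
	}
	return cmd, nil
}

// OpenFields runs on the device and rejects any field that was modified, moved
// to another field name, or addressed to a different device, whoever relayed it.
func OpenFields(key []byte, cmd *Command) (map[string]string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	out := map[string]string{}
	for name, blob := range cmd.Fields {
		if len(blob) < aead.NonceSize() {
			return nil, errors.New("field too short")
		}
		nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
		pt, err := aead.Open(nil, nonce, ct, []byte(cmd.DeviceID+"|"+name))
		if err != nil {
			return nil, fmt.Errorf("field %q rejected: %w", name, err)
		}
		out[name] = string(pt)
	}
	return out, nil
}
```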
Always Be Prepared
We are in the dawning era of this threat; however, it could develop very swiftly as new attack software such as Mirai becomes more widely available. Mirai and its cousins are being provided openly on the Internet. This means that any individual or organization can obtain the software. We have already seen this in the development of malware, where sophisticated open source kits are used to create complex viruses with selective payloads.
This type of sophistication will add to the threat as the memory and processing power of tiny devices continue to improve. Access to innumerable devices is also aided by big data and by the continuous increases in low-cost bandwidth availability.
Within this changing environment, devices take on a new importance. Those that have never been updated and sit exposed on the Internet are trouble waiting to happen. It is essential to consider which devices are actually likely to access the system and to ensure that all networks are protected from DDoS attacks through filtering and other measures.