Securing the Internet of Things
The computer industry seems to prefer playing catch-up when it comes to security. When PCs and servers came onto the scene, they were wide open to viruses. It took years for basic safeguards to be developed, promoted and adopted. And mobile security has only recently begun to get attention after a few well-publicized mobile malware attacks.
You would think by now the lesson would have been learned — design security into new technologies from the get-go to avoid huge problems down the road. But once again we’re headed down the same perilous path.
Security Taking a Back Seat in IoT’s Exponential Growth
The Internet of Things (IoT) seems destined to repeat the errors of the past by throwing out functionality with great rapidity, standing aside idly to let its vulnerabilities be exposed, and only then plugging the holes with some kind of Internet of Things security fix. But by then, it may be too late.
Why? The headlong rush toward an IoT world is in full swing, and it’s easy to understand what all the fuss is about.
The IoT enables the automation and real-time synchronization of business processes and devices that were formerly inefficient due to their inability to continuously adapt to environmental variables, inputs and shifts in demand. The permeation and propagation of the IoT holds the promise of convenience, precise response to real-time events and far better resource allocation.
“IoT devices assist businesses in real-time responses to supply-and-demand market effects, they empower patients and healthcare professionals to continuously monitor conditions, and they enable electric grid operators to adjust the production, flow, and cost of electricity according to real-time market demands to ensure the most efficient, resilient, and cost-effective solution,” says James Scott, senior fellow at the Institute for Critical Infrastructure Technology, a Washington DC-based cybersecurity think tank.
The Importance of IoT Security
Intel predicts 200 billion IoT devices will be online by 2020, which is approximately 26 devices per person. But that may be a conservative estimate, and the potential vulnerabilities are troubling.
“Most IoT devices and sensors lack any form of security or security-by-design,” says Scott. “Without layered security of the IoT microcosms, hacktivists can disrupt business operations, cyber-criminals can compromise and ransom pacemakers, and cyber-jihadists or nation-state sponsored threats can compromise and control the grid,” to name just a few of the potential IoT security attack scenarios.
Scott urges that serious attention be given to securing IoT devices according to best practices. That starts by making security a fundamental part of the design of any IoT-related systems, devices, sensors or equipment. If such steps remain a low priority for the next few years, we won’t have the luxury of mirroring what occurred with the mobile phone, server or PC markets — adding security gradually after the fact. There will rapidly be too many IoT devices out there to make that an achievable goal.
Think of it like this: there are millions of cars on the road that need faulty airbags replaced. Yet despite the vast number of car dealership networks on the planet, most simply can’t keep up — there are backlogs of many months everywhere. And that’s just dealing with a scale of millions. Once you leap up to the hundreds of billions, it becomes impossible to address so many individual points.
“Every IoT device has inherent vulnerabilities and exploitable weaknesses resulting from a culture that sacrifices security in the design process in favor of meager savings and in the rush to market,” says Scott. “The overwhelming preponderance of insecure IoT devices in the future will render security an impossibility in the future.”
Internet of Things Security Concerns Loom Large
But with hundreds of companies rushing to create whole new markets, security is lagging badly. Even where responsible market entrants incorporate best practices, they are assailed by cut-rate competitors who slash costs in part by skipping even the most basic security safeguards.
Last year’s DDoS attack on managed DNS provider Dyn brought the danger into sharp focus.
“As was shown in the Dyn attack, we appear doomed to repeat the mistakes we made with PCs and mobile devices in IoT,” says Tom Byrnes, founder and CTO of ThreatSTOP. “Once again, cost reduction has made security an afterthought, if a consideration at all, with predictably disastrous consequences.”
However, the IoT makes this exponentially worse than it was with PCs and mobile devices because of the number and importance of connection points, and the fact that they are not directly interfacing with users who might notice something amiss. The Mirai botnet event showed criminals and nation states how easy it is to use IoT sensors and devices as drones.
IoT Device Security Vulnerabilities
Tom DeSot, Chief Information Officer at Digital Defense, believes it is inevitable that as more smart thermostats, refrigerators, medical equipment and a myriad of other IoT devices come online, the number of attacks will rise steeply. These attacks could be large in scale, or in many cases could be tailored to target an individual or business — suddenly the toaster in the staff café or someone’s personal fitness band is being used to infiltrate the entire network.
What kind of vulnerabilities are we talking about? Some of the primary vulnerabilities that exist today are hard-coded usernames and passwords in firmware, in tandem with the inability of the user (whether it is a person or a company) to update the password. Additionally, the device may run services, such as a web server that acts as the user interface, that can fall out of date. The user has no way to update them, which leaves the device exposed to external influences.
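One way a vendor or buyer can check for the hard-coded credentials described above before a device ships or is deployed, shown as an added example that is not from the original article: a small audit of an already-unpacked firmware file tree. The function names, file layout and all sample values are assumptions constructed for the illustration.

```python
import os
import re
import tempfile

# Config keys that look like credentials, followed by a literal value.
CRED_RE = re.compile(r"(?i)([\w.-]*(?:passw(?:or)?d|secret)[\w.-]*)\s*[=:]\s*[\"']?([^\s\"']+)")

def audit_firmware(root):
    """Return sorted (relative_path, line_no, finding) tuples for an unpacked tree."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, "r", errors="replace") as fh:
                    lines = fh.read().splitlines()
            except OSError:
                continue
            for no, line in enumerate(lines, 1):
                if rel in ("etc/passwd", "etc/shadow"):
                    parts = line.split(":")
                    # "x" defers to shadow; a leading "!" or "*" means login is locked.
                    if len(parts) < 2 or parts[1] == "x" or parts[1][:1] in ("!", "*"):
                        continue
                    kind = "empty password" if parts[1] == "" else "baked-in password hash"
                    findings.append((rel, no, f"{kind} for account '{parts[0]}'"))
                else:
                    m = CRED_RE.search(line)
                    if m:
                        findings.append((rel, no, f"literal credential in key '{m.group(1)}'"))
    return sorted(findings)

def demo():
    """Audit a small constructed firmware tree; every value below is invented."""
    files = {
        "etc/passwd": "root:x:0:0:root:/root:/bin/sh\nnobody:*:65534:65534::/:/bin/false\n",
        "etc/shadow": "root:$1$CONSTRUCTED$notarealhash:0:0:99999:7:::\nsupport::0:0:99999:7:::\n",
        "etc/httpd.conf": "port=80\nadmin_password=CONSTRUCTED-EXAMPLE\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, text in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)
        return audit_firmware(root)

if __name__ == "__main__":
    for rel, no, msg in demo():
        print(f"{rel}:{no}: {msg}")
```

Any finding here is a credential that is identical on every unit built from the image, which is why it needs to be caught in the build pipeline rather than after release.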