The Internet of Things (IOT). Sounds innocuous doesn't it? A bit like 'days of our lives' or 'the life of dogs'. Sure, convenience flows from IOT (a bit like having a dog who can make an espresso) but there are pitfalls (say if the dog can't tell ground coffee from cayenne). We take a closer look at IOT: what it is, what you need to know, and how to reduce the chance of getting bitten.
The Internet of Things is a mysterious world, often discussed in hushed tones but what exactly is it? IoT describes the expanding array of internet-connected electronic devices being added to TVs, cars, fridges, medical devices, dog collars and a lot, lot more. Because we do have the technology, there’s a rush to embed sensors in all kinds of devices, and equip them with wireless communications capabilities.
An obvious benefit for vendors is the ability to monitor their devices and solve problems or upgrade firmware remotely. Say your car has a fault in the engine management system that the dealer can’t identify. Remotely, savvy techies from HQ can run tests, analyse data and tell the dealer what the problem is and how to fix it. And maybe install an upgrade or fix for the latest firmware. Very convenient for the vendor and for you.
Great Technology - or Heaven for Hackers?
IoT clearly has the potential to make life easier. The downside is that these devices communicate via IP networks, which opens new points of entry for hackers, mainly because the connections are anything but secure (we come to the reasons below). Could they disable your pacemaker or cause your car to crash? Probably.
‘Smart buildings, HVAC and even physical security technologies are now connected,’ The SANS Institute summed up the state of affairs recently. ‘The latest wave of “things” … includes but is not limited to automobiles, airplanes, medical machinery and personal (implanted) medical devices, and SCADA systems (windmills, environmental sensors, natural gas extraction platforms, hydro systems ....’
Smart Devices for a Smarter World
The Internet of Things makes many promises, from smart cars that read e-mails to you as you drive, smart fridges that remind you to buy milk on the way home, to smart medical devices that let your doctor keep check on you from afar. ‘Entire cities in South Korea are already rushing to link their infrastructure to the web to make it more efficient and improve services,’ says an article headed Home, Hacked Home in the Economist.
The possibilities are mind-numbing, and the implications for security and privacy even more so. The urban myth of your fridge being hacked and sending your friends spam emails has become reality: in late 2013 an IT security company reported that an internet-connected fridge had sent out more than 750,000 spam and phishing emails over the Christmas break.
The Samsung ‘Family Hub’ as a fridge
The Smart Office?
It’s not just our homes we need to worry about: recently Cylance security researchers Billy Rios and Terry McCorkle demonstrated how easy it was to gain access to the air-conditioning system in one of Google's Australian offices. The researchers found an unpatched version of Tridium’s Niagara software, which is widely used for managing building control and HVAC (Heating, Ventilation & Air Conditioning) systems.
They wrote a custom exploit to extract a configuration file from Niagara, which contained the user names and passwords for authorized users, and soon had 'a third-floor map of the office that showed details of its water and HVAC systems.’ The researchers said hundreds of businesses across Australia were just as susceptible to attack through vulnerabilities in their building control systems.
Security? Not their Problem
‘The “Internet of Things” holds great promise for enabling control of all of the gadgets that we use on a daily basis,’ Michael Osterman of Osterman Research told The Guardian. ‘It also holds great promise for cyber criminals who can use our homes' routers, televisions, refrigerators and other Internet-connected devices to launch large and distributed attacks.’
That warning is echoed by Keith Bird from Check Point who says that securing these devices isn’t easy, because they won’t run traditional anti-malware solutions. He says ‘security relies on users changing passwords and other settings away from defaults, and ensuring the devices are not left open (as WiFi networks often are).’
The reality is that the device manufacturers don’t see it as their responsibility to build security into them. The automotive industry is just one example: security analyst Sarb Sembhi makes the point that ‘computer-based systems in cars … are at a level of complexity that is similar to the technology seen in planes some 15 years ago.’ He added that ‘vehicle manufacturers do not regard the security of components as part of their job.’
Our Health under Threat
Security analyst Josh Corman underscores that point, saying: ‘There is a big difference between the internet of things and other security issues … If my PC is hit by a cyber-attack, it is a nuisance; if my car is attacked, it could kill me.’ Hype or reality? Modern cars use microprocessors to control and monitor not just engines, but also traction control, suspension and steering systems.
Medical devices such as pacemakers can be hijacked too, as Barnaby Jack of IOActive showed recently, ‘to deliver a deadly, 830-volt shock from someone on a laptop up to 50 feet away.’ The US Department of Homeland Security released an advisory to manufacturers and healthcare organizations warning of security vulnerabilities in the firmware of approximately 300 medical devices from around 40 vendors.
The medical appliances included surgical and anaesthesia devices, ventilators, drug infusion pumps, defibrillators, patient monitors and laboratory equipment. The vulnerabilities were caused by hard-coded default passwords in all 300 devices.
Default passwords are the Achilles’ heel: these devices have privileged access to the networks they’re connected to, so anyone who knows or cracks the password inherits that same privileged access. More recently, the FDA issued an Advisory for Cybersecurity on Medical Devices, which stresses that ‘hospitals and health care facilities should evaluate their network security and protect the hospital system.’
A recent IDC study found the number of everyday objects connected to the internet and able to automatically record, report and receive data is approaching 200 billion, with 7% (or 14 billion) of devices already connected to and communicating over the internet. Cisco forecasts that, by 2020, the number of connected devices will grow to 37 billion and comprise 10% of the world's data.
Gartner analysts make another important point: that the IoT will soon start ‘to overload data centres and open up the enterprise to greater security risks.’ The obvious question is: How are you going to cope with this rate of proliferation in smart devices? Who is going to monitor them, secure them and update their firmware?
More challenges are arising in the form of wearable technology like Google Glass, health & fitness tracking wrist bands and smart watches that can order take-away meals with a simple voice command from their wearers.
‘There's a huge question of what the security implications of connecting these kinds of devices to the corporate infrastructure will be,’ says security strategist Sean Newman. ‘For the IT team that is already defending their organisations from ever more sophisticated cyber criminals, wearable technology is just another attack vector that needs addressing.’
Implications for Privacy
Computerworld cites a recent White House report on big data that discusses the capability of sensors and smart meters to ‘turn homes into fish tanks, completely transparent to marketers, police -- and criminals.’ The report warns that a ‘sea of ubiquitous sensors, each of which has legitimate uses, make the notion of limiting information collection challenging, if not impossible.’
‘As organizations use technology to move to an “always on” environment, users become part of the information infrastructure through the use of their personal mobile devices ...’ warns Angela Orebaugh from Booz Allen Hamilton. ‘In essence, users become nodes on the IoT.
Orebaugh cites a fitness monitor as an example: it generates information about the wearer which the supplier of the device could share with other companies for micro-targeted advertising. ‘As a society is constantly monitored for its vital signs,’ asks Orebaugh’s colleague Ed Covert, ‘is it simply becoming data points to insurance companies?’
‘We'll probably see a whole new set of attack vectors,’ says Javvad Malik at 451 Research, ‘ranging from the CEO who was kidnapped because his fitness tracker told the attackers all of his movements and times for the last six months.’
What’s the Answer?
Clearly, you should be paying as much attention to securing your smart fridges, TVs and cars as you do your PCs and smart phones. The trouble is, you can't install security software on all the microchips in your environment. The guys at Cylance say there are 3 steps you can take:
- Invoke the ‘Guest Network’ option to create an isolated wireless network that broadcasts itself as a separate Wi-Fi access point. These networks allow wireless devices to connect to the Internet but prevent them from accessing the rest of the network.
- Enable automatic updates on devices, to make sure you’re up to date and not exposed to public vulnerabilities.
- Change Default Passwords. Most IoT devices ship with a hard-coded administrator password and, here’s the rub: many won’t let you change it, even if you were technically able to do so.
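The first of those three steps, the isolated ‘guest network’, is what a consumer router does for you behind a checkbox. The script below is an added example, not code from the article or from Cylance, showing the same policy written out as an nftables ruleset for a Linux-based router: the IoT segment may reach the Internet, may never initiate connections into the trusted LAN, and gets nothing from the router itself except DHCP and DNS. Interface names (wlan_iot, br-lan, eth0) and the 192.168.1.0/24 subnet are assumptions; change them to match your own router.

```shell
#!/bin/sh
# Added example (not from the article or Cylance): an nftables ruleset that
# isolates an IoT "guest" segment. Interface names and subnets are assumptions.
IOT_IF="${IOT_IF:-wlan_iot}"          # assumed Wi-Fi interface of the IoT/guest network
LAN_IF="${LAN_IF:-br-lan}"            # assumed interface of the trusted LAN
WAN_IF="${WAN_IF:-eth0}"              # assumed upstream (Internet) interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # constructed trusted-LAN subnet

# Print the ruleset. Policy: IoT devices reach the Internet, never the LAN;
# the LAN may still reach IoT devices for management; the router itself only
# answers DHCP and DNS from the IoT side, so its admin interface stays hidden.
gen_iot_isolation_rules() {
  cat <<EOF
table inet iot_isolation {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iifname "lo" accept
    # IoT devices only need DHCP and DNS from the router itself
    iifname "$IOT_IF" udp dport { 53, 67 } accept
    iifname "$IOT_IF" tcp dport 53 accept
    # trusted LAN keeps full access to the router (admin UI, SSH, ...)
    iifname "$LAN_IF" accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # IoT segment may reach the Internet
    iifname "$IOT_IF" oifname "$WAN_IF" accept
    # any attempt from the IoT segment to reach the trusted LAN is logged and dropped
    iifname "$IOT_IF" ip daddr $LAN_NET log prefix "iot-to-lan-blocked: " drop
    # trusted LAN may initiate connections into the IoT segment (management)
    iifname "$LAN_IF" oifname "$IOT_IF" accept
    # trusted LAN to the Internet
    iifname "$LAN_IF" oifname "$WAN_IF" accept
  }
}
EOF
}

# Return 0 if the generated policy contains the two rules that matter most:
# IoT -> Internet allowed, IoT -> LAN dropped. A sanity check before applying.
check_isolation_policy() {
  rules=$(gen_iot_isolation_rules)
  printf '%s\n' "$rules" | grep -qF "iifname \"$IOT_IF\" oifname \"$WAN_IF\" accept" || return 1
  printf '%s\n' "$rules" | grep -q "iifname \"$IOT_IF\" ip daddr $LAN_NET .* drop" || return 1
  return 0
}

# Apply only when explicitly requested and nft is present; `nft -c` checks the
# syntax without loading anything. Otherwise just print the ruleset for review.
if [ "${IOT_APPLY:-0}" = "1" ] && command -v nft >/dev/null 2>&1; then
  gen_iot_isolation_rules | nft -c -f - && gen_iot_isolation_rules | nft -f -
else
  gen_iot_isolation_rules
fi
```

Run it as-is to review the generated rules, or with `IOT_APPLY=1` on the router to load them. The `log prefix` on the IoT-to-LAN drop rule is deliberate: a fridge or camera that suddenly starts probing the trusted LAN is exactly the kind of event you want in your logs rather than silently discarded.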
So, IoT is a problem everyone knows about and writes about, but no one wants to be the first to fix it. (A bit like the dog who makes great espresso but everyone knows he'll swap cayenne for coffee if you give him a Schmacko.)
It's unlikely that vendors of IoT gadgets will release security patches or regular updates with the diligence and regularity of, say, Microsoft and Adobe, so the security problem probably won't just go away. Until there is an agreed security standard for these devices and penalties for manufacturers who fail to comply, IoT will probably remain heaven for spies and hackers. Welcome to your nightmare.