The IoT Security Imperative – Part 1: Physical-Cyber Risk Landscape

Abstract

With the current state of IoT security, we might call it the Internet-of-Vulnerable-Things. It’s all the more alarming because of the types of physical machines/systems that are increasingly network-connected: traffic lights, airplanes, nuclear power plants, and other critical or potentially lethal systems. In part one, we discuss the nature of the challenge.

Article

“Having your computer hacked might be disruptive to your life. Having your car hacked might end your life — If past experience is any guide, it unfortunately may take some disastrous breaches occurring before the proper level of investment is made in these areas [of IoT security]. We expect to hear a lot more about IoT security.” — Excerpt from The IoT Impact

When Hacking Threatens Lives

The above prediction is starting to come true — recent headlines were made when two researchers (thankfully friendly and with the driver’s consent) hacked into a Washington Post reporter’s Jeep Cherokee[1] and took control of it from miles away, while he was driving at 70 MPH on a busy interstate highway in St. Louis. From the comfort of their living room, the hackers were able not just to take over the A/C, the radio, and the windshield wiper/washer systems, but also to cut power to the engine, and later (under safer conditions) they showed they could slam on or disable the brakes at will.[2] Thankfully, no one lost their life in this case, but it is pretty scary to imagine these tools in the hands of violent criminals or terrorists — or for that matter, any rebellious or troubled geek with a grudge.

It’s not just cars at risk. We’ve already seen hackers taking control of everything from airplanes to baby monitors (and everything else in a ‘smart home’) to steel mills, traffic lights/traffic control systems, nuclear power plants — unfortunately, we could go on all day with this list of IoT-enabled systems that have already been hacked.[3] So far, we haven’t seen a ‘911’ scale IoT hack that really gets the nation’s or world’s attention. We hope we won’t — but the risk is clear and present.

The IoT Security Imperative

Thus the makers of IoT systems — i.e. the makers of devices, platforms, systems, applications, and services that are connected to the internet and control actual physical machines and environments — all have a higher level of responsibility for ensuring security. Their moral obligation,[4] with regard to security, is stricter than for providers of traditional software and services that do not directly control physical devices, vehicles, and systems. The bar for security is higher for IoT systems, while the challenges are greater.

A Plethora of Attack Surfaces

In addition to having potentially much higher physical consequences for breaches, IoT systems also have more attack surfaces and vectors (i.e. potential paths and points of compromise), especially in IoT systems with thousands or millions of heterogeneous, unsophisticated devices attached to them. Keep in mind that many of these devices are legacy devices that were not originally designed to be network-connected and hence lack any security at all in the original design. When retrofitted into an IoT system, security is often a bolt-on afterthought. Consider the “Smart X” — i.e. a smart home, smart office building, smart factory, smart city, smart farm, and so forth. Each of these may have hundreds to many thousands (or in the case of a smart city, literally millions) of very heterogeneous devices in them from many different manufacturers. For example, a typical smart office building would have elevators, security surveillance systems, fire sensing/alarm and suppression, lighting, heating and cooling, telecommunications and networking systems, access control, and many other systems, each of which could come from myriad manufacturers who all make many different models. In a smart building, all of these devices are being integrated together — sometimes through a master controller and sometimes more directly. These are federated systems of systems and machines, requiring federated systems of trust. They are subject to the weakest link — a hacker could seek out the device with the weakest security and execute their entry there.

While the end devices may represent the most glaring potential vulnerabilities, an IoT-enabled product or service offering has many attack surfaces and potential points of vulnerability, such as:

  • IoT Devices — There is a huge range of types of IoT devices — everything from a simple passive RFID tag to an appliance or a PLC controller, all the way up to a large complex machine such as an airliner or mining truck. There is also tremendous variation in the level of security available on the device itself — such as whether or not it even has encryption capabilities, and if so, the type and strength; then building on that, whether it supports secure boot and cryptographic verification of updates, a built-in firewall or IPS, and so forth. As mentioned above, legacy devices can present a particular challenge. Then there is the challenge of managing huge volumes of devices and ensuring that the security has been properly configured on them, as well as ensuring that none has been compromised and quarantining any that have.
  • IoT Gateways — Some of these are repurposed legacy gateway devices with varying degrees of network security (e.g. firewall) built in. These now need to provide bi-directional security between the network and device, so that malicious hackers on the internet can’t access the devices, and a compromised device can be detected and prevented from infecting or attacking the rest of the network.
  • Cloud Software and Data Centers — Most IoT systems include a cloud infrastructure and/or data center element that represents another potential attack surface. The providers of this infrastructure need to implement comprehensive security including strong physical security at the data center (e.g. fencing, guards, etc.), rigorous employee background checks and continuous security training, and a strong security technology infrastructure (e.g. firewalls, intrusion detection, etc.).
  • Mobile Devices — Most IoT systems also interface with mobile devices that are subject to various threats such as phishing and malware. IoT services may include mobile applications that could run on any of a variety of platforms, which, depending on the sophistication of the user and protections installed on the device, could be completely compromised. The system needs to be able to operate in those environments, while allowing IoT functionality to work, but without compromising the security of the network.
  • Users and Administrators — The biggest security vulnerability in almost any system continues to be people. Social engineering techniques such as phishing, baiting, pretexting, quid pro quo, and other techniques are often the quickest and easiest ways for hackers to gain access into secure networks and systems. Providers of IoT services can create strong security policies and require their own employees to go through regular training and testing of their compliance, as well as include social engineering as part of third-party vulnerability assessment and penetration testing. It is much harder to impose that type of diligence on their customers, the users of IoT-enabled products, so systems should be designed with the assumption that the end users’ devices and accounts may be compromised.
  • Wireless Interfaces — Most IoT applications today have one or more wireless interfaces in their end-to-end architecture, such as Bluetooth, RFID, IR, ZigBee, WiFi, cellular, satellite, WiMAX, or some combination of wireless frequencies and protocols. Wireless links have an inherent security disadvantage in that the hacker can be at some physical distance from the device or network being hacked and often can deploy their own intercepting device surreptitiously. The actual security on many wireless networks is weak or non-existent. IoT security architectures should assume that these links are easily compromised and exposed to man-in-the-middle attacks.

The Weakest Link

All it takes is one weak link in the chain for hackers to begin an exploit. Thus, securing IoT-enabled products and services requires a multi-layered and multi-dimensional approach. Building very strong security in some areas, while doing very little in others (such as protecting against social engineering) is an invitation to trouble.

In Part Two of this series, we consider the needs of someone building IoT-enabled products or services who wants to make sure they have included sufficient security protections. We examine what security capabilities and attributes to look for when evaluating an IoT platform.


_________________________________________________________

[1] The vulnerability they identified has since been fixed by a patch released by Chrysler in June 2015.
[2] They were also able to take control of steering while the car was in reverse gear and were working on taking control of steering in forward gears as well.
[3] Some of these examples were done by white hat hackers trying to raise the alarm bells and demonstrate vulnerabilities to be addressed. Others were malicious hacks by outright enemies or criminals with hostile intent.
[4] There are efforts to make the obligation legal as well, such as proposed legislation to require better cyber security in cars sold in the U.S.

