It seems we’ve learned little from the security woes associated with our credit/debit cards, identity theft, and personal computer hacks. Already, few are unscathed as we immerse more of our dealings and data online. Now, it seems, we are scrambling to rapidly enable all of our devices to be open to the same fate. While the Internet of Things revenues will surpass a trillion dollars in the near term, what really is the current state of affairs regarding security of connected IoT devices?
First, the IoT is being sold as the ultimate in connectivity, and that is true. What is also true, however, is that what it really represents is the movement of information between devices without human intervention. And, if those devices have any security vulnerabilities, well, it doesn’t take much to see what the result will be.
This Should Hopefully Scare You
If you are tasked with designing IoT devices and think that “good enough” means just that, it doesn’t. In 2015, HP Fortify conducted a study of IoT home security devices, and the results are dismal. In a small sample of IoT devices such as home thermostats, remote power outlets, garage door openers, and home alarms, the effort found 250 vulnerabilities, including conditions as severe as remote code execution, exposure to Heartbleed, denial of service (DoS) and cross-site scripting.
What Are We Not Doing Right?
Top down, we aren’t looking at the challenges from a big-picture view. We create smart sensors, but don’t enable them to be upgraded with patches or more security once in place.
We also consider the device to be an IoT entity unto itself, rather than a multi-faceted and highly connected item that provides indiscriminate access, both good and bad. Each device brings with it not just its own function but whatever network access, authentication credentials and Internet reach it has been given.
A project called the OWASP Internet of Things Top Ten Project, created by HP in 2014, examines the top ten IoT security challenges, drawing on a study of ten devices, and how to prevent them. Findings include:
- There were an average of 25 vulnerabilities per device.
- 70% of the devices, when combined with cloud and mobile apps, provide the means to identify valid user accounts through enumeration.
- 90% of the devices yielded at least one personal information gem.
- 60% of the user interfaces employed were vulnerable to a range of web flaws.
While the study involved home IoT devices, corporate devices are just as vulnerable.
We check our online banking statements regularly, opt into a variety of security measures that warn us when someone is tampering with our credit, and try to create passwords not based on the birthdates of our children, or our addresses. And, while the media, retail and banking institutions report breaches, we haven’t made the connection between this type of security hack and the vulnerability of our physical devices. Unfortunately, we often don’t hear of the successful breach of our ‘things.’ The breaches, however, are happening.
These hacks are large: nuclear facilities reported 19 successful cyber attacks from 2010 to 2014; a German steel plant was breached to the extent that systems were compromised and major damage occurred; and attacks on the U.S. power grid rose dramatically, with more than 150 successful attacks on U.S. DoE computer systems between 2010 and 2014. What about the ability to infiltrate building infrastructure, hospital records and patient systems, or even the control of smart weapons? Yes, they have all already been hacked.
In a world where the bottom line is boss, IoT products are being churned out as fast as possible, both to ensure income streams and to establish expertise in a huge industry that’s pretty much up for grabs. Hype is pushing development forward at breakneck speed while placing developers under impossible deadlines, ones where adding security is destined to be an afterthought.
No matter the device, the scenario plays out the same way: the inherent vulnerabilities in one device exist in every competing device as well. The previously mentioned HP study indicated that 100% of the devices used in home security had vulnerabilities in password security, encryption and authentication.
In addition to not enabling proper development practices, we’re also putting the emphasis on the wrong syllable when it comes to security basics. We use six-character passwords that are often not sufficiently complex, and while my water company locks me out if I mess up three times while trying to gain access to their site to pay my bill, not all systems use a lockout after failed attempts.
Another open door made blatantly clear by the study involves mobile application interfaces, where 50% of the systems show account harvesting risks. Beyond the interfaces, there are transport-encryption risks from improperly configured connections: many cloud connections show vulnerabilities, and organizations continue to add Wi-Fi enabled devices to local area networks (LANs) without enterprise-level security protocols in place. While major operating systems make it difficult to exploit a system, most IoT devices are built on a more basic OS.
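The two basics the article keeps returning to, account enumeration through the cloud/mobile interface (the 70% finding above) and the absence of a lockout after failed logins, come down to a small amount of backend logic. The following is an added example written for this page, not code from HP, OWASP or the article; the policy numbers (three attempts, fifteen-minute lockout, twelve-character minimum) and the `AuthService` class are assumptions chosen to illustrate the point. It hashes passwords with salted PBKDF2, spends the same hashing cost on unknown usernames as on real ones, returns one generic failure message for every failure cause, and refuses even the correct password while an account is locked.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Policy values chosen for this example (assumptions, not figures from the article)
MAX_FAILED_ATTEMPTS = 3          # lock after three misses, like the water-company site described above
LOCKOUT_SECONDS = 15 * 60        # how long a locked account rejects all logins
MIN_PASSWORD_LENGTH = 12         # longer than the six-character passwords the article criticises
PBKDF2_ITERATIONS = 100_000      # slow hash so offline guessing is expensive
GENERIC_FAILURE = "invalid username or password"


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AuthService:
    """Minimal login backend (hypothetical) showing lockout plus anti-enumeration behaviour."""

    def __init__(self, clock=time.monotonic):
        self._accounts: dict[str, Account] = {}
        self._clock = clock  # injectable so tests can advance time without sleeping
        # A throwaway credential that is hashed for unknown usernames, so a
        # request for a non-existent account costs the same time as a real one.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password(os.urandom(16).hex(), self._dummy_salt)

    def register(self, username: str, password: str) -> None:
        if len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
        salt = os.urandom(16)
        self._accounts[username] = Account(salt=salt, pw_hash=hash_password(password, salt))

    def is_locked(self, username: str) -> bool:
        acct = self._accounts.get(username)
        return acct is not None and self._clock() < acct.locked_until

    def login(self, username: str, password: str) -> tuple[bool, str]:
        """Return (success, message). The message is identical for every failure
        cause, so a caller cannot tell 'no such user' from 'wrong password' or
        'account locked', which is what makes valid-account enumeration possible."""
        now = self._clock()
        acct = self._accounts.get(username)
        if acct is None:
            # Burn the same hashing cost as a real account, then fail generically.
            hmac.compare_digest(hash_password(password, self._dummy_salt), self._dummy_hash)
            return False, GENERIC_FAILURE
        if now < acct.locked_until:
            # Even the right password is refused while locked, and the attempt is not counted.
            return False, GENERIC_FAILURE
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0  # a good login clears the counter
            return True, "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
        return False, GENERIC_FAILURE


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "correct horse battery staple")
    print(svc.login("alice", "correct horse battery staple"))  # (True, 'ok')
    print(svc.login("nobody", "anything"))                       # (False, 'invalid username or password')
```

Returning the generic message during lockout is a deliberate trade-off: telling an unauthenticated caller "account locked" confirms that the account exists, so the user-facing notice about the lockout is better delivered out of band (e-mail or the device's own display) than in the login response.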
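The transport-encryption risk in the paragraph above is usually not the absence of TLS but a client that accepts any certificate so that the cloud connection "just works" in the lab. The following is an added example for this page, not code from the article or from any vendor it mentions; the function names and the audit rules are assumptions. It puts the weak client configuration beside the corrected one using only Python's standard `ssl` module, and the audit function flags the settings that turn a TLS session into one any device on the same LAN can intercept.

```python
from __future__ import annotations

import socket
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The 'it connects, ship it' configuration: any certificate is accepted and
    the hostname is never compared, so an interposed host on the LAN is trusted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_bundle: str | None = None) -> ssl.SSLContext:
    """Verify the server chain against a trust store (the system store when
    ca_bundle is None, or a pinned bundle shipped with the firmware) and the
    hostname against the certificate; refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the weaknesses found in a client context; an empty list means it passes.
    Useful as a unit test in a device's build pipeline so the lab shortcut never ships."""
    findings: list[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are accepted")
    return findings


def open_tls_connection(host: str, port: int, ctx: ssl.SSLContext,
                        timeout: float = 5.0) -> ssl.SSLSocket:
    """Connect to a cloud endpoint with the given context (needs network; not run offline).
    server_hostname is what makes check_hostname meaningful and enables SNI."""
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print("weak:", audit_client_context(insecure_client_context()))
    print("hardened:", audit_client_context(hardened_client_context()))
</test>
```

The audit only inspects settings, so it runs offline; `open_tls_connection` is the call a device would make with the hardened context, and with the insecure one it would still succeed against a forged certificate, which is exactly the failure mode the paragraph describes.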
One of the biggest challenges, however, is that there is little in the way of security that can be added to device designs as an afterthought. How will it be possible to take unmanaged heterogeneous devices that come in all shapes and sizes and are ready to spill their information guts and provide network access—ensuring security along the way?
Smartphone use between 2007 and 2012 grew 10x. With this rate as a yardstick, approximately 80% of Internet connections by 2025 will originate from a mobile device. Most data by then will be cloud based and global participation will be extremely high.
Microsoft recently established a Cyber 2025 Model and then looked at underlying challenges. Many involved the inconsistencies of governments as to policies and standards that promote or hamstring innovation. The world will be connected and cooperative or protectionist and disjointed.
Cybersecurity that enables true global IoT use will fall out of this environment, its policies and standards, and it isn’t all that promising to date. There is no one-size-fits-all approach yet, and creating one may not be possible.
In the meantime, the onus is on the innovators and the companies that are developing devices. As for adding what will be mandatory to enable true cybersecurity in these devices: with millions of things dangling and most ignoring the danger, we’re just not ready for prime time yet.