How to Secure the Future of the Internet of Things
The world of security for the Internet of Things just became more complex. IoT devices are no longer a potential threat only to their owners; now they pose a significant threat to everything connected to the Internet.
Understanding Current IoT Security Challenges
IoT security has become a growing concern, with risks spanning various industries and consumer applications. Let’s explore some key areas of vulnerability.
Industrial Controls and Transportation Equipment
For the past year, the cybersecurity and IoT communities have been at odds regarding how to keep devices from harming their owners. Much of the focus emerged around industrial controls and transportation equipment. Vulnerable industrial control devices could cause cascading effects to power stations, water distribution, chemical plants, heavy machinery, and other industrial facilities, posing a threat to workers or downstream users. There have been hacks, compromises, and stern warnings. Concerned governments are applying pressure and establishing requirements to protect services at a national level.
Vehicle Hacks and Public Perception
Vehicles, most notably airplanes and smart cars, have taken the bulk of the public’s attention. Hacks against Jeep, Tesla, and Volkswagen have shown how doors can be unlocked and total operating control commandeered with steering, brakes, and acceleration taken over by an attacker. A car that is rendered unusable by its owner or made to crash and injure occupants is frightening but apparently trivial if you do not own that type of vehicle.
The public appears to be entertained by these research exploits but not too concerned. The danger may seem beyond the everyday consumer and the effects are likely limited to only those who could afford such conveyances.
Consumer IoT Devices
On the low-cost side, home appliances, wearables, toys, and drones are already a part of the everyday consumer world. But hacking a smart toaster or rice cooker seems harmless, beyond some burnt starch.
The Growing Risk of IoT Misuse
Eventually, we will face more risks than we can imagine. As IoT devices are woven into the fabric of people’s daily lives, we will be at risk of their misuse. In the future, they will begin to control the stoplights on the way to work, the equipment in the emergency room, and progressively more vehicles on the road and in the sky.
They will also manage the distribution of such necessities as electricity, food, medicine, water, and communications. We will begin to understand how these little technical minions become critical to the smooth delivery of services in our future digital lives.
Industry Response to IoT Risks
This is the space where thought-leading IoT manufacturers are working feverishly. The automobile industry, in particular, has been quick to invest in security to ensure their products do not cause accidents. Such work has begun, but it still has a long way to go in cars and across all the other billions of devices we will weave into our lives and businesses in the next few years.
The Promising Future of IoT Devices
The next generation of IoT devices is appearing and will work to help protect our property, monitor our health, automate our homes, keep our children safe, increase our communication, eliminate time-wasting chores, make us more efficient, and optimize our businesses. A great future to be sure, but it will need to be trustworthy and secure, as our reliance on the smallest elements will ultimately impact the biggest parts of our lives.
These are all known and accepted security challenges in the world of IoT. This is not the end of the security story, only the beginning.
The Evolving Threat: IoT as a Weapon
While earlier IoT challenges primarily affected device owners, a more severe threat has emerged. IoT devices are now being weaponized for large-scale cyberattacks.
Distributed Denial of Service (DDoS) Attacks
We now face a new set of problems with IoT. Unlike the known challenges, in which IoT devices might impact local owners and bystanders, the new threat is a powerful weapon that can be pointed at anything connected to the Internet. Recent distributed denial of service (DDoS) attacks have been fueled by hacked IoT devices, called bots. DDoS attacks saturate Internet-connected devices and services to bring them down or make them unavailable.
The Role of Bot Herders
These IoT DDoS attacks are typically run by “bot herders.” These herders compromise devices and install malware that allows them to be remotely controlled. By pointing hundreds or thousands of devices to flood a target with requests and data, they can overwhelm it to the point it can no longer maintain functions.
There are several anti-DDoS services that offer protection for a price. But the scale of the new IoT-backed attacks, which are larger than anything ever seen, makes protection difficult and costly. Josh Shaul, Akamai’s vice president of web security, warned that if such an attack were sustained, it could cost the victim millions of dollars in cybersecurity services to stay online.
The Decline of PC Bots
Traditionally, PCs were the prime targets to turn into bots, as many people did not bother with installing antimalware products. But over the last few years, PCs have become much better protected and thus difficult for bot herders to consistently control. The other problem is the shift to laptops. A bot is good only if it is online, can receive instructions from its master, and then continuously execute those orders. Laptops do not fit this model well, as they spend much of their time off, to save battery life.
Why IoT Devices are the Perfect Targets
What bot herders really want is a massive number of devices that are easy to hack, are ignored by their owners, and are constantly connected to the Internet. Recent attacks have proven IoT devices are the perfect solution for cybercriminals.
The rise of IoT is a dream come true for bot herders. Most IoT devices are not powerful enough to have any type of antimalware service. A majority of consumer products come with a default login and password that are published by the manufacturer and easily found on the web.
Many stay continuously connected to the Internet, and users, especially consumers, rarely monitor or update these devices. The biggest factor is scale. Unlike the hundreds or thousands of PCs that might be in a herd, IoT botnets can number in the hundreds of thousands!
With legions of exploitable devices, attackers are mustering massive DDoS armies and the results of IoT botnets are devastating.
Securing the Future of IoT
As IoT continues to expand, it’s crucial to think not just about current exploits, but how to protect against future threats. Here’s what we must do to secure IoT devices moving forward.
1. Designing and Architecting for Security
IoT manufacturers must take the time to embed security into the architecture, interfaces, and designs of their products. Basic security concepts and capabilities such as compartmentalization of data and code, communication between trusted parties, data protection both in use and at rest, and authentication of users should be established and tested.
Products in the future will get more powerful, store more data, and possess more functionality. This means products should have the ability for security updates, feature locking, build validation, software vetting, and default configurations that follow industry best practices.
2. Secure Provisioning and Configuration
Most IoT devices require some kind of setup and provisioning upon installation. Device identity and authentication are a must, as part of this two-way process. Proper default configurations that adhere to best security practices are important and should be easy for users to understand.
Rules should be in place that disallow default passwords, require patches and updates to be signed, require data to be encrypted, and permit only secure web connections.
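The four rules above expressed as a provisioning-time gate, as an added example that is not part of the original article. The profile field names, the list of factory credentials, and the example.com endpoints are assumptions constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed sample of factory credential pairs; a real gate would load the
# manufacturer's own list of shipped defaults.
FACTORY_DEFAULTS = {("admin", "admin"), ("root", "root"), ("admin", "1234")}
SECURE_SCHEMES = {"https", "wss", "mqtts"}


def audit_provisioning(profile):
    """Return the list of rule violations for one device profile (empty = pass)."""
    violations = []

    # Rule 1: no default passwords (an empty password is treated the same way).
    creds = (profile.get("username", ""), profile.get("password", ""))
    if creds in FACTORY_DEFAULTS or not creds[1]:
        violations.append("default-or-empty-password")

    # Rules 2 and 3: a missing key counts as a failure, so the gate fails closed.
    if not profile.get("require_signed_updates", False):
        violations.append("unsigned-updates-allowed")
    if not profile.get("encrypt_data_at_rest", False):
        violations.append("data-not-encrypted")

    # Rule 4: every endpoint the device talks to must use a TLS-backed scheme.
    for url in profile.get("endpoints", []):
        if urlparse(url).scheme not in SECURE_SCHEMES:
            violations.append(f"insecure-endpoint:{url}")
    return violations


# Constructed sample profiles, not taken from any real product.
AS_SHIPPED = {
    "username": "admin", "password": "admin",
    "require_signed_updates": False,
    "encrypt_data_at_rest": True,
    "endpoints": ["http://updates.example.com/fw", "mqtts://broker.example.com:8883"],
}
HARDENED = {
    "username": "owner", "password": "k7#Vq-constructed-example",
    "require_signed_updates": True,
    "encrypt_data_at_rest": True,
    "endpoints": ["https://updates.example.com/fw", "mqtts://broker.example.com:8883"],
}

if __name__ == "__main__":
    for name, profile in (("as-shipped", AS_SHIPPED), ("hardened", HARDENED)):
        print(name, audit_provisioning(profile) or "OK")
```

A device whose profile returns any violation would be held in setup until the owner corrects it, rather than being allowed onto the network in its as-shipped state.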
3. Proper Administration and Management
For devices owned by consumers, it is imperative they alone maintain the final say in how the device is managed. Manufacturers and online service providers play a role in provisioning, but the owner must retain ultimate control of what the device will do.
Provisioning is different from administration. For example, during installation of home cameras it makes sense to connect to the manufacturer for the latest patches and maybe even set up cloud storage. But you would not want your home cameras controlled by the manufacturer. The manufacturer should not have the ability to operate them outside of the buyer’s authority.
Enterprise and industrial devices are typically managed centrally, by the purchasing organization. Entire classes, potentially numbering in the thousands, may be controlled to operate individually or as part of a collective. The same choices and control are required.
How Do We Make IoT Security a Reality?
Securing IoT devices is not just about technological fixes—it requires changes in responsibility and accountability. Here’s how we can make IoT security a reality.
Security and privacy take effort, resources, and commitment. To change from the status quo, we must hold manufacturers accountable for their devices. If they fail to design and architect security into their products, make them liable and stop buying their wares. For critical functions that could put the safety of people at risk, enact regulations and subject them to government penalties.
As part of best practices, manufacturers and service providers must follow secure provisioning and configuration guidelines. Industry consortiums are working to define best practices, configurations, and default settings for different device classes.
The Choice Is Ours
It may seem like a lot to consider, but remember attackers need only find a reasonable vulnerability to exploit. The opportunity is to make the effort challenging enough so they are not motivated to pursue these devices.
We find ourselves in a situation in which billions of IoT products will flood every industry and quickly find their way into our homes, schools, governments, and businesses. We must make the necessary efforts to not bring vulnerabilities with them.
The effects will go well beyond our own lives, data, and devices. They may be turned into legions of bots, which could cause havoc to even the biggest of organizations on the Internet. We could all become victims if we do not work together to make our future technology trustworthy, safe, and secure.