Securing the Internet of Threats
As many as 50 billion devices will connect to the Internet by the end of the decade, sources, including Cisco, report. These devices are familiar to us, things we never before associated with Internet smarts-homes, railways, buildings, and bridges. They will be able to monitor, communicate with, and respond to their environment as it changes. This kind of networking is known as the Internet of Things and for all the problems it stands to solve, it will also cause plenty of headaches. In fact, it's quickly turning into what security guru Eugene Kaspersky has referred to as the "Internet of Threats."
The existing wireless infrastructure is still in its infancy, and the industry has yet to come up with common interface solutions and security standards. It's still grasping at proprietary implementations with companies frantically installing firmware updates and protocol stacks. Far from fixing anything, these patches often make it easier for hackers to wreak mischief—fragmentation invites attacks against a device's infrastructure on multiple fronts, from client applications and cloud services to the firmware and application layer residing on host processors.
At the end of the day, manufacturers and software makers know a Band-Aid approach isn't a cure. A survey of IT professionals and executives from energy, retail, and financial services organizations in the U.K. and U.S. found that fewer than one in four had confidence in the security configuration of Internet of Things devices already present on enterprise networks. Another report, conducted by HP Security Research last year, found that 70% of the most commonly used IoT devices, such as smart thermostats and home security systems, contain serious security vulnerabilities. During a test of various home automation hubs, Symantec discovered multiple security flaws that it said could allow attackers to access not just the hubs themselves but the devices connected to them. At large organizations, wireless communications between local controllers and endpoint devices, often considered uninteresting to hackers, become much more interesting targets when they're tethered to the web. "You now have a direct channel into the local area network using that Wi-Fi," says Paddy Srinivasan, VP and head of products at Xively.
Put another way, hackers don't want to hack industrial ovens so much as they want to attack the corporate network precisely through them.
Consider what happened after security consultant Jesus Molina checked in at the St. Regis hotel in Shenzhen, China, in December 2013. Making use of one of the complimentary guest iPads, Molina promptly found a way to sneak past the porous system protocols and configurations of the hotel's network. Before long, he had taken full control of the thermostats, lights, televisions, and automated window blinds—as well as the electronic "Do Not Disturb" signs outside the rooms. (Molina blogged all about it.)
To be clear, no one is offering a proven solution. But plenty of smart people are trying. We gathered leaders expert in IoT for a discussion about its risks and rewards. The list included Gus Shahin, chief information officer at global design, engineering, and manufacturing company Flex; Chris Czub, security research engineer at Duo Security who has a decade of experience in the field and is scheduled to deliver the keynote address at the 2015 Build IT Together conference on May 13th; Thomas Lee, professor of electrical engineering at Stanford and an entrepreneur who's considered a leading authority in the IoT world; Kent McMullen, senior director of IoT at Symantec; Patrick Nielsen, senior security researcher at Kaspersky Lab and a decade-long advocate for and researcher of secure software development whose work is widely cited by academic and government organizations; and Mark Stanislav, senior security consultant at Rapid7, a consulting firm specializing in security data and analytics solutions. The following is their virtual roundtable conversation.
The Reality of IoT Security Risks
We're going to see people encountering the same issues that developers have been dealing with for decades. Authentication bypass, poor transport security, and privacy concerns around data collection are all present in traditional computer applications and IoT.we The big differences that I see are twofold: the potential physical accessibility of the devices and misguided assumptions about the necessity for security.
The current state of IoT is very much a Wild West in the technologies and platforms utilized to create these devices. Vendors are forgetting or completely bypassing a lot of security due to cost or complexity. For example, data that you would expect to be encrypted, such as API calls or video/audio data, aren't.
A malicious actor with physical access to a device has more options open to him as opposed to a situation where he only has network access to a server. Many people also don't understand the impact poor IoT device security can have. For example, saying, "So what if somebody hacks the office smart fridge?" without recognizing that it could grant someone a persistent foothold in an organization's network, which could serve multiple purposes. One of those purposes could include giving attackers somewhere to gather data on employees; another could give access to a relatively unmonitored device from which other attacks could be launched. While the smart device itself may not contain anything high-value, the network access it offers and the lack of understanding and monitoring of IoT devices make them attractive targets.
Historically, every step forward in technology is followed by a corresponding hacker strategy to make a profit or disrupt a service within the first 12 months after it is introduced. We saw this with computers going online, and it has continued with ATMs, smartphones, and point-of-service devices. With IoT devices, we expect that the learning curve will be even shorter for hackers, based on their growing sophistication. We've already seen hackers gain control over POS, insulin pumps, and connected cars.
The sheer scale of IoT will create an "attack surface" of unprecedented size. One of my former DARPA colleagues, Dan Kaufman, was recently featured in a 60 Minutes segment ("DARPA Dan") that highlighted some IoT dangers. He and his team were able to startle CBS correspondent Lesley Stahl repeatedly as they took over key systems of her car remotely as she drove. To say she was a bit nonplussed is an understatement.
We're only just now figuring out how to handle security updates seamlessly on traditional devices. The vast majority of consumer electronic devices that aren't phones, laptops, or tablets don't receive updates automatically, and in many cases it isn't even possible for a normal user to update the device's firmware herself.
Never mind anything else. The very first step toward IoT security is one vendors must take: They have to be able to push out updates when issues are found and fixed. Otherwise any device is just a ticking time bomb ( unless the vendor is able to produce a device that is secure right out of the gate, which would be virtually unprecedented).
Over the past two decades, connected computational tools and services have touched more facets of our daily lives and this trend will expand aggressively in the years to come. As computing power continues to extend its footprint, so does the potential for security vulnerabilities and risks as every device in our homes, offices, and vehicles will be connected to the Internet. Going forward, it is imperative that every IoT device is designed, manufactured, and implemented within a holistic practice of "security by default." Every vendor is ultimately responsible to ensure that its device is not the weakest link in the cybersecurity chain.
The Hacker Threat to Critical Infrastructure
Our research shows that critical infrastructure is among the top IoT devices most at risk of being hacked in 2015. It has surfaced as a key area of vulnerability considering the implications to national security, and the Shodan search engine illustrates just how easy it is to find data from unsecured devices, including large-scale refineries and traffic lights.
SCADA (supervisory control and data acquisition) systems used in industry and utilities present juicy targets for hackers. There is real potential for compromise of these systems to cause serious economic damage, or disruption to a utility service.
Anything that is controlled by a computer can be maliciously controlled by somebody who has compromised that computer, or, in many cases, is simply able to interact with it. That applies to electrical grids, manufacturing plants, centrifuges, cars, smart TVs, etc. You can consider a smart car an Internet-connected industrial control system on wheels. It's not like we didn't have computers in electrical grids and automobiles before; we just didn't worry about their security too much because they weren't connected to the Internet. That's what's changing at a dramatic pace, and we aren't ready for it.
The impact of loT will not just drive the development of exciting new connected devices, but it will also facilitate the connection of existing devices, appliances, and infrastructures that were never originally designed to be secure from external malware and hackers. While having access to real-time and predictive data analyses in public utilities, transportation, and government agencies is extremely valuable, it also exposes the real threat that these facilities can be attacked and controlled by malicious outsiders. It's not a question of if such an attack will occur, but when and how—we must anticipate and plan for the worst possible scenario and begin taking action now.
If there's a connection to the outside world, there's almost certainly a way in. That truth applies in general, not just to the IoT. So if critical infrastructure systems are connected to boxes that ultimately connect to the larger Internet (and many are, to allow remote monitoring, say), they are theoretically vulnerable. With a trillion devices, the network becomes especially porous, so there is certainly plenty to worry about.
It's imperative for industries to implement basic security hygiene, like using strong passwords, running only signed code, and encrypting data.
Separating Concerns From Hype
While security researchers often cover this kind of topic in their work, we don't see a lot of examples of "real-world catastrophe" being exercised. That's great, of course, but much like anytime a critical situation occurs, people will ask, "Why wasn't someone aware of this sooner?" There's definitely real risks and potential harm. We just don't either hear about the situations when they happen, or those who could do it don't find enough value to try—yet.
While it is certainly human to react emotionally to cybersecurity concerns exposed by media hype, these threats are ultimately very credible and we must not underestimate their significance or potential impact. Currently, there is significant disparity between the awareness of threats and how security is implemented and managed, especially for critical infrastructure. The greatest challenge going forward will focus on balancing the productive operation of infrastructure with the cautious diligence and expense required for security protection and response. In all cases, cybersecurity will be an incremental investment that cannot be disregarded or treated as an afterthought.
The biggest IoT security risk is that many connected devices aren't built with security in mind. Most don't use strong passwords, encrypt communications—or they use signed code—and some are even open to well-known web-application and firmware vulnerabilities.
It's important to note that there's a greater chance of vulnerability in larger devices with longer shelf lives, such as home appliances. The hardware on a phone is likely to be updated and replaced every few years. However, for a dishwasher or refrigerator, consumers probably wouldn't make a software update that will do something two minutes faster on a machine that they think works just fine. Vendors are trying to automate updates, but it's a challenge.
While there haven't been many publicly published attacks on infrastructure systems, the threat is real and I predict we will see them being manipulated more in the future. Incidents like Stuxnet or the German steel mill hack are hints of what could come. Part of the reason that we haven't seen many attacks on these systems is that they're largely opaque, expensive, closed-source commercial systems, and it's difficult to get experience working with them.
Researchers are now starting to look at things like aviation systems used by the FAA, automated traffic-control systems, and large-scale industrial controllers to understand their current state of security as well as how best to keep them safe. There's definite risk here, and industry and utility organizations could use the collaborative efforts of helpful researchers to prevent more serious attacks from happening in the future as malicious actors learn more about these systems.
I don't think the threats are exaggerated. IoT security is currently a complete mess that will take a long time to fix. That doesn't mean, however, that vulnerabilities in IoT devices necessarily pose the greatest risk: It's quite possible that you have several vulnerable IoT devices in your home right now, but if you're also running an outdated browser on your laptop, that's by far the most likely avenue through which you will be compromised, one because you're much more exposed, and two because your laptop has much more interesting information than, say, a Wi-Fi-enabled light bulb. But don't underestimate the light bulb.
What Smart IT Organizations Can Do About Vulnerabilities
First and foremost, every company that develops, manages, or leverages IoT devices must be completely transparent and prompt about sharing recorded security events and vulnerabilities. Only through such an open and interactive forum can this significant cybersecurity challenge be fully understood and abated. From a CIO perspective, IT organizations will need to partner and collaborate with their IoT vendors to ensure that suitable security standards exist and are thoroughly implemented. IoT will dramatically change company security priorities in the future as the associated threats will become more complex and have greater consequences on data, assets, and, most important, the safety of all employees.
If vendors aren't taking security seriously, we'll see them thrust into the spotlight following a real-world example of a data breach and misuse of personal data. Beyond basic hygiene, vendors should think about security as part of the design by embedding it at the time of development, including the ability to update the devices as required, run security gateways, and use advanced security analytics to ensure environments are monitored.
IoT devices are going to be hard to keep out of most offices, just like mobile phones have been. Someone is going to plug a connected light bulb into her office one day, and nobody in charge of security will probably even notice or blink an eye. IoT device management is not a solved quantity, like knowing your PCs are all up-to-date. The more these devices come onto the network, the more firmware you need to update, the more mobile apps need patching, and the more network connections transmitting insecure data there are to wrangle. It's a really bad logistical problem for a large organization to try and solve right now.
Currently, vendors of IoT devices are preoccupied with getting to market quickly, to keep sync with the breakneck pace of the consumer market. But that haste is antithetical to thoughtful consideration of security. On the positive side, I'm hearing much more concern about security from those same vendors. There isn't a consensus yet on what to do, but there's definitely a growing feeling of urgency.
Ultimately, the "right" way to solve these issues is to put pressure on vendors to give security the level of consideration that's needed for the world we're building.