A map of connected devices. | Image: Thingful
Every object you interact with on a daily basis will soon be networked, collecting data, and easily hacked. Internet of Things security is already so bad that simple search engines have indexed and provided detailed information about millions of connected devices around the world, ranging from common wearable devices to home climate systems to public security cameras.
The IoT will power countless new businesses and enrich the lives of consumers. But as 20 billion devices power up over the next decade, the security risks for IoT will be as great as the rewards. “The emotional reaction of security professionals when looking at IoT is to throw up one’s hands, decry how everything is always broken forever, and we’re doomed,” said Tod Beardsley, Rapid7‘s Senior Security Research Manager. “To be sure, there are serious, systemic problems in the IoT space. These problems are real and difficult, but not insurmountable.”
While the Internet of Things is young, the landscape is already populated by millions of connected, data-chirping devices. Two search engines, Shodan and Thingful, were recent subjects of an internet kerfuffle when the services were used to shoot footage inside homes and other private locations.
Shodan is a voyeur’s dream. A quick scan either through paid or free membership using terms such as port:554 has_screenshot:true reveals cameras installed in places ranging from car parks in Japan to bars in France, private lounges in Korea to rabbit cages in Germany.
The massive scale of IoT is a boon and a curse. Beardsley explained that vendors' inability to produce interoperable, secure firmware, web, and mobile applications across the breadth of IoT introduces a number of vulnerabilities. “Consumers are unable to accurately and confidently assess the security of the devices and gadgets they already have in their home,” he said. “These are all pretty massive challenges.”
Beardsley is particularly concerned that IoT attacks could be completely invisible, since most IoT products don’t have strong security or logging controls. “If I’ve compromised your IoT device, you likely won’t even notice,” he said.
Timothy Sparapani, Founder of SPQR Strategies and former Director of Public Policy at Facebook, agrees. “The state of IoT security is very poor. We are learning that most IoT systems are essentially insecure,” he said.
Sparapani explained that little has been done to secure IoT systems because IoT devices were seen as a lower priority by manufacturers and security professionals alike. The focus of data security has been on shutting down attacks that could cause consumers direct harm through loss of personal information, like banking accounts and medical information.
“The greatest vulnerability for both businesses and consumers is that we have not yet developed a [standard] for shipping patches for security vulnerabilities remotely,” Sparapani said.
In the near future IoT fragmentation will span industries. “We will increasingly rely on sensors on our devices, in our transportation systems, our food production and delivery systems, in our factories, on our farms, and in our homes,” Sparapani said. “If those IoT systems are corrupted by hackers, the amount of chaos could be immense. When we turn over devices to IoT monitoring there will be very few people who have the skills to fix the device in question when it is hacked, and even fewer who are proximate to the devices to physically override their programming.”
Both Sparapani and Beardsley agree that the more businesses and consumers understand about the IoT security environment, the easier it is to stay safe while enjoying the benefits of a connected world.
What does a strong IoT security model look like?
A strong, mature IoT security profile is really just the basic level security that we enjoy on our traditional platforms: routine, automatic updates to software to patch against shipping vulnerabilities.
As a rule, IoT devices ship without any patch pipeline in place, so if we come across an IoT device that actually does support automatic patching, then I’m pretty happy that I’m dealing with a vendor that has at least thought that part through.
[Business] should base [IoT] decisions in part on security. Do a little bit of legwork on the company you’re considering buying from by checking to see if there have been vulnerabilities published, and fixed, in the past. A company that welcomes, rather than spurns, vulnerability reports is a company I would much rather support with my buying decisions.
Weak and absent passwords are both common on the internet, and specifically a problem with IoT. Poorly designed IoT devices also lack encrypted communications, which opens up a couple of major issues. One, sensitive personal information is transmitted in the clear, for anyone on the local network and upstream network to eavesdrop on. And two, IoT devices cannot be sure they’re communicating with the real and correct vendor-supplied web applications or mobile apps. Encryption isn’t just about keeping secrets, it’s also about authentication, so an IoT device that operates in cleartext, rather than over encrypted channels, is inherently untrustworthy.
It starts with recognizing that IoT security must be a priority, and that security features must be built into IoT devices by default. The next evolution will be when we build a system to ship code patches to close vulnerabilities and resolve attacks remotely at scale to deployed devices.
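The two answers above make a pair of points that are easy to state and easy to get wrong in firmware: a device that cannot authenticate what it receives cannot trust a patch, and a patch pipeline is only useful if the device refuses anything that is not genuinely the vendor's. The Go program below is an added example written for this article; it is not code from the article, from Rapid7 or from any vendor quoted here. It assumes a vendor Ed25519 public key provisioned into the device at manufacture (the `Device.VendorPub` field), a hypothetical `VendorSign` build-server step, and a constructed three-scenario update run in `main`. The device-side `ApplyUpdate` gate verifies the signature over version and firmware hash, checks the image against the signed hash, and rejects downgrades so an older signed release cannot be replayed to reintroduce a fixed bug.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the unit the vendor ships: a version number, the firmware
// image (inline here; a real device would download it separately) and the
// vendor's signature over version || SHA-256(firmware).
type Manifest struct {
	Version  uint32
	Firmware []byte
	FwHash   [32]byte
	Sig      []byte
}

// signingInput fixes the exact bytes that are signed and verified. Binding the
// version into the signature stops a genuinely signed old image from being
// re-labelled as a newer one.
func signingInput(version uint32, hash [32]byte) []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], version)
	copy(buf[4:], hash[:])
	return buf
}

// NewVendorKey generates the vendor's long-term signing key pair (done once,
// on the build server; only the public half is burned into devices).
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// VendorSign is the hypothetical build-server side: sign one release with the
// vendor's private key.
func VendorSign(priv ed25519.PrivateKey, version uint32, firmware []byte) Manifest {
	h := sha256.Sum256(firmware)
	return Manifest{
		Version:  version,
		Firmware: firmware,
		FwHash:   h,
		Sig:      ed25519.Sign(priv, signingInput(version, h)),
	}
}

// Device models the part of an IoT product that matters here: the vendor
// public key provisioned at manufacture and the currently installed version.
type Device struct {
	VendorPub ed25519.PublicKey
	Installed uint32
}

var (
	ErrBadSignature = errors.New("manifest not signed by the vendor key")
	ErrHashMismatch = errors.New("firmware image does not match the signed hash")
	ErrRollback     = errors.New("refusing to install an older or equal version")
)

// ApplyUpdate is the device-side gate. Order matters: authenticate the
// manifest before trusting anything in it, then check the payload against the
// signed hash, then enforce version monotonicity.
func (d *Device) ApplyUpdate(m Manifest) error {
	if !ed25519.Verify(d.VendorPub, signingInput(m.Version, m.FwHash), m.Sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(m.Firmware) != m.FwHash {
		return ErrHashMismatch
	}
	if m.Version <= d.Installed {
		return ErrRollback
	}
	d.Installed = m.Version // real firmware: write image, then commit version
	return nil
}

func main() {
	// Constructed scenario: a fresh vendor key pair and a device running v1.
	pub, priv := NewVendorKey()
	dev := &Device{VendorPub: pub, Installed: 1}

	fmt.Println("genuine v2:", dev.ApplyUpdate(VendorSign(priv, 2, []byte("fw-v2"))))

	tampered := VendorSign(priv, 3, []byte("fw-v3"))
	tampered.Firmware = []byte("fw-v3 modified in transit")
	fmt.Println("tampered image:", dev.ApplyUpdate(tampered))

	_, otherPriv := NewVendorKey() // a key that is not the vendor's
	fmt.Println("foreign manifest:", dev.ApplyUpdate(VendorSign(otherPriv, 4, []byte("x"))))

	fmt.Println("replayed v1:", dev.ApplyUpdate(VendorSign(priv, 1, []byte("fw-v1"))))
	fmt.Println("installed version:", dev.Installed)
}
```

The signature check is what makes the pipeline trustworthy regardless of transport: a cleartext download channel, which the first answer warns against, still cannot hand the device an image it will accept. Pinning the download to the vendor's TLS endpoint is a sensible second layer, but it is not a substitute for verifying the artefact itself.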
What does IoT security look like today, and what does it look like in 2020?
I’m hopeful that we’ll get ahead of the encryption and default/weak/missing password problems, and have normalized patch distribution solutions. With those fundamental elements in place, we’ll be in a good position to ensure that the IoT space stays safe and secure.
In four years we will have seen the breach of IoT systems by hackers, both playful and those bent on sowing chaos and destruction. We’ll have awakened to the risks of insecure devices, and we’ll be playing catch up.
The benefits of IoT for individuals and for society will be well demonstrated and we’ll be trying to retrofit old devices with new security protocols. If we are lucky, we will have some standardized systems to patch known security vulnerabilities remotely.
The problems are real and difficult, but not insurmountable, Beardsley said. “Security professionals still have time to get ahead of the coming IoT tsunami. We have expertise on how to engineer better security, how to fix and maintain rapid patch development and deployment, and how to educate both consumers and regulators. We have plenty of work ahead of us, but I’m optimistic we will be able to get a handle on these issues before it’s too late.”