A Wake-Up Call for IoT

Welcome to the world of Internet of Things wherein a glut of devices are connected to the internet which emanates massive amounts of data. Analysis and use of this data will have real positive impact on our lives. But we have many hoops to jump before we can claim that crown starting with a huge number of devices lacking unified platform with serious issues of security standards threating the very progress of IoT.

banafa-nov-2

SOURCE: Bain IoT customer survey, 2016 (n=533)

The concept of IoT introduces a wide range of new security risks and challenges to IoT devices, platforms and operating systems, communications, and even the systems to which they’re connected. New security technologies will be required to protect IoT devices and platforms from both information attacks and physical tampering, to encrypt their communications, and to address new challenges such as impersonating “things” or denial-of-sleep attacks that drain batteries, to denial-of-service attack. But IoT security will be complicated by the fact that many “things” use simple processors and operating systems that may not support sophisticated security approaches. In addition to all that “Experienced IoT security specialists are scarce, and security solutions are currently fragmented and involve multiple vendors,” said Mr. Jones from Gartner, he added; “New threats will emerge through 2021 as hackers find new ways to attack IoT devices and protocols, so long-lived “things” may need updatable hardware and software to adapt during their life span.”

banafa-nov-3

A map showing the areas affected by the internet outage on Friday Oct. 21st , 2016
Source: Downdetector

This fear was realized with a massive distributed denial of service attack that crippled the servers of services like Twitter, NetFlix , NYTimes, and PayPal across the U.S. on October 21st , 2016. It’s the result of an immense assault that involved millions of Internet addresses and malicious software, according to Dyn, the prime victim of that attack. “One source of the traffic for the attacks was devices infected by the Mirai botnet” the link to the source code Mirai malware on GitHub is here. The attack comes amid heightened cybersecurity fears and a rising number of Internet security breaches. Preliminary indications suggest that countless Internet of Things (IoT) devices that power everyday technology like closed-circuit cameras and smart-home devices were hijacked by the malware, and used against the servers.

“Mirai scours the Web for IoT devices protected by little more than factory-default usernames and passwords, and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users,” Krebs explained in a post.

What makes this attack so interesting is that the devices hijacked have been networked to create the internet of things. In this case the offender was likely digital video recorders, those set-top boxes that allow you to record live TV and skip the commercials, and webcams, like those used around houses for security. All these devices now moonlight as zombies under control of malicious actors bent on taking down individual websites or even portions of the internet, as with the Dyn attack.

Considering the trend in connectivity, this is really just a taste of things to come. The deployment of IoT is far outpacing any other networked system. Gartner estimated that, by 2020, 50 billion devices will be connected to the internet. That’s 50 billion new accomplices for an attacker to use to take down the servers that are critical to a functioning internet.

Data: Gartner various / Graphic: Telecom TV

Data: Gartner various / Graphic: Telecom TV

Added to this explosion in connected (and potentially compromised) devices is the increasingly sophisticated and systematic nature of recent attacks. Bruce Schneier, an internationally renowned expert on technology and security, has sounded the alarm on this issue very recently. The combination of a dedicated group of actors and a significant increase in the means to attack networks should be a big concern to us all.

Security is not the only problem

A comprehensive study on IoT by The Internet Society (ISOC) revealed critical issues which will have an impact on IoT:

  1. Security Concerns – With so many interconnected devices out there in market and plenty more to come in the near future, a security policy cannot be an afterthought, some of the issues with devices of IoT:
    • Some Devices Are More Secure Than Others.
    • Lack of Updates on Internet of Things Devices.
    • Communications Security.
    • Consumer Education.
  2. If the IoT devices are poorly secured, cyber attackers will use them as entry points to cause harm to other devices in the network. This will lead to loss of personal data out into the public and the entire trust factor between internet connected devices and people using them will deteriorate.

    In order to evade such scenarios, it’s extremely critical to ensure the security, resilience and reliability of internet applications to promote use of internet enabled devices among users across the world.

    Security constraints for IoT are so critical that even analyst firm Gartner came out with some astounding numbers.

    • According to them, the worldwide spend for the IoT security market will reach $348 million in 2016, a rise of 23.7% from $281.5 million in 2015.
    • Through 2018, over 50% of IoT device manufacturers will not be able to address threats from weak authentication practices.
    • By 2020, more than 25% of identified enterprise attacks will involve IoT, though IoT will account for only 10% of IT security budgets.
    banafa-nov-5

    Source: Hewlett Packard’s Fortify on Demand

  3. Privacy issues – The possibility of tracking and surveillance of people by government and private agencies increases as the devices are constantly connected to the internet.These devices collect user data without their permission, analyze them for purposes only known to the parent company. The social embrace of the IoT devices leads people to trust these devices with collection of their personal data without understanding the future implications.
  4.  Inter-operatability standard issues – In an ideal environment, information exchange should take place between all the interconnected IoT devices. But the actual scenario is inherently more complex and depends on various levels of communication protocols stacks between such devices. The OEM’s producing industry ready IoT devices will need to invest a lot of money and time to create standardized protocols common for all IoT devices or else it will delay product deployment across different verticals.
  5. Legal Regulatory and Rights issues – There are no concrete laws present which encompasses the various layers of IoT across the world. The array of devices connected to each other raises many security issues and no existing legal laws address such exposures.The issues lie in whether current liability laws will extend their arm for devices which are connected to the internet all the time because such devices have complex accountability issues.
  6. Emerging Economy and development issues – IoT provides a great platform for enablement of social development in varied societies across the world and with the proliferation of Internet across the various sections of the society in developing countries coupled with lowering costs of microprocessors and sensors will make IoT devices accessible to low income households.

How to prevent future attacks?

There are four interrelated things that need to change if we are to have a chance to combat this growing threat.

  • First, we need to change our culture around networked technologies for example not using default/generic passwords and disabling all remote (WAN) access to our devices.
  • Second, industry leaders need to make security and resilience in digital spaces a priority. When considering overall strategy, whether for an enterprise or a government, cyber strategy must be a key concern.
  • Third, we need to make a serious attempt at prioritizing security in IoT deployments. Security by design, or ensuring that security is built into technology from the beginning for example security at the chip level is a step in the right direction.
  • Fourth, innovators and regulators work together to help align incentives, which are currently behind deploy-first-secure-later approaches, to support security in IoT.

References

  • http://tech.economictimes.indiatimes.com/news/internet/5-challenges-to-internet-of-things/52700940
  • http://www.gartner.com/newsroom/id/3221818
  • http://www.gartner.com/smarterwithgartner/top-10-security-predictions-2016/
  • http://www.mindanalytics.es/2016/03/01/gartners-top-10-internet-of-things-technologies-for-2017-2018/?lang=en
  • http://www.cnbc.com/2016/10/22/ddos-attack-sophisticated-highly-distributed-involved-millions-of-ip-addresses-dyn.html