We can list the threats of IoT under three categories: privacy, security and safety. Experts say the security threats of the Internet of Things are broad and potentially even crippling to systems. Since the IoT will have critical infrastructure components, it presents a good target for national and industrial espionage, as well as denial of service and other attacks. Another major area of concern is privacy, since the personal information that will potentially reside on networks is also a likely target for cyber criminals.
One thing to keep in mind when evaluating security needs is that the IoT is still very much a work in progress. Many things are connected to the Internet now, and we will see an increase in this, along with the advent of contextual data sharing and autonomous machine actions based on that information. The IoT is the allocation of a virtual presence to a physical object. As it develops, these virtual presences will begin to interact and exchange contextual information, [and] the devices will make decisions based on this contextual device. This will lead to very physical threats, around national infrastructure, possessions [for example, cars and homes], environment, power, water and food supply, etc.
As a variety of objects become part of an interconnected environment, we have to consider that these devices have lost physical security, as they are going to be located in inhospitable environments, instantly accessible by the individual who is most motivated to tamper with the controls. Attackers could potentially intercept, read or change data; they could tamper with control systems and change functionality, all adding to the risk scenarios.
Threats are real
Among the recent examples, one involves researchers who hacked into two cars and wirelessly disabled the brakes, turned the lights off and switched the brakes full on—all beyond the control of the driver. In another case, a luxury yacht was lured off course by researchers hacking the GPS signal that it was using for navigation.
Home control hubs have been found to be vulnerable, allowing attackers to tamper with heating, lighting, power and door locks. Other cases involve industrial control systems being hacked via their wireless network and sensors.
“We are already seeing hacked TV sets and video cameras [and] child monitors that have raised privacy concerns, and even hacked power meters which to date have been used to steal electric power,” adds Paul Henry, a principal at security consulting firm VNet Security LLC in Boynton Beach, Fla., and a senior instructor at the SANS Institute, a cooperative research and education organization in Bethesda, MD. “A recent article spoke of a ‘hacked light bulb,’” Henry says. “I can imagine a worm that would compromise large numbers of these Internet-connected devices and amass them into a botnet of some kind. Remember it is not just the value or power of the device that the bad guy wants; it is the bandwidth it can access and use in a DDoS [distributed denial-of-service] attack.”
The biggest concern, Henry says, is that the users of IoT devices will not regard the security of the devices they are connecting as being of great concern. “The issue is that the bandwidth of a compromised device can be used to attack a third party,” he says. “Imagine a botnet of 100,000,000 IoT devices all making legitimate Web site requests on your corporate Web site at the same time.”
Experts say the IoT will likely create unique and in some cases complex security challenges for organizations. As machines become autonomous, they are able to interact with other machines and make decisions which impact the physical world. We have seen problems with automatic trading software, which can get trapped in a loop, causing market drops. The systems may have failsafes built in, but these are coded by humans who are fallible, especially when they are writing code that works at the speed [and] frequency that computer programs can operate.
Suppose a power system were hacked and the lights were turned off in an area of the city. That is perhaps no big deal for many, but for the thousands of people in the subway stations hundreds of feet underground in pitch darkness, the difference is massive. IoT allows the virtual world to interact with the physical world, and that brings big safety issues.
What can we do?
While threats will always exist with the IoT as they do with other technology endeavors, it is possible to bolster the security of IoT environments using security tools such as data encryption, strong user authentication, resilient coding and standardized and tested APIs that react in a predictable manner.
Some security tools will need to be applied directly to the connected devices. “The IoT and its cousin BYOD have the same security issues as traditional computers,” says Randy Marchany, CISO at Virginia Tech University and the director of Virginia Tech’s IT Security Laboratory. “However, IoT devices usually don’t have the capability to defend themselves and might have to rely on separate devices such as firewalls [and] intrusion detection/prevention systems. Creating a separate network segment is one option.” In fact, the lack of security tools on the devices themselves or a lack of timely security updates on the devices is what could make securing the IoT somewhat more difficult than other types of security initiatives, Marchany says. “Physical security is probably more of an issue, since these devices are usually out in the open or in remote locations and anyone can get physical access to it,” Marchany says. “Once someone has physical access to the device, the security concerns rise dramatically.”
It doesn’t help that vendors providing IoT technologies most likely have not designed security into their devices, Marchany says. “In the long term, IT executives should start requiring the vendors to assert [that] their products aren’t vulnerable to common attacks such as those listed in the OWASP [Open Web Application Security Project] Top 10 Web Vulnerabilities,” he says. IT and security executives should “require vendors to list the vulnerabilities they know exist on their devices as part of the purchase process.”
Security needs to be built in as the foundation of IoT systems, with rigorous validity checks, authentication and data verification, and all the data needs to be encrypted. At the application level, software development organizations need to be better at writing code that is stable, resilient and trustworthy, with better code development standards, training, threat analysis and testing. As systems interact with each other, it’s essential to have an agreed interoperability standard which is safe and valid. Without a solid bottom-top structure we will create more threats with every device added to the IoT. What we need is a secure and safe IoT with privacy protected: a tough trade-off, but not impossible.
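As an added illustration of the validity checks, authentication and data verification called for above (example code, not from the original article), a receiver can authenticate a command, reject replays and range-check the value before acting on it. The device name, key, message fields and setpoint limits are assumptions constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed demo values; device name, key and limits are assumptions.
DEVICE_KEYS = {"thermostat-01": b"constructed-demo-key"}
SETPOINT_RANGE_C = (5.0, 30.0)  # physically sensible heating setpoints
last_counter = {}               # highest counter accepted per device


def sign(device_id, counter, setpoint_c, key):
    """Sender: serialize the command and attach an HMAC-SHA256 tag."""
    body = json.dumps({"id": device_id, "ctr": counter,
                       "setpoint_c": setpoint_c}, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def accept(body, tag):
    """Receiver: return (ok, reason); no field is acted on before the tag verifies."""
    try:
        msg = json.loads(body)
        device_id, counter, setpoint = msg["id"], msg["ctr"], msg["setpoint_c"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed"
    key = DEVICE_KEYS.get(device_id) if isinstance(device_id, str) else None
    if key is None:
        return False, "unknown device"
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many tag characters matched.
    if not hmac.compare_digest(expected.encode(), str(tag).encode()):
        return False, "bad tag"
    # Replay guard: the counter must be an integer that strictly increases.
    if type(counter) is not int or counter <= last_counter.get(device_id, -1):
        return False, "stale or invalid counter"
    # Validity check: numeric and inside the physical range (NaN fails too).
    if type(setpoint) not in (int, float):
        return False, "invalid setpoint"
    low, high = SETPOINT_RANGE_C
    if not low <= setpoint <= high:
        return False, "setpoint out of range"
    last_counter[device_id] = counter
    return True, "ok"
```

A rejected message does not advance the stored counter, so an out-of-range command cannot be used to lock out the next legitimate one.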