How Secure is the Internet of Things?

It’s easy to get carried away with new buzzwords and technologies, especially if you are a technophile. Haydn Povey fits into this mould as his self-confessed love of gadgetry shapes not only his home life but also his desire to ensure that everything in the rapidly developing Internet of Things (IoT) is safe.

Until recently, Povey was responsible for strategy and product roadmaps for security within the IoT and machine-to-machine (M2M) marketplaces at Cambridge, UK-based chip designer ARM, working closely with US and UK governmental agencies and alongside leading silicon vendors, OEMs, system integrators and software solution providers. Povey is today working independently and as a technical associate at Beecham Research.

IoT is top, or near the top, of the agenda for many industry watchers but how secure is it? Are we on the verge of meltdown or does the industry have a cunning plan up its sleeve? I spoke to Povey to get an expert view on these and other questions.

 

Q. In your opinion, what is the worst that can happen with an IoT security breach?
Naturally we are all worried when our data is lost, or captured, or when bank details are targeted. However, with IoT these systems will be so tightly intertwined with our daily lives that any breach could significantly impact the way we live and how we interact with our own homes.

Q. So is IoT cybercrime inevitable? Should we be worried about putting heating control systems on the internet, for example, or has there been a lot of scaremongering? 
When we look at more critical systems, such as heating and water, the impact could be massive. If an attacker can switch off the heating in winter, or can impact the hot water in our homes, people will become truly outraged, and vulnerable people may, unfortunately, die. Beyond this is the realm of connected medical devices. Here, security is already a bigger priority, so the probability of a successful attack is lower but, as we saw with Shellshock, even fundamental technologies have flaws and hence can be potentially compromised.

Q. Do all devices have flaws? If so, this is surely a massive headache in the making?
Yes, the reality is that any connected device will have flaws, and will be targeted at some level. While the doomsday scenarios are exactly that, pathological thinking, it is only by thinking like the “bad guys” that you can design trusted systems. The reality is that attacks will be driven by perceived effort-versus-reward calculations. If I can compromise a system and “ransom” the homeowner easily then we will see these attacks. If the attack is hard, and the fix is a simple ‘on-off’ reset, then the risk is low. If the attack is easy and the reward is high then the risk is high.

Q. So who are we talking about here? Governments? Crime syndicates or kids in bedrooms?
Some attacks will be from script-kiddies looking to show off their skills by breaking badly designed products, but will not be pathological in intent, apart from the odd “revenge” attack.

Other attacks may be driven by organised crime or as aspects of cyber-warfare. Unfortunately these threats are very real, and we need to ensure that systems are built to not be subject to widespread systematic attacks, or not be used as hosts for DDoS (Distributed denial-of-service) attacks. The principles for avoiding these attacks are well known; it is just that best practice is not always implemented. I believe we should implement a best-better-best strategy. We don’t need to boil the ocean on security today, but we need to implement robust chipsets that go beyond just encryption technology, and then over time improve these.

Q. A year ago, former US vice president Dick Cheney said he feared his pacemaker could be hacked and switched off. Is IoT a real threat to healthcare?
The question becomes: if it is possible, how likely is it? I hope today the risk is fairly low, both because of the features most medical device vendors put in their devices, and because very few organisations would have the capability and desire to drive an attack. Having said that, the pathological case still exists that exploits can be found by organised crime and utilised to blackmail medical vendors for large amounts of money.

Q. Are we looking at it the wrong way? Should we see potential IoT device security issues as a gateway and not necessarily the main target then?
Most definitely! Security is traditionally seen as a cost but in reality it should be seen as a core feature, and benefit, that enables the development and delivery of a new range of applications. As an analogy, the use of security in mobile handsets is enabling the development of integrated payment technology and BYOD (Bring Your Own Device) capability in devices. For example, the Samsung Knox program is transforming how devices are used in enterprises, and this can only be done with a secure platform. In IoT, the development of Big Data applications can only be achieved with trusted data, and trusted data can only be sourced from secured devices.

Q. So the responsibility for security and security breaches lies at the door of vendors?
As usual, security breaches must be the responsibility of the vendors, either hardware or software, or often both. The goal has to be to assume devices will become compromised at some point but there must be mechanisms, such as secured FOTA (firmware over the air) to remediate any attack. To err is human, but the vendors must then be able to fix what has been broken.

Q. What should key infrastructure vendors be doing to minimise risk?
The move to good standards is the first step for many vendors. The use of TLS-based communications security, the utilisation of RESTful application interfaces and strong encryption makes a good start. However, platforms and infrastructure have to put themselves in the attacker’s shoes and think “how would I break this?”, rather than just relying on core technologies.

Q. Standards: will everyone agree on them, given the scale and breadth of devices and networks?
We are seeing the emergence of many standards, and all of them point to strong security at some level, again from a crypto, TLS or RESTful level. However, I do believe we need to go beyond this to develop standards, practices and principles across the entire lifecycle of the devices – from authentication and authorisation, through to on-going anti-virus management and, ultimately, device retirement. These aspects are not broadly agreed on today but need to be well thought out to ensure we have a simple-to-use, as well as a secured, IoT.

Q. Are security forces up to speed and capable of policing any breaches or, as Europol warns, will IoT mean that it’s ‘open season’ for a new breed of organised criminal?
I believe the security forces are actually at the forefront of identifying the risks associated with IoT and M2M in general, and have outlined a number of good practices across industrial systems including SCADA. For example, the Department of Homeland Security and the Centre for Protection of National Infrastructure do give guidance in these areas.

However, there is a significant gap emerging between good practice and real-world implementation, and it is here that the threat lies. We have seen early IoT systems breached, including white goods and lighting systems; the question is how industry reacts to these early setbacks and decides if these are the grim reality or just aberrations. My call is certainly for the former.

Q. Should governments be doing more to legislate?
Governments have a challenging role here. They are not, and should not be, the arbiters of technology or technological evolution. However, they do have a role in setting the framework and good practices, and indeed are doing this through the work highlighted earlier and through working with NGOs such as the Council on Cybersecurity.

Legislation is a blunt instrument, as we have seen with traditional IT security legislation, but setting high-level goals and challenging vested interests is in the best interests of the entire industry.

Q. What is the biggest challenge facing businesses and professionals in the security industry with IoT?
The biggest single issue is that devices, platforms and systems are not perfectly implemented and never will be. Any code of more than 100 lines has a bug and any of more than 1000 will, on average, have a significant issue. Given that embedded devices are now being coded in the megabytes, by multiple people, in different geographical locations, means that exploits will always exist. The challenge is how we deal with that over very long time periods. When you purchase a new washing machine you expect it to last at least five years and hopefully longer than 10. Personally, mine is approaching 12 years old. How do we protect these systems in the field over these long lifecycles when we don’t know what exploits are possible and how easy they are to harness into an attack?

Q. What did you learn from Heartbleed?
Heartbleed, similar to Shellshock, is a strong example of the last question. When even well trusted, and massively utilised, articles of techno-faith are found to be fundamentally flawed we have to wonder how we can mitigate these issues over the long term. For many home routers, the solution to Heartbleed has been to bin the device and purchase a new one; we cannot allow this to be the case for white goods and heating systems in the IoT.

Q. Would it be possible in a few years to bring a town or country to a standstill through an attack on an IoT network?
Certainly this is already the case for many critical M2M systems, and this is what has pushed governments to give stronger guidance on SCADA and industrial control systems. For IoT this is certainly possible based on many of today’s implementations, but hopefully as we build out the IoT we will have learnt our lessons well and can avert this threat.

 

Marc Ambasna-Jones is a freelance writer and communications consultant who has written about technology trends and issues for over 24 years for national newspapers, as well as consumer and business magazines. He can be found on Twitter @mambjo.

Marc Ambasna-Jones

Marc Ambasna-Jones is a UK-based freelance writer and media consultant and has been writing about business and technology since 1989.