If you would like to read the other parts in this article series, please go to:
- IoT: the Threats Keep on Coming (Part 2)
- IoT: the Threats Keep on Coming (Part 3)
- IoT: the Threats Keep on Coming (Part 4)
In early 2015, I visited the topic of Securing Your Network in an Internet of Things. As an emerging and rapidly evolving phenomenon, IoT presents some of the biggest challenges to network and data security and will continue to do so for the foreseeable future. IoTT (the Internet of Things Threats) is a subject that grows on a daily basis.
In the months since that article series was written, IoT devices have proliferated and new, heretofore unconsidered threats have reared their ugly heads. Although I usually wait a year or so to revisit the same topic, in this case I think it’s time to take a second and closer look at how IoT is drastically changing the security landscape and some precautions that we can take to protect ourselves from the risks that go along with embracing this exciting (and unstoppable) new paradigm.
The IoT security mentality gap
Perhaps the most disturbing thing in relation to IoT security is not the threats and hacks themselves – although some of them are pretty scary – but the “head in the sand” approach that so many consumers and even IT professionals seem to take when it comes to their Internet-connected “things.” People who would never put their laptops or desktop workstations online without the assurance that they had proper security protections in place think nothing of hooking up a new smart TV or surveillance camera to their networks without an iota of information about the software it’s running and what vulnerabilities that software might contain.
I think there are multiple reasons for this security mentality gap surrounding IoT. The average consumer might not really grasp the fact that all of these devices that are capable of connecting to the Internet are actually special-purpose computers. They sort of understand that their cars have computers inside, but they don’t think that through to the point of realizing that those computers have firmware and run operating systems and application software, all of which is vulnerable to attack just as those same components in their PCs are.
We’ve already been through this and seen this disconnect to some degree with smart phones. Despite the many security vulnerabilities that are found in these devices – including Android and iOS as well as Windows Phones – many people use, on a daily basis, older phones that are running unpatched operating systems, and many people jailbreak their phones and/or install third party applications that haven’t been vetted for security.
Finally, people are beginning to come around to the reality that the tiny computers in their pockets are just as in need of security as the ones that sit on their desks or laps, especially since many of them use their phones to do online banking, make credit card purchases, and connect to both their home and their corporate network’s resources. No such awakening, however, has as yet come about regarding the “things” that don’t look and act like computers but are.
Another reason that the IoT devices are less secure is that even those people who do recognize them as computers may not understand just how the software in these devices is developed and integrated. The thing is, the companies that are producing and selling “smart” TVs, refrigerators, lighting systems, thermostats and so on are not, most of the time, tech companies. They’re television/entertainment companies, appliance makers, lighting specialists and HVAC companies. IT isn’t their core competency and security isn’t their business.
That means the vendor a) hires programmers who might or might not be security-conscious to write the software or b) uses software written by third parties to power the “smart” elements in their devices. Either way, we end up with a serious security gap.
Finally, the users of IoT devices think that because these “things” are superficially much simpler (from the user perspective) than “real” computers, that means they must be a lot easier to secure. It stands to reason; a simple system is easier to protect than a complex one. The problem is that many IoT devices require complexity “under the hood” in order to deliver that simplified user experience. And under the hood is where the hackers and attackers frolic.
The IoT security uncertainty principle
One big problem with IoT devices is that we know so little about them. You might be skilled at deciphering Windows output, reading log files, checking configurations and pinpointing problems, but what do you know about the code that runs on your smart washer and dryer?
Do you know anything about the version of the software that it’s running and whether or not it’s up to date? Do you know what vulnerabilities that product shipped with and whether or not they’ve been fixed? It’s probably a safe bet that the company that makes your connected smoke alarm doesn’t have a monthly Patch Tuesday when it lets you know how many and what types of vulnerabilities it’s fixing.
In fact, do you even know who is responsible for updating your IoT “thing?” Is it the appliance manufacturer who made the hardware or the programmer who wrote the software? We run into that point-the-finger merry-go-round with computer vendors, operating system makers and application developers now, but it’s much worse in the IoT world, where so many different software components are pulled together for many devices.
In selecting one brand of IoT device over another, do you have enough information to make a decision as to which is more secure? Is that information even available, anywhere? Most consumers buy appliances, entertainment electronics, household systems, etc. based on price and features, with little thought to the security of the software. Do you worry about your car being hacked? Maybe you should, now that motor vehicles’ computer systems are connecting to the Internet as well. Andy Greenberg made big headlines last summer with an article on how hackers remotely “killed” his Jeep on the highway while he was driving it.
Although there has been some controversy over the Jeep-hacking post and the feasibility of it occurring in the wild without physical access to the vehicle, there’s no doubt that as cars become more and more computer-controlled and connected, they will inevitably become the targets of some attackers. The bigger the “wireless attack surface” – the presence of technologies such as Bluetooth, Wi-Fi and 4G, along with wireless systems monitoring and keyless entry, all of which operate over radio signals (some of which require close physical proximity and some of which don’t) – the more hackable a vehicle will be.
Whether we’re talking about cars or television sets or the systems that control our home comfort and functionality, though, the problem is the same: We just don’t know whether the vendors of these products are ensuring that the software (which, in most cases, was written by someone else) is secure and whether they are keeping it updated. Most IoT devices update automatically, and may not even leave you a log record indicating that the update was done. If you do get a message telling you that the software was updated, it’s highly unlikely that it will provide details on what that update included or what vulnerabilities it fixed.
If you’re enough of a nerd – and paranoid enough about security – to want to take it upon yourself to verify that your IoT devices are running the latest and most secure versions of their software, even that may not be easy. Some product vendors are unwilling (or perhaps incapable, at their consumer tech support levels) to tell you even what software is running on their devices. Their philosophy seems to be “just trust us” but how do you know you can?
The unequal obsolescence dilemma
In addition to the obscurity that surrounds the underlying software on so many of our IoT devices, another issue that makes IoT security such a challenge is the durability of the hardware components. Although we all know people who are still using their ancient desktop computers from the early 2000s with XP (talk about a security nightmare), people tend to replace their systems more often than that, because modern applications require newer hardware to run properly and new peripherals may not even connect to old machines, at least not without a myriad of adapters (and then there’s the driver issue).
On the other hand, many, many people keep TVs and refrigerators for 20 years. Before these machines “got smart,” that didn’t pose a problem. As they get connected to our networks, that longevity means that the hardware far outlasts the software, or at least the vendors’ ability to keep the software secure. At some point, IoT manufacturers will stop providing software support, including security updates, for older models of their products. Traditional computer software vendors do this, too, of course – but when that happens, the headlines explode with the news: “Microsoft ends support for XP” lets users know (whether or not they act on it) that their OS has just become a security risk.
Do you think TV and thermostat vendors are going to make big announcements when they drop support for a particular version of their devices? I don’t see that happening. And it’s also likely that many of the makers of lower end IoT products will simply go out of business, auto updates of the software on their devices will stop happening, and most of their users will never even know.
What’s the solution?
At first glance, it might appear pretty hopeless. How can we ever hope to gain control of an Internet full of so many “things” with such diverse purposes, made by so many different vendors? And as with IT security in general, it would be unrealistic to think we’ll ever achieve perfect or even near-perfect security. But there are definitely ways to improve on the current situation and steps we can take to address the challenge that the IoT cloud is bringing. In Part 2, we’ll take a look at what can be done from the standpoint of consumers, business, and government to make our Internet of Things safer for us all.