If you would like to read the other parts in this article series please go to
- IoT: the Threats Keep on Coming (Part 1)
- IoT: the Threats Keep on Coming (Part 3)
- IoT: the Threats Keep on Coming (Part 4)
In Part 1 of this series, I revisited the subject of why the Internet of Things presents such a security challenge as it grows and evolves to include so many of the formerly “dumb” but now increasingly “smart” devices, machines and appliances that litter the landscape of our lives. We discussed the IoT security mentality gap that has prevented users and even security pros from taking the IoT threat seriously, the IoT security vulnerability principle that results from vendors’ lack of transparency about what’s under the hood of their IoT devices, and the durability of hardware that keeps on going like an Energizer bunny long after the underlying software has outlived its security lifecycle.
Awareness is the first step
Security awareness has long been recognized as the first and most important step in mitigating risk, and security awareness training has become big business, illustrating the value that business organizations place on making users cognizant of the threats that are posed both by their choices of hardware/software and by how they use them. Until users and companies wake up to the reality of the IoT threat, it won’t be addressed and the IoT landscape will become a playground for attackers. It’s essential to get a handle on this while IoT is still in its infancy, before malicious code runs rampant.
Education is, of course, the key factor in raising awareness. We must educate consumers regarding the security issues that arise when they blithely plug their shiny new smart toys into their home networks (whether literally or figuratively via wireless). But how do we do that? Companies can and do set up mandatory computer security awareness training sessions for employees, but we’re talking now about millions of home users who purchase their own gadgets.
In a perfect world, new Internet-connected devices would come with detailed printed documentation that prominently includes information about security risks and security best practices. However, printed documentation for most electronic devices has devolved into a single one-sided page that contains a few oversimplified drawings showing you the most absolutely rudimentary instructions for getting the device running. For a while, vendors included a CD with a more detailed manual but now optical media is fast going the way of the dinosaur and honestly, how many of you ever even popped that CD into the drive even back when you had a CD drive?
Perhaps the best we can do these days is to make the device run a program when it’s first set up that points you to a web site where you can get security information about the device (including the particulars about its software and versions, update process and support cycle, best practices and so forth). After all, the web is where we’re used to going now to find out how to use the features of our new devices. And the good news is that putting security awareness training and device security information on the web would allow vendors to present this information in a rich, multimedia environment.
Of course, vendors are likely to argue that putting specific information about device software on the web, open to the public, will make it easier for attackers to devise exploits for it. That’s the old “security through obscurity” argument and it’s a weak one. Attackers are not averse to reverse engineering the code; they’ll have or get the information either way if they target the device. It’s the less technically skilled user who needs to be able to arm him/herself with the same information in order to institute protective measures.
Vendors may also protest that putting up elaborate security awareness training materials to educate their users will be costly. My answer to that is: will it cost more than the loss you’ll incur if your products cause your users to be victimized by attackers? At the very least, that’s likely to result in fewer people buying the product.
IoT danger zones
Even those who are security-aware may be taken by surprise when new technologies pop up with unintended security consequences. For example, some new entertainment devices support IP over HDMI (IPoHDMI), which means that, at least theoretically, even if you decide to unplug your TV from the Internet for security reasons, if it’s connected over HDMI to another device (such as a Blu-Ray player) that’s connected to the Internet, the TV can reach the Internet over the HDMI connection. Whoa.
Think that just because you don’t store any important information on an IoT device, securing it doesn’t matter? Think again. Wearables are open to security vulnerabilities, as well. A couple of months ago, security researchers uncovered a vulnerability in smart watches that you might not have ever anticipated: your watch’s motion sensor might be open to an exploit that would allow a hacker to detect the keystrokes you’re typing on a computer keyboard – an entirely different device. Motion sensors are embedded in smart watches and fitness bands to measure steps for popular health monitoring apps.
Speaking of health: losing your data and your privacy is bad, but the ultimate consequences of IoT hacking could be a lot worse: losing your life. The most concerning IoT security risks are those around the Internet-connected medical devices that are beginning to proliferate. According to a security researcher’s report last summer, it is possible to remotely access some models of drug infusion pumps and make changes to the dosages – potentially causing the pump to deliver a fatal dose or withhold a needed dose of medication.
What about those surveillance cameras that you use to enhance the physical security of your home or office? It’s incredibly handy to be able to check up on the dogs (and the pet-sitter) remotely and see what’s going on, but a hacker could turn those cams against you and spy on what you’re doing when you’re at home, too – or see that you’re not home and break into your house. In addition to making sure you’ve done all you can to secure the cameras (we’ll talk about some of those measures later), it’s a good idea to think about where you have the cameras pointed (and if they have pan and tilt features, what areas can be seen by remotely moving them). Of course, this also applies to cameras that are marketed as “nanny cams” or baby monitors.
Some cameras are more secure than others and logic will tell you that those vendors who sell their cameras at the lowest prices are likely to have invested the least in building security into them, too.
Meeting IoT security challenges
If we took a simplistic approach to IoT security, we might say well, these “things” are really just computers that are connecting to networks in much the same way computers have been doing for decades. We’ve already developed many, many security mechanisms – all sorts of encryption technologies from IPsec to BitLocker and a myriad of security features such as host-based firewalls, whitelisting/blacklisting, IDS/IPS, SIEM, etc. Why would we reinvent the wheel? Why don’t we just apply all these same security measures to IoT devices?
And in some cases, we can. However, IoT devices are different from other computers in an important way. They’re often physically small, they’re dedicated to doing one task, and they tend to be less expensive than a full-fledged computer (although in special cases such as medical devices, the cost may be much more). In general, IoT devices run embedded versions of operating systems that are made to use less power (especially those that are portable) and they have far less CPU power and memory and storage capacity than a typical laptop, desktop or tablet.
One of the problems with security (and one of the reasons that many IT pros who know better turn off security features) is that it requires system resources. Encryption uses a lot of processor cycles. Whitelists and blacklists take up storage space. Security negatively impacts performance, and smooth performance is vitally important in IoT devices, which consumers expect to “just work” – like a toaster. Nobody wants a smart toaster that takes half an hour to get a slice of bread brown because it’s busy with packet filtering to keep an attacker from hijacking it and using it to burn your house down.
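As an added illustration of the point above (this is example configuration written for this article, not something from the original piece or from any vendor), here is the kind of host-based firewall a resource-constrained IoT device running embedded Linux with nftables could carry: a default-deny policy in both directions with a tiny allow-list of the few destinations the device legitimately needs. The addresses and ports are constructed placeholders; the vendor update host, NTP server and the local LAN range would be the real ones for a given product.

```nft
# Example allow-list firewall for an embedded Linux IoT device (nftables).
# Addresses below are constructed placeholders, not real infrastructure.
table inet iot_fw {
    # Every destination the device is permitted to talk to. Keeping this set
    # small keeps the rule footprint small, which matters on a constrained device.
    set allowed_egress {
        type ipv4_addr . inet_service
        elements = {
            192.0.2.10 . 443,   # placeholder: vendor update/support server (HTTPS)
            192.0.2.20 . 123,   # placeholder: NTP time source
            192.168.1.1 . 53    # placeholder: local DNS resolver
        }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state invalid drop
        # Only replies to connections the device itself opened get back in.
        ct state established,related accept
        # Administrative access only from the local network, never from the Internet.
        ip saddr 192.168.1.0/24 tcp dport 22 accept
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        # New outbound connections must match the allow-list exactly.
        ip daddr . tcp dport @allowed_egress accept
        ip daddr . udp dport @allowed_egress accept
    }
}
```

Loaded with `nft -f` at boot, this ruleset means a device that has been compromised or is misbehaving cannot quietly reach arbitrary hosts, and any blocked attempt is a useful signal to log. The cost is a handful of rules and one small set, which is the trade-off the paragraph above describes: security that fits the device’s resources rather than competing with its primary job.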
IoT devices also generally work in a more automated fashion, with less user interaction (especially administrative control) than traditional computers. Consumers are confused enough when Windows asks them whether to trust a certificate or continue with a process that might pose a threat. They certainly don’t want to have to make that decision many times per day for their appliances, cars and entertainment equipment.
That means consumers are going to be relying on vendors to build security into IoT devices from the ground up. Unlike with a desktop or laptop computer, users won’t be able to install their own firewalls, anti-malware programs, anti-virus, security monitoring applications, and so forth. That doesn’t mean users don’t share some of the responsibility for security, though. In Part 3, we’ll talk about all of the specific security measures that are applicable and how they can be combined in a multi-layered approach that will take some of the vulnerability “bite” out of IoT.