You may consider ‘IoT security’ an oxymoron and, unfortunately, for many IoT devices, you’re quite correct. The IoT and security don’t necessarily go together, with many companies and domestic consumers using IoT devices that lack fundamental layers of security. This obviously isn’t ideal.
Disclaimer: This post is not an attack on the Internet of Things (IoT), as there are some useful devices and applications by manufacturers that release products with security by design. Those who do not, need to cease and desist.
“Securing IoT devices is essential for the security of the data and controls on the device, any data and controls on neighboring networks and the internet itself,” said Adam Brown, manager of security solutions at Synopsys.
Is he overstating it? Save the sarcastic “fear mongering” comments as there is sufficient evidence available in the form of high-profile hacks.
IoT-Based Hacks Aren't Trivial
Consider the prevailing misconception that hacking a toaster will limit the hacker to toaster functions such as burning your toast. Is this true? How much of threat are IoT attacks, really?
“The security of an air conditioning control system may seem low risk at first – the initial thought might be “so what, the hackers can only make us too cold, or too hot right?” Wrong – as was famously recorded in 2013 at Target, a breached air conditioning control system was used to steal 41 million credit card details, now costing Target $18.5M,” said Brown. He also added that, in 2016 webcams and internet routers were used to in a coordinated DDoS attack knock out services including Twitter, PayPal, Spotify and many more. All of these security breaches were caused by cases of IoT devices with problematic security.
IP cameras and routers are typical IT hardware but how about children’s toys and the IoT?
“… the “My Friend Cayla” doll is an IoT connected toy. The child asks the doll a question, which is then sent to an app which converts it to text. The text is then used to look the answer up online; returning the answer to the doll. Cayla then speaks the answer back to the child. Cute, and sweet; but German regulators did not see it like this. They saw “My Friend Cayla” more as “My Spy Cayla” and banned the doll on the grounds that it was a surveillance device,” said Avani Desai, Executive Vice President at Schellman & Company, an IT compliance and attestation firm.
Justifiably so, as the doll could easily be hacked using a Bluetooth-enabled smartphone.
Desai is quick to point out that the IoT can be a technology for good. IoT products such as wearables have already helped save lives. One man, “a patient at the Lady of Lourdes Medical Center had been admitted with a heart arrhythmia. Doctors had two courses of action, each dependent on knowing how long the arrhythmia had been occurring. With permission, they accessed his Fitbit and were able to ascertain the facts they needed to give him life-saving treatment,” said Desai.
“To make the most of what can be empowering technology, we need to make sure that the technology is optimized to do its job, but not expose our information,” added Desai.
This is the crux of the issue. Data security must be a priority for all devices connected to our networks.
“In the case of the man saved by his Fitbit, his wife gave consent for the doctors to use the information created by the device. But with the IoT, we need to ensure that not just anyone can steal our data. Internet of Things devices generate lots of personal data. They also, generally, are custodians of other Personally Identifiable Information (PII) like name, address, passwords, and even location,” said Desai.
Therefore, yes, we do need IoT security. Case closed.
Unfortunately, IT teams must still support their networks but what can they do when those networks include both wired and wireless IoT devices that lack inherent security?
Adding Security to IoT Devices
So, we’ve answered why we need to IoT Security. Identifying the necessity is one thing, but can we effectively secure them at the software level?
“Every device can have security provided at a software level, although some devices have a very limited amount of computing power which makes it hard to apply state of the art security practices,” said Julian Weinberger, CISSP, director of systems engineering for NCP Engineering.
How about IoT sensors?
“Devices which only have a sensor and an internet connection might not be able to use advanced security practices to secure it. In this case, an advanced layer of security needs to be built around the device. Ultimately, it is definitely more challenging to provide a high level of security for very small devices at the software level – but it is possible,” claimed Weinberger.
To get to the bottom of it all, we asked Weinberger some probing questions, and the answers (provided verbatim below) are sure to aid those with IoT security concerns.
To ensure IoT security, what is the ideal process involved? For example, do you discard devices that are not ‘secure by design’ as a first step?
When acquiring any IoT device or solution, you should always make sure that it’s secure by design.
In some environments, this might not be realistic because of price point, legacy products or just because you’re not aware if or how they are protected.
If the manufacturer can’t provide detailed information about their security approach, you might want to reconsider the provider. If you already have devices in place, you can build security around the device. This approach usually happens in environments with legacy products.
Also, it is important to make sure the manufacturer has a way to update the devices and provide updates and patches for the lifetime of the device. Most security vulnerabilities become known after the product is already on the market. The lifetime of IoT devices may be way longer than any traditional IT device. When it comes to IoT devices, the lifetime spans from 10 to 20 years. The manufacturer must be able to provide updates and patches for the duration.
What conditions are necessary to secure IoT devices?
Management buy-in is very import. If the management of a IoT manufacturer doesn’t have security on their radar, it’s very hard to provide a secure device.
This happens quite often with IoT startups where the go-to-market is more important than security. Some manufacturers compromise their security approach to achieve a fast way to get the product on the market or even just to cut costs.
If the manufacturer doesn’t support the secure by design approach, most likely the product won’t be secure.
Enterprises should always know the manufacturer’s security approach. If the manufacturer’s security approach is not clear or sufficient for an enterprise, security can be built-in around the devices.
However, building security around IoT devices or adding another layer of security should be an exception and should not become common practice.
How do you secure at the software level? OTA (over the air) or manual updates?
Updates should be pushed by the manufacturer as most IoT devices are not maintained by the owner. Over the years, we have seen multiple breaches caused by devices that were not updated by the owner. This is especially a big issue in the consumer market. Manual updates might even be necessary if the devices are in a restricted area without internet access. At the end of the day, it’s important that the devices receive updates to remain secure.
In cases where a device/sensor is not secure by design but must still be used (for whatever reason) – how does the IT team reduce/eliminate the risk posed if a device update is not possible?
If devices or sensors don’t provide any security or don’t have security built in, usually these devices are separated from the rest of the network. A common practice already, the first step is to separate the network of this device from any other devices. This will make sure that only traffic which is supposed to be sent from the device is permitted. If possible, the source and destination IPs should also be restricted. In addition to separating and restricting the network access, you can also monitor the network traffic. There are multiple tools on the market which analyze the usual behavior and detect any anomalies of the traffic. Strict restriction and monitoring is key here.
Any other observations on the problems facing security teams and how to solve them when it comes to securing IoT?
As of right now, there are no official compliances or guidelines for IoT environments. Just like PCI DSS provides security standards for credit card information and HIPAA for medical information, there needs to be compliances for IoT devices.
In conclusion, as the number of connected devices grows, so does the risk of a hack.
“While botnets used to be restricted to PC and servers, the introduction of more and more connected devices provides the opportunity for gigantic botnets which will be more powerful and uncontrollable compared to botnets of the past,” said Weinberger.
Compliance standards are needed and fast to ensure all manufacturers are producing devices that are secure by design and for the entire product lifecycle.
“IoT software like any other software needs a software security initiative as part of the development cycle making software secure by design. Surely, the future will see IoT device certification, much as we have for hardware today with the addition of a software focus,” said Brown.
IT security teams must keep an inventory of all connected IoT devices, segregating them from the main network if appropriate and from each other if not ‘secure by design’. If they don’t, then the canteen toaster, smart fridge and a few random sensors could be instrumental in compromising your network, allowing hackers to bypass all your expensive endpoint solutions with ease and acquire your data. Is your IoT environment protected? If you’re sure it is, why not hire a penetration tester to prove it? If verified, then it could be valuable publicity.