The Need for Security in the Internet of Things | Part 1: The IoT Phenomenon
In this two-part blog, I first explore the phenomenon that is the Internet of Things (IoT) and how safe it is from a security perspective.
In Part Two of this blog, I will discuss how IoT security can be improved in terms of the role and use of security best practices, tools and testing.
Let’s start with some valuable insight …
“Those who cannot learn the lessons of history are doomed to repeat it’s mistakes”
Wise words from Spanish born, American philosopher George Santyana.
And yet, in almost every field of human endeavor we never seem to learn the lessons, we keep on making the same mistakes again and again and sadly, IoT is no exception.
Arguably, the IoT is the eccentric but brilliant love child of the IT and electronic components industries, with the Internet as its favorite God Parent 1.
But, whereas its parents are for the most part well aware of the need for good security and largely understand the lessons of history (security best practices) needed to ensure cyber-safety 2, the young IoT often seems blissfully unaware of the need to not speak to strangers!
In fact, there have been numerous high profile IoT security breaches in recent years, and with a wide range of IoT solutions and systems.
They can range from the very personal, such as having your home heating controls hacked, to the very serious, such as life-threatening exploits involving personal and public transport.
Here are just a few examples of where cyber-criminals, hacktivists and even government agencies have exploited IoT vulnerabilities; ironically the hacks are often just as ingenious as the IoT solutions they are aimed at.
Examples range from the (apparently) trivial up to and including safety critical exploits:
- The vulnerability that can enable a hacker to take control of a particular brand of internet kettle, but more worryingly, to also obtain the home router password – an important stepping stone to further and more serious personal hacks.
- The internet home heating controller vulnerability that can enable a hacker to take control of your thermostat. While it may not be a disaster if you start feeling a little too warm, imagine what turning up tens of thousands of such hacked devices simultaneously could do in terms of taking an energy supplier offline.
- The Mirai botnet, which launched a massive denial of service attack by mobilising poorly secured IoT devices, such as digital cameras and DVR players, and which was responsible for paralysing much of the United States’ internet recently.
- The 2014 shutdown of operations on a mobile drilling rig vessel that occurred when a hacker penetrated the vessel’s control systems and induced a tilt of sufficient magnitude to stop drilling from taking place.
- Vulnerabilities in safety-critical hospital systems, such as that discovered in an automated infusion device that can allow a hacker to take control of the dosage of medicines patients are receiving.
- Industrial level IoT security exploits, such as the German steel plant in which a hacker exploited a vulnerability which prevented workers shutting down a blast furnace, resulting in massive damage to the plant equipment and potentially lethal consequences for the workers. What could the consequences be if this took place in a nuclear power facility?
- And last but not least, there are numerous documented examples of IoT security exploits in transportation, from those as benign as immobilising cars, all the way through to rumors that a high-profile security researcher may have been able to interfere with flight systems on a commercial aircraft after tampering with and hacking into its In-flight Entertainment system.
Worryingly for me personally, this is not a theoretical risk - I may well be vulnerable to an IoT security breach in my own home.
I rely on a number of IoT solutions (ironically for home and vehicle security) that if hijacked would themselves become essential tools for would be criminals.
When I present on IoT, I routinely show the audience how I can access my home security cameras from my mobile phone, or how I can track the precise location of my car on my iPad.
Ironically, if either system were hacked, the cyber-criminal would know with complete certainty whether there was anyone in the house and where I had gone by tracking my car.
If that isn’t the perfect recipe for a bit of long, slow and leisurely house breaking, I don’t know what is!
Perhaps most worryingly, I blithely put my trust in these IoT security solutions but I have no evidence that they have passed any rigorous security testing.
I have no paper certificate that warrants the systems against casual hacking, and in truth I have absolutely no idea what these systems’ security credentials are!
If the spread of IoT were still relatively small, none of the above would be major concerns. However, we have embraced the IoT with open arms.
It appeals to Gadget Person (who must have the most up to date and showy devices), to the environmentally sensitive (who must reduce their carbon footprint by fine tuning control of their power usage), the weak and vulnerable (who can be monitored to ensure their wellbeing), the ill and infirm (whose various life-signs can be monitored and their treatment fine-tuned).
Over the last few years, interest in IoT has grown from it being a niche technology with a few early adopters, to the present day with many people gaining tangible value from the fast growing IoT market.
In terms of the future, it has been estimated that the total value of IoT over the next few years could be as high as $19 Trillion!
Like the gold rush, generally speaking it wasn’t the people on the ground that made the money, it was the people who were selling the people on the ground what they needed. The tools, the infrastructure and the services.
In IoT, the gold is actually being mined by the inventors, the technologists and the manufacturers, who are devising, developing and taking IoT solutions to market.
These people have a massive responsibility to ensure their IoT solutions and the people using them are as safe as possible; let’s all pray that they do not make the usual mistake, and neglect the lessons of history yet again!
In Part Two of this blog, I will investigate how IoT security can be improved in terms of the role and use of security best practices, development tools and security testing.
1. For those of you who would be comfortable with a more formal definition of what the Internet of Things is, how about – “the Internet of things is the inter-networking of physical devices, vehicles, buildings, and other items embedded with electronics, software, sensors, actuators, and network connectivity which enable these objects to variously collect and exchange data, and effect physical change”
2. This is not to say that we still don’t see security breaches, but these are typically where individuals have ignored known security best practices or through human error, exposed known vulnerabilities.
The Fact and Fiction of Cognitive Computing – Part 1
We've all seen the movies where robots evolve and end up destroying or enslaving the human race, but what are the real facts versus the fiction of cognitive computing?
Arrow Bandwidth Episode 1 – IOT 101: From Sensor to Sunset
Welcome to Arrow Bandwidth, the podcast from Arrow UK to help the channel better understand the trends, technologies and concepts facing the IT industry today.
IoT – The Internet of Treachery
It seems like IOT is the most talked about topic in IT. But when you look beyond the fantastic opportunities, how are we ensuring these devices and solutions are secure?