If Hollywood has taught us anything, it is that robots ultimately will turn on their creators and destroy them. We are seeing this scenario playing out today in the emerging Internet of Things, which has become a platform for online attacks.
All right—this analogy is not very good. It is not really the Internet of Things that is attacking us; it is just a tool that is being exploited by the usual suspects. And it is not destroying its creators; it is only making life and work more difficult for its users. Still, the IoT is another example of the Promethean hubris of creating something without considering the consequences. Like computers and the Internet before it, the IoT follows the classic pattern of build it now, worry about security later.
Fortunately, we are beginning to pay attention to the security—or lack of it—in the IoT. Analysts are documenting problems, guidelines are being created for developers, and manufacturers are hardening devices. Unfortunately, there are millions of vulnerable devices already deployed, and the hardening on many devices being sold today falls far short of what it needs to be.
Is it too late to secure the IoT, or are we doomed to playing another losing game of catch-up? At the risk of sounding like a pessimist, I’m afraid we’re going to continue playing the game.
The IoT is not a single, definable network. It is simply the collection of networked devices—sensors, controllers and others—with software that makes them Internet addressable. They are called “smart” devices, but they are not necessarily very smart. They can, however, communicate with monitors, other controllers and with each other, and too often with anyone who cares to contact them. Remotely accessing a smart thermostat does not seem like a serious threat, but that thermostat also is a computer, and once compromised it can become a platform for other malicious activity.
Researchers Ory Segal and Ezra Caltum at Akamai recently traced a spate of attacks from the IoT to known vulnerabilities in the default configuration of the operating systems of many devices, including video surveillance cameras, satellite antenna equipment, networking equipment, Network Attached Storage devices, and others. “These devices are now actively being exploited in mass-scale attack campaigns against Akamai customers,” they wrote in their report.
There is no effective way to fix the vulnerabilities, and they call this the “Internet of Unpatchable Things.” They do offer recommendations for mitigating the risk, including changing vendor defaults on SSH passwords and keys, disabling unneeded functions on devices in front of firewalls, and minimizing connections and communications with devices behind firewalls.
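One way to check a device fleet against those recommendations, as an added example that is not from the Akamai report. It assumes the devices run OpenSSH and use its `sshd_config` format; the choice of which settings to flag, the device names and the sample keys are constructed for illustration.

```python
import base64, hashlib, re

# keyword -> (values treated as risky, OpenSSH default when the file is silent).
# Which settings count as "unneeded" is this sketch's assumption.
CHECKS = {
    "passwordauthentication": ({"yes"}, "yes"),
    "permitemptypasswords": ({"yes"}, "no"),
    "allowtcpforwarding": ({"yes", "all", "local", "remote"}, "yes"),
    "x11forwarding": ({"yes"}, "no"),
}

def effective_settings(config_text):
    """Global sshd_config settings; the first occurrence of a keyword wins."""
    seen = {}
    for raw in config_text.splitlines():
        m = re.match(r"\s*(\w+)[ \t]*=?[ \t]*(.*)", raw)
        if not m:                      # blank line or '#' comment
            continue
        key = m.group(1).lower()
        if key == "match":             # conditional blocks are not evaluated here
            break
        seen.setdefault(key, (m.group(2).split() or [""])[0].lower())
    return seen

def risky_settings(config_text):
    """Checked keywords whose effective value is in the risky set, sorted."""
    seen = effective_settings(config_text)
    return sorted(k for k, (bad, default) in CHECKS.items()
                  if seen.get(k, default) in bad)

def fingerprint(pubkey_line):
    """SHA256 fingerprint of a 'type base64 [comment]' public key line."""
    digest = hashlib.sha256(base64.b64decode(pubkey_line.split()[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def shared_host_keys(inventory):
    """Fingerprints seen on more than one device: a sign of a factory key."""
    by_fp = {}
    for device, pubkey_line in inventory.items():
        by_fp.setdefault(fingerprint(pubkey_line), []).append(device)
    return {fp: sorted(d) for fp, d in by_fp.items() if len(d) > 1}

def _fake_key(seed):                   # constructed blob, not a real key
    return "ssh-ed25519 " + base64.b64encode(seed).decode() + " root@device"

# Constructed sample data: device names, keys and config are illustrative.
SAMPLE_INVENTORY = {"camera-01": _fake_key(b"factory-image"), "camera-02": _fake_key(b"factory-image"),
                    "nas-01": _fake_key(b"regenerated-on-first-boot")}
SAMPLE_CONFIG = "# shipped configuration\nPort 22\nPasswordAuthentication yes\nX11Forwarding no\n"
```

On the sample data, `risky_settings(SAMPLE_CONFIG)` flags password login and TCP forwarding (the latter because the file is silent and the OpenSSH default applies), and `shared_host_keys(SAMPLE_INVENTORY)` groups the two cameras that still present the same host key.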
Looking forward, the Cloud Security Alliance has released guidelines for designing and developing secure IoT products. Brian Russell, chair of the CSA’s IoT working group, calls the guidelines “a strong starting point for organizations that have begun transforming their existing products into IoT-enabled devices.”
It is a detailed and lengthy document—75 pages—but it breaks out the top five security concerns that should be addressed in engineering practices:
1. Design and implement a secure firmware/software update process
2. Secure product interfaces with authentication, integrity protection and encryption
3. Obtain an independent security assessment of your IoT products
4. Secure the companion mobile applications and/or gateways that connect with your IoT products (e.g., encryption/privileges/authentication)
5. Implement a secure root of trust for root chains and private keys on the device
“Focusing on these top 5 items will begin to increase an IoT product’s security posture substantially,” the authors write. They add that this does not excuse developers from reading the rest of the document.
Experience has shown, however, that even with the best development practices, software continues to have vulnerabilities. The millions of vulnerable devices already online and the difficulty of patching or upgrading the millions of devices that will be added to the IoT every year make it likely that we will be playing catch-up with IoT security for many years to come.