Revealing the Potential and Risks From the Coming Together of IoT, AI, and C...
IoT, Security & the Path to a Solution
1.
2. IoT, Security & the Path to a Solution
In October, internet users around the United States were flummoxed when they couldn’t access
a number of their favorite sites—like Twitter, Netflix, Amazon, Spotify, and Reddit—for a good
chunk of an entire day. No, the electricity didn’t go out; quite the contrary. It turned out that Dyn,
a company that oversees a substantial amount of DNS infrastructure, was the target of a
prolonged cyberattack.
Here’s what happened: Dyn was hit with a distributed denial of service (DDoS) attack, which
involves a group of infected devices called botnets overloading servers with traffic until they
buckle under the volume and are knocked offline for an extended period of time.
Here’s the catch: While botnets usually are made up of computers, the specific botnet
responsible for this attack—called the Mirai botnet, a publicly available malware—is made up of
Internet of Things (IoT) devices, like DVR machines, routers, and digital cameras. Since the
attackers had so many different and unsuspecting devices to launch the attack from, it made it
that much more difficult for Dyn to ward off the invaders and get its servers back online.
It’s one thing for the average internet user to realize their laptop is being compromised. It’s quite
another for them to think their connected washing machine is being used to stage cyberattacks.
To date, the attack against Dyn was the largest DDoS attack that we know of. While in the past
DDoS attacks were seen as annoyances because attackers couldn’t leverage that many
machines at once, the rise of the IoT and the emergence of an innumerable amount of
connected devices has made many systems incredibly more vulnerable to cyberattacks, as the
Dyn incident demonstrated so clearly.
While IoT devices ostensibly make life easier—think nanny cams, connected refrigerators, and
smart home infrastructure—most IoT agents lack serious built-in security because, in an effort to
gain market share in a highly competitive market, manufacturers rush their products out. As
things stand now, security takes time.
The attack on Dyn is just the tip of the iceberg. In the grand scheme of things, not that many
connected devices were involved in the attack. According to Gartner, there are already 6.4
billion connected gadgets in the IoT ecosystem. Research projects there will be a whopping 50
billion connected devices by 2020. If hackers were able to do what they did to Dyn with a
relatively small amount of devices, imagine the fury they could unleash by commandeering a
substantial amount of them?
The security of IoT devices—or more appropriately, the lack thereof—is a major issue. Most IoT
devices have a false sense of security due to typical weak encryption, the use of default
passwords (i.e., many devices across the IoT ecosystem can be accessed with the same
password), and the lack of update capabilities. For example, one recent study of 4,000 different
3. devices revealed that there were only 580 unique keys protecting them. Gain access to one
device, and sooner or later you’ll gain access to another with the same key.
These security flaws are frightening, to say the least. But, despite the limited murmurs from
Silicon Valley indicating there’s a concern, is there really a path to a solution? What can the tech
community do to prevent cyberattacks like the one that crippled Dyn from happening again?
The State of IoT & Security
If we really want to grow the IoT market, we need to get rid of the increasing security and
privacy issues that are built into it. It’s that simple.
As things stand now, there’s a lot of optimism with respect to the future of the IoT market. Not
only does the IoT promise convenience in our personal lives and increased efficiencies in the
business world, pundits believe the technology will have a profoundly positive impact on the
economy, too. According to IDC, the Internet of Things market will eclipse $1.7 trillion by 2020—
quite the uptick from the $655.8 billion the market hauled in during 2014.
Despite that traction, the security threat will be growing faster than the market with each new
additional advice added to the mix. If we want to realize the true benefits that the IoT promises,
we can’t allow that to happen. Every device—from the most inconsequential to the most
important—needs formidable security.
When you use your laptop or mobile device, you’re constantly monitoring it to make sure it’s
working as it’s designed to work. IoT devices are quite different. Once you install your smart
refrigerator, you generally don’t tend to check up on it periodically to make sure that it’s still
connected to the internet and working as designed. Really, all you care about is that it keeps
your food cold. Because IoT devices are left alone once they’re installed, no one is looking after
them—except for the hackers that are ready to take control of them.
Though the technology promises to be transformative, the IoT has gotten a lot of bad press over
the years. Remember the Target hack of 2013? Intruders initially breached Target’s system by
gaining access through a third-party refrigeration, heating, and air-conditioning subcontractor.
Because someone hacked their refrigeration system, the mega-retailer was eventually forced to
fork over upwards of $162 million to settle the issue.
Should these kinds of problems keep occurring, the market may very well collapse by itself as
people—and businesses—stop trusting IoT devices altogether. Of course, we are still quite far
from that tipping point, as people, for the most part, are not that privacy- or security-conscious.
(Just think about how much personal information your friends and family members share on
Facebook.) Beyond that, most IoT devices are “imposed” on us as part of other devices (e.g., a
smart coffee maker) and are seen as inevitable. But things can certainly change if major
breaches continue to occur.
4. Keep in mind that, according to security expert Bruce Schneier, there are three ways hackers
can cause problems with data:
● Confidentiality. By accessing your private data, your secrets can be aired out in the
open. The Ashley Madison hack showed up how the loss of confidentiality can affect
owners of data.
● Integrity. Hackers can alter your data—making it appear you were somewhere when
you weren’t or you said something that you didn’t.
● Availability. Attackers can also prevent you from accessing or controlling your devices.
Imagine a hacker gaining control of your connected car’s control mechanisms, leaving
you unable to steer or brake.
While we’ve seen what happens when data confidentiality is compromised, there haven’t been
as many well-publicized and harmful infractions against data or device integrity and data or
device availability. That may change soon.
Still, security issues still play a major role in the IoT market nonetheless. If we want to realize
the true potential of the IoT, it’s now or never that we figure out how to improve the security of
all connected devices. Because most IoT devices are early generation and have short lives,
there is still time to consider the issue seriously. But as IoT devices assume more and more
responsibility, performing more and more critical functions when it comes to running our houses,
production plants, hospitals, and health monitoring devices, among other things, we will soon
reach a point of no return where the issue won’t be manageable. For that reason, it is imperative
that device makers and members of the IoT community solve this problem quickly. Otherwise,
we may miss out on many game-changing technologies as consumers look for more secure
alternatives.
The October DDoS Attack: How Much Security Do We Have?
According to a summary of the October attack, 100,000 Mirai-infected IoT devices were
involved in the DDoS assault on Dyn’s servers. Attack rates as high as 1.2 Tbps were
reported—which is quite significant, as most sites are unable to handle rates higher than 10
Gbps (large companies would have a hard time handling 100 Gbps). Some security researchers
believe the hackers—having access to as many as 500,000 compromised devices—were
actually taking it easy on Dyn.
While the Dyn attack is not the first hack through the IoT nor the first DDoS attack—the same
method was used to knock France-based hosting provider OVH offline in September—it’s
visibility was much larger because it disrupted a key DNS service that provides IP address
5. lookup functionality for major websites. Amazon Web Services (AWS), for example, hosts many
key services, including Netflix.
What’s more, the assault on Dyn’s servers gained exposure because of its simplicity. The
intruders used the publicly available malware Mirai, after all.
At the time of the attack, analysts estimated that 1.2 million IoT devices were infected with the
Mirai botnet, though only about 166,000 of those devices were active. This is an interesting
kernel of information to say the least. It suggests that most of the devices in the IoT ecosystem
today are gadgets that have short lifespans. After consumers get the most out of them, they
either break or a newer version comes out. Then it’s on to the next.
Of course, this will change in the future as more and more devices assume critical roles and
people can’t live without them, both figuratively and literally.
While most of the security issues inherent in IoT devices are unknown by the general public, the
IT world is aware of the weaknesses many of the gadgets have. Some of the security issues
found in the IoT ecosystem are as follows:
● For the most part, IoT devices aren’t under 24/7 monitoring. In addition to someone
being able to physically change an unattended device, there’s also the risk of malware
being installed on one—which could steal data and change programming. Believe it or
not, HP says 70% of IoT gadgets are susceptible to hacking and there is an average of
25 vulnerabilities on each device.
● In an effort to get their products to market as quickly as possible, a number of IoT device
manufacturers don’t even add encryption to their products. For example, one connected
car startup was found to not have encrypted communications sent from the car to the
server. If a bad actor were to intercept that data, there could be serious consequences
up to and including commandeering the vehicle.
● A new startup might put out a great IoT gadget. Over time, the startup can either go
bankrupt or be acquired by another company. Should that happen, there might not be
anyone around who’s thinking about the security of each device the startup used to
make. This could lead to severe vulnerabilities in devices that a handful of users depend
upon.
Despite the awareness of the IT community, at this point no one has come up with a path or a
solution that would be easily acceptable and deployed by all organizations in the IoT world, e.g.,
an ISO standard or a certification. As it stands now, IoT devices have to comply with hardware
and network security standards—you can’t sell something that might catch on fire by
overheating or something that would interfere with a pacemaker’s signal, for example. But when
it comes to security and privacy, it’s the Wild West.
6. The key issue is that infected IoT devices on their own might not cause any direct harm. But
when they work in a network environment, their behavior can be quite disastrous. For example,
imagine your connected thermostat increasing the temperature as high as it can go while
locking your doors and windows. Or maybe your connected refrigerator gets compromised and
an intruder raises the temperature to the point all your food spoils. Worse yet, imagine your
smart door lock is hacked, enabling culprits to physically enter your home while you’re at work.
The possibilities are truly endless, especially as more and more devices enter the market.
On the upside, there have been some initiatives proposed by groups focusing on fixing the
problem before it spirals out of control. For example, the Broadband Technical Advisory Group
(BITAG) suggests that manufacturers ship devices with up-to-date software while also following
best practices for encryption. The group also wants to ensure there’s an easy way for users to
notify manufacturers of any bugs or vulnerabilities they may notice while using the product. That
way, problems could be addressed right away. BITAG has some more recommendations, too.
But unfortunately, it’s not a regulatory body, so the group has no real power. Will industry
players acquiesce?
As mentioned previously in this ebook, not only do device manufacturers and IT technicians
need to protect the IoT devices and technologies that are already out there, they have to figure
out how to secure the information and data that’s being transmitted. Once the data and the
devices are out in the world, they are no longer protected. For these reasons, we need to act
now before too many devices are out there with no protection at all—which could kill the IoT
prematurely.
A Few Possible Solutions
Who knows what the cybersecurity community will ultimately agree needs to be done in order to
ensure the confidentiality, integrity, and availability of data and devices in the IoT ecosystem.
But one thing is certain: We must act, quickly, if we wish to see the full potential of IoT
technology.
From hardcoded passwords that can’t be changed to security credentials that have never been
changed to reused security keys across multiple devices, it appears as though IoT device
manufacturers are violating every basic security practice. And the worst part about it is that
unlike smartphones, tablets, and laptops, once IoT devices are out in the world, they cannot be
updated (for the time being, anyway).
Before we can solve the problem, we first need to recognize the scale of the issue and
understand that we need to act differently at different levels of the ecosystem:
● At the user level, it’s all about education. Users need to be aware of the multitude of IoT
devices they have as well as the status of each device and any potential issues. As
such, all IoT devices should have a unique identifier with a central repository where their
7. status can be checked. Users should also be encouraged to register their devices in
order to receive security bulletins and, potentially, patches down the line.
● At the hardware level, a kill switch should be available that can quickly disable a device.
This way, users can be sure that in the event they suspect their devices may be
compromised, they can shut them off immediately. Furthermore, devices that have no
activity over long periods of time should be disconnected from the network.
● At the network level, it might be time for a new type of technology altogether. IoT
devices are highly distributed data nodes that constantly exchange information in hubs
or mesh networks, connected to the cloud or not. All of these different combinations
make it difficult to understand who or which entity to trust in terms of data security and
access to the device. The good news is that one technology has been invented for the
use case where there is no central authority that can be trusted: blockchain, the highly
decentralized and distributed ledger.
Blockchain technology already powers cryptocurrencies like Bitcoin and Ethereum. As more
and more IoT devices become part of the ecosystem, blockchain technology can enable specific
gadgets to connect to one another securely, with authentication, without the need for a central
authority to monitor and facilitate the connections.
Already, there have been some initial efforts to adapt blockchain technology to IoT devices.
Companies like Filament and IOTA have made inroads into the space. These companies are
still in the early stages, but they are pursuing what is likely one of the only paths to ensure
proper security throughout the IoT ecosystem.
Steps to More Security in the IoT Market
As we’ve seen, there are a few paths that lead to securing the IoT. But the question still
remains: How can we put blockchain technology in place in a coherent, simple, and organized
way?
Should we take a platform-centric approach, giving control of overall end-to-end security to the
platforms themselves? There are already some manufacturers moving in this direction, like:
● BlackBerry. The company that once was a major player in the phone market is
transitioning to an enterprise software company. It recently introduced BlackBerry
Secure, an “Enterprise of Things” management platform, which controls things like
calendars, emails, contacts, apps, and secure file-sharing tools, among other things.
● Amazon. For a company that sells seemingly everything, it was only a matter of time
before Amazon got involved in the computing space. After establishing Amazon Web
Services (AWS) as a dominant cloud computing force, Amazon’s kept expanding its
8. computing offerings. Now, the company has an IoT platform that enables users to
connect to AWS and their gadgets, ensuring secure data transfers and granting the
ability to manage devices—even when they’re offline.
● Azure. Unsurprisingly, Microsoft has built its own IoT suite as well. The Azure IoT
solution professes to enable businesses to capture and analyze data that would
otherwise go unnoticed—thereby enabling them to become markedly more efficient. The
platform also allows companies to get the peace of mind that comes with knowing their
devices can be monitored and updated.
While these developments are certainly reassuring for developers and manufacturers, there’s
no way for the average end user to understand it—or even be aware of it.
What’s more, the platform-centric approach also implies a web of complex partnerships.
Imagine you’re trying to use Amazon’s Alexa to switch your Philips Hue lights on and off. In
such a scenario, how can you be sure of which platform you’re using for the activated voice
service and which one you’re using for the IoT component? What happens when you buy a
gadget from Amazon’s universe and want to use it on an Azure-powered network?
Should IoT security be embedded in the device and independent of the platform? Should
platforms agree on a standard—and device manufacturers forced to build within it? Should the
platform-centric approach be the one we take? Can blockchain technology protect the IoT—and
allow it to flourish?
There are a lot of questions left to ask. And their answers will invariably lead to even more
questions. But because of the promises the IoT delivers, it is imperative that we figure out a way
to provide a fully secure and transparent IoT ecosystem. The possibilities—from personal,
professional, consumer, and business perspectives—are endless.