IoT Security: Opportunity or a Disaster in the midst
A term that is thrown around in every conversation and in every product advert that calls something "smart" is IoT. What is IoT? In short, it stands for the Internet of Things. You might then wonder what "things" means. In the context of IoT, they are devices or, in simpler terms, physical objects that have a unique IP address and the ability to transfer data over a network.
Ever since the proliferation of technology, it was only a matter of time before every device we know was connected to the internet. From the absurd to the very quirky, every device in your household will have a unique function, enabled by its integration with the internet, that you didn't know you needed. For instance, there are dustbins that tell you it's time to take out your trash, and cups and toothbrushes that notify you it's time to brush and replenish yourself. These are the many weird and wonderful ways in which IoT has taken over our lives. IoT, once perceived as innovative and cutting-edge technology, has now certainly become a domestic must-have. As seen from the definition above, the sole objective of these devices is to transfer data. What is this data? How is it gathered and how is it used? These are the types of questions currently being tackled when developing IoT devices.
The whole selling point of IoT is the assumption that it makes our lives easier and more convenient. As a result, information about our lives becomes available to the devices. For example, a smart fridge will hold your payment details, making it easier for it to buy the things you run out of. Furthermore, it can study your purchase patterns, usage and preferences and provide you with a tailor-made shopping list. It can go even further and recommend substitutes based on your purchase history. All of this is data gathered by the device, in this case the fridge, about its owner, with the aim of providing a great consumer experience. Another example is smart lighting and climate control. The current lighting market is saturated with smart lights capable of various activities, such as setting the mood, changing the lights according to the music and various other skills. Once paired with other smart devices such as climate control, you have an energy-saving system: lights are automatically switched off when you are not at home and the climate is set to an energy-efficient setting, and vice versa. The bottom line is that each and every device gathers any information available to it, either directly from its user or by obtaining it from its shared IoT ecosystem.
We have now seen how data is collected; the next question is how it is used and whether it is secure. As the examples above show, smart devices hold a lot of our information, be it our address, our last purchased item or even the times we were or were not at home. This will almost certainly include other personally identifiable data. So is this what "being connected" means? Having your data readily available, or is there a way of being secure whilst being connected? This leads to the topic in question: is this another opportunity, or a disaster waiting to happen? From an opportunity perspective, it gives many independent start-ups and major security organisations the avenue to standardise and verify the security of IoT devices, similar to other standards such as Common Criteria and the PCI levels. The problem with IoT, however, is that there is no set standard that manufacturers can follow. For example, a fridge is built according to manufacturing guidelines with safety in mind. The moment it becomes a smart device, the same approach no longer seems that important, and this lack of any regulatory requirement for security is where the disaster lies. If security is such an issue with IoT, why have no principles or methodologies been put in place to combat it?
There are different principles that can be followed when designing a security system. The whole concept is based on the fact that no one can build a system without any drawbacks. However, one way of minimising the number of issues is to follow the eight design principles introduced by Saltzer and Schroeder.
Then why do we have security issues with IoT? It comes down to the experience and resources a particular organisation has. For example, the two largest technology organisations invest a lot of money and resources to stay ahead of the various IoT threats. That publicity also attracts threats; nevertheless, they have consistently maintained their high standards, and this has become one of their selling points when providing IoT devices and services. Unfortunately, the same cannot be said for many start-ups and other small businesses. The potential access to billions of pounds' worth of consumer data gathered by rushed-to-market IoT devices is far too tempting for smaller enterprises to resist, and so security takes a back seat. As a result, more and more businesses invest in IoT technologies, which introduces more endpoints, which in turn means more attack vectors. This makes it easier for attackers to infiltrate a connected ecosystem.
How do we combat such a scenario? How can a consumer or a retailer know whether a particular IoT device has an acceptable level of security? This is where UL's IoT Security Rating comes into play. UL draws on its extensive experience in various fields of security to consolidate the best methodology for assessing the security of IoT devices, as follows:
“UL’s IoT Security Rating assesses critical security aspects of connected products against common attack methodologies and known IoT vulnerabilities, with the objective to make product security transparent and accessible to consumers. Based on UL’s IoT Security Top 20 Design Principles, UL provides a security rating—Bronze, Silver, Gold, Platinum, or Diamond —with a UL Verified Mark for product labelling.”
This form of assessment is also vital for manufacturers, since it tells them what is required to meet each rating level and, most importantly, provides an independent assessment of the security implementation. Understandably, achieving a higher rating requires more resources. The target level should therefore be decided carefully, based on the deployment and other factors, such as how secure the device needs to be.
This conveniently leads to the whole debate of cost versus security. There is no straightforward answer as to which should prevail, since some aspects of a business cannot be quantified in monetary terms. One such example is the damage to the brand and to the reputation the organisation holds within its industry; especially in the age of social media and technology regulation, the consequences can be severe. At the same time, there is no point in having extensive and expensive security controls if the business cannot afford to maintain them, which brings us to the risk appetite of a business. One way of mitigating the whole problem is to have third-party vendors hold your sensitive data, avoiding the cost and responsibility involved in being assessed and compliant. One such type of service is cloud services.
A cloud holding large amounts of data gathered from various IoT devices is a very logical point of interest to a would-be attacker. There are currently plenty of cloud services available with bespoke functionality, and if these services are not fortified, a security attack would have a catastrophic impact on the economy and on all the businesses involved. Put simply, if a cloud service were taken down by a sophisticated attack, the monetary impact would be similar to that experienced during the Hurricane Sandy and Katrina crises.
A potential threat to such services is malware, specifically polymorphic malware. It is nothing new and has been around for quite some time, but with the boom in IoT and AI, simple malware can be leveraged to a whole new level, to the point where an AI finds vulnerabilities in IoT and connected networks and deploys the appropriate attack by harvesting complex data patterns. This would be the next logical step in cyber-attacks. In reality, however, the current security landscape is not that sophisticated. The majority of cyber-attacks on organisations have been due to fundamental vulnerabilities that arose from a failure to implement basic security principles.
For example, the attack on Uber, in which attackers obtained roughly 57 million users' personal data, was carried out by accessing Uber's GitHub account, a site many engineers use to store code and track projects. There the attackers found the username and password needed to access Uber user data stored on an Amazon server. This was by no means a sophisticated attack, but an oversight that resulted in a major breach.
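The Uber breach above hinged on a credential sitting in a source repository. The control that prevents that class of mistake is a scan for secrets before code is committed or pushed. The following is an added example, not code from the original post or from any vendor: a small Go scanner that flags the public AWS access key ID format (the `AKIA` prefix followed by 16 characters) and generic hard-coded credential assignments. The sample configuration it scans is constructed for the example, and its key value is the placeholder format used in AWS documentation rather than a real credential.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records one suspected secret: the line it is on and the rule that fired.
type Finding struct {
	Line int
	Rule string
}

// secretRules are simple patterns for credentials that should never reach a
// shared repository. The AWS access key ID pattern follows the documented
// public format; the assignment rule is a generic heuristic (an assumption of
// this example, tune it to your own code base).
var secretRules = []struct {
	name string
	re   *regexp.Regexp
}{
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"hardcoded-credential", regexp.MustCompile(`(?i)(password|passwd|secret|api[_-]?key)\b\s*[:=]\s*["'][^"']{8,}["']`)},
}

// ScanForSecrets returns one finding per rule for every line of content that matches.
func ScanForSecrets(content string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(content, "\n") {
		for _, rule := range secretRules {
			if rule.re.MatchString(line) {
				findings = append(findings, Finding{Line: i + 1, Rule: rule.name})
			}
		}
	}
	return findings
}

// sampleConfig is a constructed example file. The key is the public
// placeholder value from AWS documentation, not a real credential.
const sampleConfig = `# storage settings
bucket = "customer-exports"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
db_password = 'correct-horse-battery'
timeout = 30
`

func main() {
	findings := ScanForSecrets(sampleConfig)
	if len(findings) == 0 {
		fmt.Println("no secrets found")
		return
	}
	for _, f := range findings {
		fmt.Printf("line %d: %s\n", f.Line, f.Rule)
	}
	// In a pre-commit or CI hook, exit non-zero here so the commit is blocked
	// and the credential is moved to a secrets manager before it ships.
}
```

Run as a pre-commit hook or a CI step, a scanner like this turns the credential-in-repo mistake into a blocked commit rather than a breach; the rules are deliberately simple and should be extended with the token formats your own platforms use.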
Similarly, O2 suffered a major network outage due to an expired software certificate. As a result, more than 25 million users had no connectivity. Certificates are an integral part of any communication infrastructure. Their sole purpose is to provide trust between entities so that information can be shared, so an expired certificate means that you no longer trust the other device. A small oversight, the failure to check validity, resulted in a major outage.
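The O2 outage is the failure mode of not watching certificate lifetimes. The following is an added example, not code from the original post or from any vendor, showing how that check looks in Go's standard library: a certificate is verified at a given time, an expiry is recognised explicitly rather than as a generic failure, and the remaining lifetime is reported so that renewal can be alerted on before the cut-off. The self-signed certificate it builds is constructed for the example; in practice the certificate would come from a TLS connection or a file.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Status summarises the validity check for one certificate.
type Status struct {
	Valid         bool
	Expired       bool
	DaysRemaining int // negative once NotAfter has passed
}

// CheckCertificate verifies leaf against roots at time now and reports how many
// whole days remain before NotAfter. An expiry is distinguished from other
// verification failures so that monitoring can alert on it specifically.
func CheckCertificate(leaf *x509.Certificate, roots *x509.CertPool, now time.Time) Status {
	st := Status{DaysRemaining: int(leaf.NotAfter.Sub(now).Hours() / 24)}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	if err == nil {
		st.Valid = true
		return st
	}
	var invalid x509.CertificateInvalidError
	if errors.As(err, &invalid) && invalid.Reason == x509.Expired {
		st.Expired = true
	}
	return st
}

// NeedsRenewal is the alerting rule: renew when already expired or when fewer
// than warnDays remain. The threshold is an assumption of this example.
func NeedsRenewal(st Status, warnDays int) bool {
	return st.Expired || st.DaysRemaining < warnDays
}

// selfSignedCert builds a constructed self-signed certificate valid over
// [notBefore, notAfter], used here only to exercise the check offline.
func selfSignedCert(cn string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now()
	// A certificate that lapsed ten days ago, as in an unmonitored deployment.
	cert, err := selfSignedCert("expired.example", now.Add(-400*24*time.Hour), now.Add(-10*24*time.Hour))
	if err != nil {
		panic(err)
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	st := CheckCertificate(cert, pool, now)
	fmt.Printf("valid=%v expired=%v daysRemaining=%d renew=%v\n",
		st.Valid, st.Expired, st.DaysRemaining, NeedsRenewal(st, 30))
}
```

The point of returning `DaysRemaining` alongside the pass/fail result is that an outage like O2's is only preventable if the check runs well before `NotAfter`; a verification that merely fails on the day is too late.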
As more and more attacks are published because of GDPR regulations, consumers become more and more security conscious. A key selling point, or differentiator, will be how well secured a device is. Consultants and vendors must therefore adopt self-regulation; if not, governments may in future enforce it, or specific IoT certifications may have to be obtained prior to release. Similarly, security organisations could help businesses by educating them about the importance of security, especially in legacy systems. A huge number of businesses do not even have the fundamentals of security in place. When the current security culture is in this state, how can we expect to combat the more complex issues that arise from the use of IoT?
Finally, how can this be turned into an opportunity? What can security organisations do to combat the vulnerabilities? First and foremost, it is important to have a good legacy in security and technology. As the boom in IoT has shown, a lot of security consulting companies have emerged, and not all provide the same level of expertise, since they simply lack the legacy knowledge of security that has shaped the current IoT landscape. As the old saying goes:
“you need to know where you are from, before you know where you are going”
One such organisation is UL, which has more than 125 years of experience in protecting and making the world a safer place, ranging from product safety to cyber-security. It is clearly evident that both large and small businesses should focus on cyber security and that it should be a topic discussed regularly, with the same level of importance as other conventional business topics.
The bottom line is that attacks are more likely than ever before and the stakes are higher. Every organisation should use this opportunity to invest in both people and technology: offer employees the resources needed to maintain policies and procedures, whilst providing the training and awareness needed to instil this new security culture within the organisation. As this post has shown, information is everywhere, continuously being obtained, used and shared, and it is our duty to be security conscious, because you never know when you might become the next target.