The industry must take steps to ensure a connected world doesn’t become a hacker’s paradise.
The IoT (Internet of Things) industry is exciting. There’s a race to market that fuels innovation and puts pressure on developers to create superb user experiences and prioritize device functionality. The competition is driving prices down, allowing more users to get their hands on more devices. But in the midst of this fast-paced world of IoT, some would say there’s something missing—a focus on security. In fact, security experts working in the IoT are calling for manufacturers to slow down and consider the consequences of handling device security as an afterthought. IoT device security should trump all, but often, it doesn’t.
As Scott Schober, president and CEO of Berkeley Varitronics Systems, www.bvsystems.com, a designer and manufacturer of RF (radio-frequency) analysis and wireless threat detection tools, puts it, the IoT is not only exciting for businesses and consumers, it’s also exciting for hackers, just for a different reason. “I’m looking forward to inexpensive, networked sensors all over my home and work,” Schober says. “But hackers are chomping at the bit to exploit all of those sensors and their data.”
A lack of universal security standards, combined with the push to deliver more and more IoT devices to market as soon as possible, has created a situation in which more thought and resources are going toward getting these products on the shelf than securing them. “This focus on squeezing every penny of profit out of (IoT) devices will distract from spending money on the real necessities, such as strong encryption, bulletproof security, and vulnerability testing,” Schober says. What kind of a hole is the industry digging for itself?
The problem isn’t just in the near-term, either. Devices being made and sold today may have a decades-long lifecycle. Consider, for instance, a smart appliance, which a consumer may use for the next dozen years. Longer product lifecycles require manufacturers to think about long-term threats. Schober points out that these devices must remain serviceable and updatable to the end of their lives.
Deidre Diamond, founder and CEO of Cyber Security Network, www.CyberSN.com, a talent acquisition network designed for the cybersecurity industry, agrees, saying one of today’s key challenges in the IoT is that some connected devices are made to last for long periods of time, often operating in places never considered by those who made them. “Consider embedded devices in satellites today,” Diamond says. “Did the designers account for what happens when devices go out of range from their Internet connections? Situations like this are where vulnerabilities become unknown and, consequently, dangerous.”
While IoT device innovation remains strong, and the way companies are rolling cybersecurity into IoT devices is often innovative, Diamond says security too often remains the weakest link in the chain. “We are in our infancy when it comes to being able to bridge the gap between rapid development, privacy, and security,” she says.
Diamond strongly believes vendors and the IoT industry at large should rank privacy and security over profit, especially for those devices that affect everyday life, such as healthcare devices and vehicles. “We must prioritize our devices of concern and make change as to how they are developed, updated, and replaced with time,” Diamond says, adding: “Security tests need to focus on heart monitors before Barbies.”
Navigating Troubling Times
Seth Danberry, president of Grid32, www.grid32.com, a provider of cybersecurity services, describes the current IoT security landscape in the United States as “troubling.” He says: “Manufacturers are trying to beat each other to market, and ease of use and functionality are trumping security as they appeal to consumers. It’s a more viable strategy to get the product out and fix the security flaws later, than (to) slow down the launch and get security right upfront.”
Danberry says common security issues include insecure interfaces to applications, such as using default usernames and passwords; insufficient authentication methods, such as using weak passwords; a lack of encryption; and issues with privacy of user data. He adds that many of these issues are not complicated to fix, which further demonstrates that many developers are rushing to the finish line instead of following industry best practices for IoT device security.
Another key problem is the inability to rapidly fix a flaw through patching or rolling out updates. This means even if an issue is identified and corrected, there may not be a way to update devices and correct the problem in a timely manner, or at all. “Security cannot be an afterthought, especially since these devices are sent out into the wild and it can be difficult to roll out updates,” Danberry insists. “It needs to get baked into the device from inception, and security needs to be evaluated and tested at every step of the way.”
Dom Glavach, CISO and senior principal cybersecurity engineer at CTC (Concurrent Technologies Corp.), www.ctc.com, an independent, nonprofit applied scientific research and development professional services organization, considers today’s IoT devices to be the weakest link in the cyber resiliency chain. He says: “Standards addressing messaging, protocols, APIs (application programming interfaces), storage, and data integrity for IoT devices are immature or absent.”
This lack of standards creates additional complexities or proprietary solutions, which can introduce vulnerabilities. As to which vulnerabilities are most concerning, Glavach says attackers usually prefer to focus on the low-hanging fruit. “Most (adversaries) attack areas that yield the best success with the least amount of effort,” he explains. “Default out-of-box installations—e.g., username: ‘admin,’ password: ‘admin’—and poor authentication—e.g., username: ‘admin,’ password: ‘password’—are common breach points that attackers are exploiting in IoT devices or IoT environments.”
Glavach says another weakness that should not be overlooked is a lack of SIEM (security information event management) integration, which increases attackers’ success rates. “Attacks are difficult to detect when there is no record of activity,” he explains. “The lack of detailed, long-term logging eliminates the detection of reconnaissance phase attacks and increases the difficulty when determining which IoT layer is being targeted.”
“(W)e must be cautious about the security of these devices and have good reasons to enable them in the first place. An IP addressable toaster just makes no sense.” –Morey Haber, BeyondTrust
Unfortunately, whether a device is being used in the consumer or enterprise realm doesn’t change the reality that most IoT devices have major weaknesses that can be exploited by adversaries. Morey Haber, vice president of technology at BeyondTrust, www.beyondtrust.com, a global cybersecurity company, says: “Vendors are moving rapidly to make everything IP addressable and forgoing security best practices for upgrades and testing in order to be the first to market. This is true for home users, pro-consumer, small businesses, and even enterprises.”
Bolstering awareness of best practices and developing a security-aware culture among consumers and businesses could positively impact overall cyber resilience, though. Best practices for enterprise IoT device security include segmentation; documenting processes that ensure IoT devices can be patched in a timely manner if needed; and setting up role-based access to IoT devices. Haber says businesses should also ask manufacturers if they have a service level agreement for patching critical vulnerabilities once they are identified, which helps ensure IoT devices selected for an organization stand up to regulatory scrutiny and compliance initiatives.
Meanwhile, many in the security space agree that government agencies need to be more proactive about issuing warnings and possible resolutions to known security flaws. Cyber Security Network’s Diamond says the government’s role is minor, yet significant. “Government should foster and encourage cybersecurity research and the development of IoT devices, and not punish those who discover vulnerabilities,” she says.
Whenever a device becomes accessible through a network, it is just a matter of time before someone somewhere finds a vulnerability and exploits it. “(Security) is not a marketing problem that can be handled with a press release,” says BeyondTrust’s Haber. “It is a technology problem and vendors must design and test the security of an IoT device all the way through the process, from inception to end of life.”
Therefore, according to Haber, just because we can put an IP address on a device doesn’t always mean we should. “Technology has evolved to allow us to (make everyday devices IP addressable), but we must be cautious about the security of these devices and have good reasons to enable them in the first place,” he says. “An IP addressable toaster just makes no sense.”
Common IoT Device Weaknesses
While specific security issues tend to change as adversaries discover new approaches or as software updates expose new flaws, there are some common weaknesses among IoT connected devices. Here are a few of the biggies according to William Webb, an IEEE Fellow, www.ieee.org, and CEO of the Weightless SIG (special interest group), www.weightless.org:
(1) Devices do not always authenticate the network. This means it is possible to set up a rogue network and attract a device onto it. Once there, if the device is static it may never attempt to leave. At best, this means it will cease to be useful to the wanted network. At worse, it is possible that the attacker may be able to read the information it is providing and gain value from it.
(2) Many devices do not have the capability for software updates. This means that if a security flaw is discovered, there is no way to fix it short of recalling the devices. For those that do have the capability, the update is often not given a secure watermark and verified prior to being installed.
(3) Devices may not be designed to prevent disassembly and discovery of secret-key information. Any secret information needs to be securely stored—as it is on a SIM (subscriber identity management) card for a cellphone.
(4) Some devices may not encrypt information or may use weak encryption coupled with frequent transmission of the same message (e.g., a meter reading), which makes breaking the encryption relatively easy.
By Bethanie Hestermann