15 Sep The Internet Of (Insecure) Things
When an innocuous item like a baby monitor can be hacked, some joked that who would want to listen in on someone’s screaming child? When car’s system is compromised remotely, allowing a hacker to shut down the car in motion, others say General Motors already had that problem through a faulty ignition switch and not a hacker. But soon there will be a security event that will come along and shake the very foundation of this “always connected, always on” world. Companies like RSA, Symantec, and Webroot are providing security for the Internet of Things (IoT) market to help companies secure their IoT, but security spans beyond the endpoints. The gateways from companies like Cisco Systems, Dell, or Intel need to be secured as well, because they are the entry point into the network. And let’s not forget about these huge repositories of data that can be attractive targets for hackers, just full of interesting information that can be exploited, and yet another place that companies need to have protection.
The baby monitor hack was a glaring example of “just because something can be connected does not mean that it is a smart idea to connect it”. As those of us raised before baby monitors (and especially internet-connected monitors) can attest, we all came out alright. The connectivity presents itself as a convenience, but in reality it is a potential security nightmare in the making. This is because IoT endpoints live in a world of trust. Once you have authenticated that a device should be on your network, there is no ongoing verification. Devices aren’t asked to enter a password every time they want to upload data. If hackers can get through your baby monitor, a crying child might not be the target, it might be your banking data. If a hacker can spoof the device, what resources do they have access to on a network?
Consumer wearables and environmental sensors create an equally appealing set of targets. For instance, I have a Fitbit tracker on my wrist, a Google Nest thermostat in my house, and a Kwikset Kevo lock to secure the house. Between those three, someone could get a very clear indication of my life patterns, where I am throughout the day, and more importantly when I will be out for long stretches of time. Realistically, someone probably wouldn’t go through all of trouble to break into those three different data streams, but that doesn’t mean that it couldn’t happen. Based on the number of very targeted high-end bike thefts happening in Austin, TX these days, there is a level of sophistication that causes one to ponder that reality.
(Photo credit: John Fruehe)
Beyond the IoT devices and sensors, the next step in the IoT process is the gateway. This is where the security threat shifts from the consumer to the company. Whether their gateway is tied to carrier networks or the cloud, this is where all of this sensor data is being transmitted. Because these solutions are designed to be automated, there is an implied “machine-to-machine” connection that authenticates the endpoints with the gateway, so that this handshake only has to happen once. Which means that if this is ever exploited, the gateway could become the launching pad for attacks into a company’s network. This is why today’s gateway designs include far more CPU horsepower; more security needs to happen on these gateways in order to ensure the overall security of the system.
But even if your sensors are secure and you’ve locked down your gateways, what about that huge pool of collected IoT data? There is gold in there. In the age of industrial espionage (state sponsored or privately sponsored) this is the new treasure to plunder. Imagine a fledgling appliance business has the ability to sift through a competitor’s data to see who is buying what, where, what the duty cycles are, how often error codes are coming up and under what circumstances. It is a marketing and design engineer’s dream come true. And as this data store grows, access to the data becomes more valuable by the day. Most companies have data retention policies, but those were written long before companies were envisioning long streams of sensor data endlessly bombarding the data center. Is this most critical of data being protected from the wrong hands? It needs to be treated like “customer source code”, but in reality it will probably end up as cold data at the lowest tier where it may not be treated with the right level of security.
In the past, I made the point that IoT is all about the data, not the things. The next natural progression of that discussion should be “if IoT is all about data, then you need to secure that data”. Always secure what is important to you. In the case of IoT, that protection needs to start at sensor and work all the way back to the stored data, essentially covering both data in transit and data at rest. Functionally, this means that there is no single tool to manage security from end-to-end, meaning that companies can’t just rely on someone like Symantec to cover the whole path nor can they assume that a single product will do. Because of this, security should be a primary consideration before starting on any project, and interoperability between products should be paramount in order to ensure that no gaps exist, exposing data or systems.