The Internet of Things (IoT) is a huge new dimension, full of possibility for changing our everyday lives. A lot of IoT devices are already in use, of course.
On the consumer side, we see WiFi enabled juicers, Fitbits, home security systems, and children's toys, like talking teddy bears. In industry, we see insulin pumps, industrial components, and specialized devices that interact with programable logic controllers in SCADAs.
That's merely the tip of the iceberg, and I expect IoT use to explode the way home Internet use exploded in the 1990s and early 2000s. It’s a new frontier.
But all that possibility for fun, convenience, and efficiency comes with a significantly expanded cyber attack surface. Cybersecurity problems can take down organizations, open your family up to attack, and, in the case of some medical and other devices, actually kill, and IoT makes that an even greater threat.
One of Cylance's security researchers wrote an excellent piece on IoT security matters that’s worth a quick read. I want to get back to basics again and share some concerns covering a variety of areas of IoT security. And I could think of no better source for information than people who research IoT every single workday.
I had the honor of speaking with Mike Nelson, a technical Director for McAfee, previously for Intel; Ken Munro, a security writer, speaker, and researcher for Pen Test Partners; and Stuart Peck, head of cybersecurity strategy for ZeroDayLab. All three gentlemen work directly with IoT research, and their views may not necessarily reflect those of their employers.
Our conversations touched consumer devices, industrial and the Industrial Internet of Things (IioT), smart cars, and industry regulation.
The researchers agreed that consumer IoT devices are usually the least secure, as many manufacturers have no experience with cybersecurity and are woefully unaware of the risks that security vulnerabilities present to their customers and their business.
On the other side of the coin, consumers tend to underestimate the risk of seemingly innocuous products like children's toys, toothbrushes, and kitchen appliances. They may incorrectly assume that the worst-case scenario for a cyberattack on a consumer product is that it stops working. Ha, if only that were true! Still, some of what I learned in our discussions surprised me.
Mike Nelson said,
“I look at consumer (IoT) as the absolute wild, wild west right now. A big issue with (quality assurance) for vendors is the security horizontal across their manufacturing teams.”
I asked him if many consumer IoT manufacturers have security professionals like CISOs, or people with CISSPs. His response, “Right now I would say no. Otherwise I would not hear as many stories as I do of security vendors proactively saying 'Hey, this thing is a huge risk.'"
Ken Munro had an interesting perspective on IoT:
“Many people look at IoT as a matter of compromising their own personal security. An example is stealing your WiFi key from your IoT device, which then results in your personal data being stolen. But we've moved on to looking how compromised IoT devices can be aggregated and used to create systemic incidents such as taking down parts of the Internet, or even power grids.”
In other words, it’s not even just a matter of personal privacy right now, which we, unfortunately know that not that many consumers care enough about to stop using a service or a product if their privacy is in question. We’re talking now about the safety of our country and its people, cyberwarfare, etc.
I asked Ken how many IoT services and products can be security hardened just by changing default configurations.
“That's a big step for the consumer,” said Ken, “but it does make a difference. The problem is that many IoT devices aren't updated by the vendor, or are hard to update. The consumer doesn't understand the implications of not changing credentials from default, so doesn't bother. But then we find IoT devices where it's not even possible to change the default creds.”
Stuart Peck focused mostly on the consumer IoT market:
“I think there is a perception in the consumer market that IoT devices are very insecure. Firmware on the whole is seen as being vulnerable to, say, stack overflow attacks. Personally, I think there is a rush to produce innovative technology, and security is always seen as an afterthought.”
“If your 'smart toothbrush' was compromised,” he continued, “it could be used to pivot to another device. But I don't really see that as major threat vector. Let's take the smart TV in a corporate boardroom. If that was compromised, it could be used listen in on very sensitive conversation. Or used as a pivotal point to gain access to another network zone.”
I asked Stuart if there have been a lot of network attacks on smart TVs already. His response:
“If you look at the CIA Vault 7 WikiLeaks documents, there is proof that Samsung TVs are a valid attack vector. The 'Weeping Angel' attack springs to mind.”
Most of my awareness of IoT adoption has been in the consumer space. I was aware that industrial IoT exists, but I was surprised about how widespread it is already in 2017. My discussions with the researchers really enlightened, and terrified, me.
I asked Mike Nelson if there have ever been IoT devices connected in some way to SCADAs.
“IioT sure,” said Mike. “IoT, probably not much. Because the culture of critical infrastructure was always to be secure. But let’s say an old version of Windows XP is operating a device. That is a problem. A few years ago I could have taken you to some large Direct Access Methods (DAMs) that are so reliant on Windows XP, they just put some whitelisting on it because they cannot take the device out. If (any sort of) device is just supposed to do one thing and one thing only, I would not slap an IP address on it.”
I asked Ken if he thought the medical industry is adopting IoT devices too quickly. He responded,
“There's a big question. I think the medical industry needs to ask more questions of its suppliers. The industry needs to understand what questions to ask first, then supplier behaviour can be influenced, which will result in more secure equipment.”
Stuart Peck weighed in: “Older devices are a risk. Especially IioT, as these (devices) haven't been updated and can cause a huge risk to not only business, but also critical infrastructure.”
There are already motor vehicles with IoT devices on the road and they include cars with human drivers. But we may well get to a point when most cars are driven completely by computers, and they'll need to be connected to the Internet to do that job.
“We test cars,” said Ken. “The most high-profile we looked at were the latest electric BMWs and the Mitsubishi Outlander hybrid. New (attack) methods are emerging as researchers find new ways to bypass the security systems on vehicles, as they are made more and more connected and smart.”
I asked him how soon he thinks the first cyberattack car accident will happen and he told me that “proof of concept hacks have already happened.” Yikes.
Ken thinks that most car manufacturers have improved the security of their onboard computers due to these proof of concept attacks, but followed that with, “they have a long way to go.”
“The reason cars get hacked is back to the OEM and firmware,” added Stuart. “There are lots of components that have an insecure configuration. Also, WiFi in a car will get you hacked. I’m surprised there’s not been a car accident caused by a cyberattack yet.”
Everyone I spoke to agrees that there should be better regulation of IoT and cybersecurity, in general, but there are varying opinions about to what extent the industry can self-regulate and to what extent government needs to step in.
“I believe in Better Together,” said Mike. I asked him whether there are enough regulations for compliance to be effective and he said, “Not even close. But here is the problem with that. If you went to school to be a structural engineer, you learn how to build a bridge. You probably are building the same bridge for most of your life. In our line of work, you need to invent a new bridge every quarter. So no imagine the lag (and difficulty) it will take to inspect those bridges accurately and up to date.”
“Regulation is being worked on by many governments across the world,” said Ken. “In the US, the FDA has already published drafts for medical devices. The EU is working on it. UK government is working on it.”
He doesn’t believe the industry can self-regulate effectively, “primarily because the barriers for entry are low.”
Undoubtedly, as much as IoT may improve our lives, it'll only grow as a cybersecurity problem.
“Whatever the solution is,” said Mike, “we need to treat IoT security like we would when we drive or fly. I do not pick out my own airbags, nor do I bring a parachute. If we rely on the consumer to lock it down, we are going to be in trouble.”
“IoT is set to hit 50 billion devices by 2020,” Stuart said, “(Currently) the Internet of Things is around 22 to 24 billion. One report I read recently suggests this year it's expected to be 28 billion.”
When I think about worst case scenarios for IoT attacks, I think about patients being killed by attacked IV devices, or attacked smart cars causing road carnage. Am I on the right track?
“Loss of life is always the worst scenario,” said Stuart. “I think we're a very long way off trusting smart cars in self drive mode. I always say this in my talks... There are four guarantees in life. Birth, taxes, death, and whatever we build will get hacked!”