Cybersecurity and the Vulnerability of the Internet of Things
“In a relatively short time, we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters.”
— Jeff Jarmoc, Senior Security Researcher, Dell Secure Works Counter Threat Unit
“It is an internet of vulnerable things.”
“I have a couple of kids, and I genuinely worry about what privacy will mean for them in the future, unless we put security into these devices. Because every move they make, it’s going to be tracked, it’s going to be locked, it’s going to go somewhere in the cloud and be used by who knows. So we’ve got to start banging the drum now.” — Intel Security CTO Raj Samani
With the arrival of the IoT and billions of new Internet connected machines, appliances, sensors, “things,” and devices, Internet security has become a near impossibility.
Securing our Information and Communications Technology has been an ongoing battle since the beginning of the Internet. For example, in 2013 (well before the IoT), Desert News reported there were 20 million and counting malicious attacks per day on Utah’s government networks. With predictions for the number of IoT connected “things” ranging from 20-50 billion by 2020, and each “thing” and every communication potentially hackable, clearly the IoT presents a serious threat to us all, and it’s not going away anytime soon. According to a recent Wall Street Journal article, in a notice sent out to private companies, the FBI warned,
“The exploitation of the ‘Internet of Things’ (IoT) to conduct small-to-large scale attacks on the private industry will very likely continue.”
Even companies anxious to get on board with the IoT admit they are not prepared for the cyber risks that will result from this degree of connectivity. In How the Internet of Things will affect security & privacy author, Andrew Meola, states,
“AT&T’s Cybersecurity Insights Report surveyed more than 5,000 enterprises around the world and found that 85% of enterprises are in the process of or intend to deploy IoT devices. Yet a mere 10% of those surveyed feel confident that they could secure those devices against hackers.”
The way it works in the digital world is that vulnerability cannot be detected until there is an actual attack. First an IoT machine or “thing” is built; then (potentially) comes a cyber attack; and last, the “patch,” aka, the fix. Due to both the ingenuity of hackers and the ever-evolving nature of digital technology, we will always be in a reactive stance, responding as breaches occur.
Beyond the increase in hacking enabled by the IoT, the nature of the attacks has also changed. Before the IoT, attacks involved stolen data, such as personal identifying information, credit cards, and so forth. In an IoT world, attacks become far more impactful and devastating. Bruce Schneier explains,
“With the advent of the Internet of Things and cyber-physical systems in general, we’ve given the Internet hands and feet: the ability to directly affect the physical world. What used to be attacks against data and information have become attacks against flesh, steel, and concrete.”
“Today’s threats include hackers crashing airplanes by hacking into computer networks, and remotely disabling cars, either when they’re turned off and parked or while they’re speeding down the highway. We’re worried about manipulated counts from electronic voting machines, frozen water pipes through hacked thermostats, and remote murder through hacked medical devices. The possibilities are pretty literally endless. The Internet of Things will allow for attacks we can’t even imagine.”
As things stand now in the IoT-wild west, our 21st century gold rush, no one is ensuring that our software-embedded technologies are secure. Start-up companies lack resources, motivation, or personnel to properly secure software-embedded technologies. And our government is not stepping up to the plate to incentivize companies to do so. The following are some reasons for these gaping holes in IoT security.
1. Speed of deployment
Government and industry are hell-bent on the US being the first country to approve 5G and they have no intention of letting regulations slow down the booming IoT industry. In his June 20, 2016 talk, The Future of Wireless: A Vision for U.S. Leadership in a 5G World, then FCC Chairman Thomas Wheeler boasted,
“If the Commission approves my proposal next month, the United States will be the first country in the world to open up high-band spectrum for 5G networks and applications. And that’s damn important because it means U.S. companies will be first out of the gate. “
In this same talk, Wheeler also rallies the wireless industry to . . .
“Lead the world in spectrum availability, encourage and protect innovation-driving competition, and stay out of the way of technological development.” [Emphasis added]
. . . and then adds . . .
“Turning innovators loose is far preferable to expecting committees and regulators to define the future.”
Whereas other countries, such as New Zealand and India, are now conducting studies to ensure public safety, the US — in its mad rush — has chosen profit over safety. And, our security experts cannot keep up with this race to the top. Joshua Corman, Director of the Cyber Statecraft Initiative for the Atlantic Council, and cofounder of I am the Cavalry, writes in Welcome to the Privacy Hell, Also Known as the Internet of Things,
“With IoT manufacturers far outweighing cyber security researchers, how will privacy and safety safeguards keep up?”
For a more in depth discussion of this please see: “IoT Growing Faster than the Ability to Defend it.”
Another reason for our government’s reticence to secure the IoT, is that a difficult-to-hack IoT would also prevent law enforcement and government agencies from accessing data they feel is needed in order to “keep our country safe.” Recall the recent back and forth between the FBI and Apple in the wake of the San Bernadino shooting.
2. No mechanism to update machines and devices
We regularly receive updates on our computers as new vulnerabilities are discovered and defended against. The Internet of connected machines, appliances, and “things” has no such mechanism for updates and patching. Once an IoT product becomes infected, it cannot be fixed — no real loss for companies as this will keep people coming back for more — however, not so great for consumers or the environment. For more about software control issues, please see The Internet of Things Will Cause the First Ever Large Scale Internet disaster.
3. We cannot predict how technologies will impact one another
Even if a company were to build security into the software of a particular machine, appliance, “thing,” or application, no one can predict how that particular technology will impact other technologies. What might seem fine in one system, when combined with other systems, can prove harmful. Bruce Schneier gives some examples of this:
“Already we’ve seen Gmail accounts compromised through vulnerabilities in Samsung smart refrigerators, hospital IT networks compromised through vulnerabilities in medical devices, and Target Corporation hacked through a vulnerability in its HVAC system. Systems are filled with externalities that affect other systems in unforeseen and potentially harmful ways . . . Vulnerabilities on one system cascade into other systems, and the result is vulnerability that no one saw coming and no one bears responsibility for fixing.”
In addition to complications stemming from the interactions of systems, in a recent Motherboard article, “The Internet of Things Will Turn Large-Scale Hacks into Real World Disasters,” author Bruce Schneier states that companies are just not motivated to secure their products:
“the risks and solutions are too technical for most people and organizations to understand; companies are motivated to hide the insecurity of their own systems from their customers, their users, and the public.”
So who IS securing the IoT?
The bottom line is that neither government nor industry is securing the IoT. Foreseeing as early as 2013 the dangers the IoT would present, Corman and fellow researchers set out to discover who the thinkers and planners behind the IoT were and what measures they were taking to prevent hacking and/or catastrophic cyber attacks. But after going “higher and higher” in the IoT world, they realized, there was no one even attempting to protect the public:
“We got to the adults in the room and realized there were no adults,” Corman explained.
A recent Reuter’s article, quotes Trent Telford, CEO of Covata, an Internet security firm, saying:
“The harsh reality is that cybersecurity is not even on the radar of many manufacturers.”
Mirai — the recent IoT enabled cyber attack
Recently, we experienced the first large-scale cyber attack enabled by IoT connected devices, Mirai. Twitter, Reddit, Spotify, and Github were among the many websites and services that were taken down on October 21st, 2016.
Cyber security blogger Brian Krebs explained:
“Mirai scours the Web for IoT (Internet of Things) devices protected by little more than factory-default usernames and passwords and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users.”
The result of Mirai was that many of the websites that are normally accessed through DYN’s service, were rendered inaccessible to the public. In cybersecurity terms, this is known as a Denial of Service Attack (DDoS) and though not uncommon, is the first such large-scale botnet attack to occur with IoT devices. Experts warn that this is just the beginning of a flood of attacks that will be enabled by easily hacked IoT devices.
In We Need to Save the Internet from the Internet of Things, referring to Mirai, Bruce Schneier writes:
“What this [Mirai] attack demonstrates is that the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can’t get fixed on its own.”
He then goes on to point out that even if government were to step in and propose some parameters to secure the IoT, this would only affect the Internet in the US. “The Internet is global, and attackers can just as easily build a botnet out of IoT devices from Asia as from the United States.”
And even if other governments were to try to regulate the Iot, the other problems would still remain:
- No mechanism for software updates for IoT products
- Vulnerabilities from IoT products impacting each other in unexpected ways
- We are perpetually in a respondent mode when securing our technologies.
Corman sums up the current state of affairs:
“If it’s software, it’s hackable — If it’s connected, it’s exposed.”
By far, the best way to protect from cyber attack is to simply not buy IoT “things” at all, and to hardwire all devices wherever possible.
AVG Technologies’ CEO, Gary Kovacs,- “IoT: The Biggest Security Threat to Everything,” at the inaugural CyberSecurity Forum 2016 at CES on January 6, presented by CyberVista.
Gary discusses why it’s up to the tech industry to make the Internet of Things (IoT) more private and secure, and why it will require a level of inquiry and accountability that we’re not accustomed to.