IOT INFRASTRUCTURE

  • 11/02/2015
    8:00 AM
  • Rating: 
    0 votes
    +
    Vote up!
    -
    Vote down!

IoT Security & Privacy: Reducing Vulnerabilities

Ensuring data security and privacy in IoT networks means taking a different approach and building protection in from the start.

In a recent 2015 cybersecurity report, AT&T charted a 458% increase in Internet of Things (IoT) vulnerability scans of devices. This is  just the latest indication that hyper-growth of IoT devices, sensors and systems across business, consumer and government sectors puts users' information privacy and security at risk.

The Internet of Things (IoT) universe of devices, sensors, networks and technologies is so vast that meaningfully addressing any aspect of it -- such as security and privacy -- can be daunting. Even narrowing the scope down to specific IoT use cases, such as vehicles/robots, smart homes, critical infrastructure, connected medical devices, wearables, or HVAC systems, requires factoring in numerous and complex security considerations.

That said, market growth projections make it clear that the stakes are too high and business opportunity too great for vendors to shy away from efforts to improve IoT security and privacy. In this post, I'll examine the current state of IoT security and privacy, and what needs to be done to preserve the privacy and security of information that travels across connected networks.

Insecure legacy

Growing adoption of IoT requires overcoming a legacy of insecurity. This is not unique to the Internet of Things: Too often, software and products today are built to work as intended, and then after the product is out on the market cybersecurity is factored into the equation. More specifically, this process occurs in the following stages:

  1. A new technology gets developed without security in mind
  2. That technology gets traction and flourishes
  3. It gets plugged into the Internet or made more widely available
  4. Good guys in the security profession notice that it’s insecure and start trying to help companies fix the problems.
  5. Responsible companies address these issues and release fixed products, but this can take a long time, depending on the development lifecycle.
  6. Less responsible companies keep driving ahead with innovation and new product releases, but ignore or under-invest in security. Often this is because there’s a perception that the bad guys don’t stand to benefit from hacking their product.
  7. The bad guys figure out a way they can benefit from hacking the product.
  8. Everyone now has to invest significant resources in fixing it. It’s a big distributed problem because in step 2, the technology has flourished.

For some context, email is in stage 8. It originally had no security, but senders and recipients trusted one another. Then spam happened and everyone recognized the need to address security and privacy issues. IoT is currently somewhere between stages three and four. It isn’t yet ubiquitous, but many people believe it’s poised to get huge, and if it becomes a stage eight technology without security and privacy addressed on the front end, it's a recipe for disaster.

IoT security & passwords

A number of IoT devices available today have defaulted to the lowest hanging fruit for security and authentication: passwords. Passwords are bad for the web; for IoT, they’re a disaster for a number of reasons. First, IoT devices are almost always very limited in their user interface -- they don’t have keyboards to type a password into, nor do they have screens on which to display random “pairing codes."  When you try to bolt a “password-like” system onto something with a difficult interface, you usually end up with something weak.

For example, I have an Internet-connected music player at home where I have to key in my router password with the tuning knob. Similar things happen with TV systems. Your router password needs to be strong, but these systems make it super hard to key it in. A password that’s hard to type means that it will be very short and hackable, while a PIN code, usually only four characters, is even worse as any computer can brute-force 10,000 combinations in a matter of seconds.

As a result, most devices mix up the concept of its user’s identity (and which user in the household is the user) and its own identity (the device proving itself to a remote network). We can barely fix the federated identity problem on the Internet, let alone the new problem of low-power, low-UI devices.

Passwords endure as a frustratingly popular yet weak security link, one that is terribly inadequate for IoT and should challenge vendors to embrace more secure authentication methods throughout the development process.

Developing a different approach

Vendors must adapt a different approach for IoT than was done with the Internet, which was “you are the product, not the customer.” Sticking with this old approach would treat IoT user privacy as second fiddle. Getting privacy right is even more important with IoT than it is with computers because IoT extends beyond a smartphone or laptop screen to end user applications such as Internet-connected baby monitor video cameras, door locks that can be opened remotely with an app, wearables that track our movement and smartphones that track our location.

The physical nature of IoT has an enormous potential impact on privacy because it involves going beyond “what you do on your computer” to “what you do anytime, anywhere.” As referenced at the outset, wrapping our arms around security and privacy across the entire IoT system is a daunting task. Nonetheless, a vendor and industry approach should consider the following layers:

  • Privacy policy: Vendors should take privacy seriously. They must respect their customers enough to understand that privacy is a legitimate human need. NIST is working on some privacy standards that might help. Sometimes systems are secure (they work the way they’re intended), but violate someone’s privacy because they are designed to do so. For instance, they track people when they don’t want to be tracked.
  • Security policy: Vendors must intentionally build secure systems. A system that’s not intentionally secure is definitely insecure. Someone needs to think hard about the security of your system, and that person needs to be pretty experienced in order to do a good job.
  • Application-level security: Many IoT security flaws are the same types of bugs we’ve seen on the Internet for years, such as default “backdoor” admin passwords, weak passwords, not using encryption over the network, and open ports.
  • Protocol-level security: Wireless protocols such as ZigBee have some weaknesses, so even if you secure the application layer, the communication link itself can be intercepted or modified.

Emerging IoT solutions for security and privacy are promising. These include making users' mobile phones their security and privacy “key” that can confirm device pairing, leveraging cryptography instead of a keyboard and passwords, and privacy-preserving personal data storage systems so users control their  private data shared across IoT systems. IoT can be made secure and user privacy can be preserved if vendors, government and enterprises build security into the IoT from the beginning.


Comments

IoT security

Thanks for this post Isaac. I agree that the industry needs to break some bad habits and build security in from the start into IoT networks and systems. What do you think it will take for vendors to take privacy and security seriously? Standards? Government regulations? 

Re: IoT security

Great question! Just like normal users, vendors will use the "defaults" most of the time. So secure standards are a great starting point. They can be the "secure default" for developers and vendors. Unfortunately, there is no recipe for security; each product is different. Security is particularly hard for innovative products since the "norms" are just not as well defined.

Regulation might go part of the way; the federal government has risk-based security standards that they are required to follow. As the government gets more experience with implementing these, maybe we'll see them voluntarily applied to commercial markets.

Of course, white-hat hackers will continue to break into systems and demonstrate problems. A lot of good comes from that, but there are serious risks of using the penetrate-and-patch approach in critical systems. People could be seriously hurt if vulnerabilities are disclosed irresponsibly.

Re: IoT security

"Regulation might go part of the way; the federal government has risk-based security standards that they are required to follow. As the government gets more experience with implementing these, maybe we'll see them voluntarily applied to commercial markets."

Isaac, whether any norms from IEEE standards with respect to security and IoT? I think there may be something in pipeline from IEEE for IoT; recently they introduced similar guidelines for cloud security.

Re: IoT security

Hi Mynet, are you referring to this IEEE project

 

Re: IoT security

" Are you referring to this IEEE project? "

Marcia, Yes. I think it may take time to formalized into a proper way.

Re: IoT security

MyNet,

The Biggest issue when it comes to Regulation(as far as I am concerned) is the big issue of who exactly is forming/writing the Regulation.

If (as is routine in America today);The Regulators are in bed with the Companies they are supposed to govern;Regulations definitely get watered down and amount to nothing more than excessive paper-work which can act as a Professional Barrier to protect the Incumbents(who helped draft the regulation in the first place) from Hungry,upcoming startups.

As long as Private Sector Employees can move straight-away immediately into the Government/Regulatory Agencies and back without any major Cooling-off period in place nothing really changes.

We need a real cooling off period(of atleast 2 years in place) before anyone rejoins the Private Sector from the Government.Otherwise,they need to institute some form of Financial Penalties in place to those who flout these norms.

 

Re: IoT security

"The Biggest issue when it comes to Regulation(as far as I am concerned) is the big issue of who exactly is forming/writing the Regulation."

Asish, I think in general, it's by a group of experts from both industry and government sector. Whether they are vesting their personal or company interest, that's different question. But before formalizing and standards or guidelines; they used to open for a public debate, where common peoples or experts can raise their voice for correction.

Re: IoT security

MyNet,

The Guidelines usually are'nt worth the paper they are printed.

I know this sounds harsh but its usually closer to reality than whatever wishy-washy stuff they print and market to end-users.

Sad but true reality today.

 

Re: IoT security

"The Guidelines usually are'nt worth the paper they are printed. I know this sounds harsh but its usually closer to reality than whatever wishy-washy stuff they print and market to end-users. Sad but true reality today."

Asish, am not getting what you tried to convey. You mean about IEEE standards and guidelines. The appellate bodies can specify only standards and guidelines, OEM,s or service providers has to follow it. But unfortunately No one is there either to inspect or monitor in implementation phase.

Re: IoT security

Apart from regulations (which may or may not help), two things come to mind.  First, the vendor needs to feel some pain over lack of security.  That is to say backlash from customers or some other form of financial consequence for having poor security.  

Second, it needs to be made easy for the vendor to incorporate good security practices.  One of our ongoing goals in producing the "8th" development language is to make security easier for the developer.  

Certainly, without customer awareness there is little hope for improved security (and my personal experience is that few end-users really care enough about security to be interested in it).

Re: IoT security

Thanks for weighing in here 8th-Dev. I agree that vendors need some repercussions for insecure software. Perhaps customers will care more about IoT security because in certain cases (medical devices), it could have a direct impact on their physical well being.

I'm curious, are there some general steps to making security easier for developers?

Re: IoT security

Hello.  Well, medical devices (and automotive, and aerospace) are already heavily regulated and generally to good result.  But when someone's freezer gets hacked and told to defrost, and the end user loses a lot of money in wasted food as a result, that user will be upset -- but will the vendor pay up, or will there be much of an uproar?  Unlikely, unless a lot of freezes go into "defrost" in the same period of time.  We worry a lot (and rightfully so) about fatal consequences of failures, but economic consequences can be even more pervasive and destructive.

Regarding your question about what general steps may be taken to make it easier for developers to incorporate security, I think there are a few things.

First and foremost, security needs to be raised as a product goal in the developer's mind from the very beginning.  I can't tell you how many projects I've worked on where the dreaded phrase, "we'll add security later" was uttered.  It doesn't work unless it's designed in (and even then it may not work, but at least it's got a fighting chance).

Second, developers need to gain acquaintance with secure coding techniques.  Some are generic, and some speciific to particular tools.  As an example, in "8th" we encourage the developer to "wipe" buffers which had contained a password.  But ...

Third, the tools used should make life easier.  Again using the example of 8th, when the developer uses a password to create an encryption key, the password string (as well as the key) is marked for wiping upon reclamation.  That is, when the developer is done with the password and discards it, 8th will wipe it before releasing its memory.  Of course the developer could (and probably should) wipe it earlier, but that's a judgement call.

I really could go on a lot longer, but I've got to get back to work...

Best regards,

Ron

Re: IoT security

Ron,

Very-Very Good points!

Developers need to incorporate Security into their core Development plans if they have to achieve peace of mind for all concerned parties(including Consumers).

I Especially liked your main comments here-

First and foremost, security needs to be raised as a product goal in the developer's mind from the very beginning.  I can't tell you how many projects I've worked on where the dreaded phrase, "we'll add security later" was uttered.  It doesn't work unless it's designed in (and even then it may not work, but at least it's got a fighting chance).

Entire IT Departments need to stop considering Security is a bolted in feature or just a layer which is applied later on after the whole IT System has been designed.

That worked previously in the age of Mainframes and Client-Server Infrastructures but in today's age of BYOD and IoT its just no longer possible for the simple reason that the Perimeter around which you would have to defend could very well  encompass the Entire Internet today!!!

This obviously brings with it some major issues to solve and fix.But the biggest issue to solve has to be the change in Mindset of Developers.

Achieving success there changes things nicely for everybody concerned.

 

Re: IoT security

Ron,

What kind of pain do you have in Mind?

Some thing along the lines of major SLA agreements?

Lets say a vulnerability caused by the Vendor's Negligence leads to downtime of 1 hour for an IoT System;How big should the Penalty be?

In the case of Cloud-related Contracts you could probably end up demanding a weeks worth of Free Service in return but In this case the issue is much more complex and hard to manage.

What do you have in Mind?

 

Re: IoT security

Financial consequences, primarily.  If a provider whose product is faulty has to recall the product, that is painful.  If he has to reimburse consumers for their losses, that's painful.

I don't think that just passing laws is the way to go, but I'm not sure how to push back the pain to the producer of the defective product.  Particularly in an IoT setting, where a fault in one place may cause a cascade of faults in other places which otherwise wouldn't have shown up.

Re: IoT security

Ron,

While I don't disagree with the notion(that not many customers care about Security today) what bothers me more is what can be done to Educate Consumers more and make them care about Security.

We just can't let an issue as vital and as relevant to IoT Infrastructure as Security just simply float away....

Simply Automating everything without any sort of Manual and Expert Supervision is also pointless frankly speaking.For the simple reason it causes more problems than it solves today.

That is primarily because when you automate everything and remove the Human thought-process entirely from the Equation;people tend to get complacent and lazy.

That just makes it easier for things to get through the door which otherwise could'nt or would'nt if you had some full-time Security Pros who are always on Guard and monitoring issues as and when they do arise.

 

Re: IoT security

Ashu001,

Regarding educating customers, that's a tough one.  The amount the end-user has to think about security has to be reduced; meaning, we developers and designers have to make it much easier for the consumer.

As a simple example: PGP/GPG mail.  It's no secret that email is sent in plain-text, and is vulnerable to all sorts of hacks and spoofs let alone interception by interested 3rd parties.  The PGP solution (e.g. using strong PK encryption) has been around for a long time.  But it's painful to use, and most email clients haven't supported it or their support was "bolted on" and didn't work smoothly.  The method of exchanging public keys is/was clunky and don't even get me started on the UI issues around generating keys and managing them.  It's a good example of a technologically sound solution with terrible UX.

If something is hard to use, the users will defeat the hard-to-use part (sticky-notes for passwords, or using very weak passwords, etc).  We need to do better if we expect users to comply.

 

Re: IoT security

Hi 8th_Dev,

I agree completely that security products are far too hard to use for every-day users. Too often the security community blames the users for failure; falling for phishing attacks, choosing bad passwords, etc. At the very least, users need better training, but in many situations (like commercial products) that's just not possible.

Someone should take a few of those "user security training" books and use them as a roadmap for new technology development. Every time we depend on or blame the user, it should be instead considered a failure in technology or user experience, and the security community needs to do better.

Re: IoT security

Issac,

Great-Great points here!

The big issue when it comes to simply penetrating and patching every single time a problem arises is not just that some folks might get hit because of Irresponsible Disclosure practices but also the fact that there is a massive game of One-upmanship in place which ensures that just like in the Cold War(when there was a massive Arms race going on) even today there is an Arms race in the Virtual world to discover vulnerabilities faster and quicker than anyone else around them.

I was recently reading up on the Spat between Google and Microsoft over some Vulnerability Google Discovered in some Microsoft product without even bothering to share it with MSFT.

These kind of foolish games need to stop in today's age of IoT and all-pervasive Connected Devices.

 

security Concers with IoT based systems

"In a recent 2015 cybersecurity report, AT&T charted a 458% increase in Internet of Things (IoT) vulnerability scans of devices. This is  just the latest indication that hyper-growth of IoT devices, sensors and systems across business, consumer and government sectors puts users' information privacy and security at risk."

Isaac, it may be right because IoT based systems are comparatively new to the market, in range of 3-5 years. Now a day's IoT based systems are using as a part of automation/smart devices for monitoring and sensing. Most of such devices are not equipped with any form of security measures.