The other day, a colleague was musing about whether we need new security tools for the Internet of Things (IoT). If a watch or car navigation console runs Android 5.0 (Lollipop) or apps from the Google Play Store that use a cellular or Wi-Fi connection, what makes securing those devices different from securing an Android tablet?
Not a lot. Though some threat models may differ (for example, a tablet can be taken with you, while the console in the car is fixed in place), the underlying core architectural components — platform, network communication and applications — are the same. Analyzing an Android app for vulnerabilities may depend on the Android version, but in general, if the app is using an insecure transmission on the tablet, it is using it on the watch, too. Enterprises are maturing their mobile device protection programs by implementing stronger controls, including mobile app reporting analysis, mobile application and policy management and aggregation of mobile device log data into the corporate security information and event management (SIEM) system used by the security operations center.
‘IoT’ Is a Broad Term
At the end of George Orwell’s “Animal Farm,” the Seven Commandments of Animalism are reduced to one: “All animals are equal, but some animals are more equal than others.” While that sentiment is rather depressing in the context of Orwell’s allegory, it’s quite apt for the IoT because not all devices and applications in the IoT world are equal.
The exact definition of what constitutes the “T” in the IoT world is still in flux, but IBM has posited an IoT framework that draws a distinction between smart devices (such as tablets, phones and watches running Android or iOS and loaded with mobile apps from Google Play or the App Store) and other “things,” such as pacemakers and oil level sensors in cars. This is illustrated in the graphic below:
While it’s true the “things” at the top need some kind of operating system (OS) and application software that communicates with a local or public network, there is no requirement that these “things” run a full-blown version of iOS or Android. This means standard enterprise mobile application and policy management agents won’t run on them.
Testing mobile apps is fairly straightforward. Download the app from the Play or App Store and run it through an analyzer. However, IoT apps running on the “things” may not be freely available for testing and may not be testable with analyzers designed to assess Android or iOS apps.
The Proprietary Problem
Remember the early days of cell phones, when there seemed to be as many OSs as there were phone manufacturers? The splintered OS issue is alive and well in the IoT today. In addition to iOS and Android, there are competing systems for IoT dominance, including Ubuntu, mBed and Contiki — not to mention vendors that are writing their own custom OS for very small “things” and sensors.
Application testing and protection agents are purpose-built for a platform, which means vendors need to create a specialized version for each OS. While this isn’t an impossible task, it requires significant investment that may not be cost-justified. With so many IoT OS options, strategic vendors will have to wait to see which ones gain market share before they develop security solutions for them.
How about monitoring the data and communications from those things and apps? Proprietary app logs don’t need to follow a standard format, which could mean new parsers and rule sets for SIEMs. The same goes for unique communications protocols. This is already a reality in the industrial control systems space, where protocols such as DNP3 and Modbus are used.
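To make the parser-and-rule-set point concrete, here is an added example (not from the original article) that decodes Modbus/TCP request frames into flat events a SIEM could ingest and applies one sample rule. The event field names, the allow-list rule and the sample frames and addresses are constructed for illustration.

```python
import json
import struct

# Public Modbus function codes; anything else is reported as "unknown".
FUNCTIONS = {1: "read_coils", 2: "read_discrete_inputs",
             3: "read_holding_registers", 4: "read_input_registers",
             5: "write_single_coil", 6: "write_single_register",
             15: "write_multiple_coils", 16: "write_multiple_registers"}
WRITE_CODES = {5, 6, 15, 16}


def parse_modbus_tcp(frame: bytes, src: str, dst: str) -> dict:
    """Turn one Modbus/TCP request frame into a flat event (field names assumed)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier is not 0, so not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    code = frame[7]
    event = {"src": src, "dst": dst, "transaction_id": tid, "unit_id": unit,
             "function_code": code & 0x7F,
             "function": FUNCTIONS.get(code & 0x7F, "unknown"),
             "is_exception": bool(code & 0x80),
             "is_write": (code & 0x7F) in WRITE_CODES}
    # All eight request types listed above begin with a 16-bit address.
    if not event["is_exception"] and event["function"] != "unknown" and len(frame) >= 10:
        event["address"] = struct.unpack(">H", frame[8:10])[0]
    return event


def alerts(events, allowed_writers):
    """Sample rule: write requests from hosts outside the allow-list."""
    return [e for e in events if e["is_write"] and e["src"] not in allowed_writers]


# Constructed sample frames (hex) and documentation-range IPs, not captured traffic.
SAMPLES = [
    ("192.0.2.5", "192.0.2.20", "000100000006010300000002"),   # read 2 holding registers
    ("192.0.2.99", "192.0.2.20", "0002000000060106000A00FF"),  # write register 10
]
EVENTS = [parse_modbus_tcp(bytes.fromhex(h), s, d) for s, d, h in SAMPLES]

if __name__ == "__main__":
    for e in EVENTS:
        print(json.dumps(e))
    print("alerts:", alerts(EVENTS, allowed_writers={"192.0.2.5"}))
```
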
Other must-haves for security, such as the ability to discover devices, manage them remotely and interconnect with them via networking and data exchange, are equally up in the air, with at least six different groups working on standards.
Time Will Tell
The IoT is broader than smart devices running iOS and Android, and new security solutions, or versions of existing solutions, will need to be created to extend security controls and monitoring. However, until the market shakes out and winners emerge in the OS and standards race, it will be hard for security vendors to know which platforms and protocols to build for.
In the meantime, there is a lot you can do, starting with designing your IoT sensors, instruments, applications and hardware with security in mind.