Co-authored by Ravid Sagy.

The Internet of Things (IoT), commonplace devices connected to each other to become more than the sum of their parts, is quickly becoming an exciting reality. However, there are connectivity, interoperability, management, scalability, privacy and security challenges that require a hands-on approach to this phenomenon. Gartner predicted that there will be more than 4 billion connected IoT devices in consumer smart home environments by the end of 2016 and 25 billion by 2020.

The Internet of Things Needs Better Security

The majority of IoT devices — from medical devices to connected vehicles and even smart cities — come with their own apps, systems and connections and do not necessarily interoperate or communicate. While consumers are gradually adopting the concept of connected devices, recent studies pointed out that security is not high on their priority list, leaving the door wide open to a myriad of security risks.

IBM recently discussed the end user’s need to trust the authenticity of the endpoint device (the “thing”). This is due to the fact that it may store information and potentially affect your immediate physical environment, putting the spotlight on personal privacy.

One other element to note is the communication between the thing and the cloud-based application or infrastructure. Sending data to the cloud means the application has full visibility into the way IoT devices are being used. For example, a smart water meter can reveal the size of a specific household and daily activity patterns. Information about a deviation from this pattern, if it falls into the wrong hands, can be monetized, making this data an ideal target for criminals.

There’s been a lot of discussion regarding the hacking of devices and systems to obtain sensitive information and data. It shouldn’t come as a surprise that financially motivated attackers will find a way to monetize the hacking of IoT devices.

What Is the Current State of Things?

Attempting to apply traditional controls to the IoT is an uphill struggle and would require substantial engineering to address the many constraints these devices have. Some of these may include storage, processing power, bandwidth and inherently limited connectivity.

It should be noted that these devices have a relatively low footprint. As a result, they possess almost the exact processing capacity and memory needed for their tasks. This means there is little interaction with a human; they are expected to make their own judgments and decisions about whether to accept a command or execute a task.

A study sponsored by the U.K.’s Government Office for Science predicted that by 2020, the number of connected devices could be anywhere from 20 billion to 100 billion, so we shouldn’t assume IoT devices are too small to be noticed. As the Internet of Things phenomenon continues to gain traction and more connected devices come to market, security should be top of mind.

Software developers and vendors need to make sure they incorporate adequate security measures as part of the initial design and implementation process. These include dedicated security software development kits (SDKs) such as IBM Security’s libsecurity.

Improved Security

Libsecurity is a comprehensive package that offers application developers a complete, small and provably correct security toolkit for endpoints and gateways/hubs. That includes a lightweight and correct implementation of various security-related modules, including secure storage, user and password management, permissions and more.


Figure 1: Security features provided by libsecurity.

Forewind: A Secure Router/Gateway

Nowadays, most routers, gateways and hubs run on top of Linux distributions, which tend to be prime targets for adversaries. From simple username and password misuse to sophisticated authentication bypass mechanisms, it is clear that he who controls the router controls the entire network.

For example, a recent attack on Netgear routers allowed cybercriminals to bypass the embedded authentication mechanism and change the default Domain Name System (DNS) to an alternative IP address, effectively routing Web-browsing data to a malicious address.

Secure Runtime Environment

Hardware vendors and service providers (such as ISPs and Telcos) are reluctant to allow users to perform software or firmware updates on their own. Therefore, it is crucial that their distribution of choice be as solid and robust as possible.

By default, the Linux kernel already supports important technologies (such as SELinux and AppArmor) to harden the runtime, in addition to other optional applications that can be added as needed. Consequently, this significantly reduces the attack surface and makes the environment more sustainable.

Secure Management Interface on Top of Libsecurity

As previously discussed, the implementation and management interface of most commercial routers do not necessarily make use of the adequate security mechanisms offered by the environment, nor are they written with the proper security mindset. A recent review of the 25 most popular passwords revealed that unchanged passwords make up a large portion of the top 10. The management application behind the scenes is not necessarily secure.

Forewind provides a secure management application and interface, using libsecurity to provide solid password management, user management, access control, etc. Additionally, applications running on the router can be hosted in a secure framework to benefit further from its management features.

Distributed Analytics

One factor to consider is the enormous amount of data IoT devices generate and communicate back to the cloud for analysis. It would be naïve to assume that all systems can scale to accommodate the bandwidth, power, storage and computing ability needed to handle this load; there are simply too many devices generating too much data at any given point in time.

One method for solving this dilemma is a gradual approach. This means the first analytics phase takes place locally on the router, and if an anomaly or deviation is discovered, the relevant data is sent to the cloud for deeper inspection. This allows for a better distribution of data and optimized bandwidth and processing power.

Libsecurity provides a generic anomaly detection algorithm that works autonomously on time series data generated from IoT devices. It is extremely lightweight and very well-suited to first-pass analytics.
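
The gradual approach described above, as an added example (not libsecurity's algorithm or API, and not code from the original article): a constant-memory first pass that keeps an exponentially weighted mean and variance of one metric and returns only the readings a router would forward to the cloud. The `Detector` type, `FirstPass`, the parameter values and the water-meter readings are all assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"math"
)

// Detector tracks an exponentially weighted mean and variance in O(1) memory.
type Detector struct {
	Alpha          float64 // smoothing factor, 0 < Alpha < 1 (assumed value)
	Threshold      float64 // deviation, in standard deviations, that is anomalous
	MinStd         float64 // floor so a perfectly flat baseline can still flag
	Warmup         int     // samples used to learn the baseline before flagging
	mean, variance float64
	n              int
}

// Observe scores x against the learned baseline and reports whether it is anomalous.
func (d *Detector) Observe(x float64) bool {
	d.n++
	if d.n == 1 {
		d.mean = x
		return false
	}
	diff := x - d.mean
	std := math.Max(math.Sqrt(d.variance), d.MinStd)
	if d.n > d.Warmup && math.Abs(diff) > d.Threshold*std {
		return true // not folded into the baseline, so a spike cannot become "normal"
	}
	d.mean += d.Alpha * diff
	d.variance = (1 - d.Alpha) * (d.variance + d.Alpha*diff*diff)
	return false
}

// FirstPass is the local phase: it returns the indices of the readings that
// would be sent to the cloud for deeper inspection; the rest stay on the router.
func FirstPass(readings []float64, d *Detector) []int {
	var forward []int
	for i, r := range readings {
		if d.Observe(r) {
			forward = append(forward, i)
		}
	}
	return forward
}

func main() {
	readings := []float64{40, 42, 39, 41, 43, 40, 38, 42, 41, 39, 40, 42, 400, 41, 40} // constructed, litres/hour
	fmt.Println("forward to cloud:", FirstPass(readings, &Detector{Alpha: 0.2, Threshold: 4, MinStd: 1, Warmup: 8}))
}
```

Because flagged readings never update the baseline, a sustained level shift keeps being forwarded until the baseline is reset, which leaves that classification to the deeper cloud-side analysis.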

Privacy

An additional factor to consider is privacy — or the lack thereof. Continuous data delivery to and from the cloud has a dramatic effect on your privacy. For example, a smart meter — one that is able to send energy usage data to the utility operator for dynamic billing or real-time power grid optimization — must be able to protect that information from unauthorized usage or disclosure. For example, information that power usage has dropped could indicate that a home is empty, making it an ideal target for burglary.

It is crucial that device manufacturers as well as users spend time understanding what data their devices collect, what information is shared and with whom and how the thing transmits and receives data. Additionally, one must be fully aware of the whereabouts of the stored data, whether encryption should be enabled and if more stringent privacy settings need to be activated in accompanying software.

Just as with any other computer devices, it is essential to run the latest software and patch vulnerabilities as well as ensure all apps associated with the device are updated.

So What’s Next?

This is a wake-up call for any engineer, designer or company in the process of building an IoT device. With the advance and proliferation of new IoT devices, security concerns will grow proportionally. Numerous factors contribute to this. The most obvious is the IoT’s high interconnectability, which poses a real threat that is only amplified by the sheer mass and projected deployment scale.

A recent research paper from EURECOM in France and Ruhr University Bochum in Germany showed that embedded device firmware is susceptible to multiple security flaws. The research included analysis of over 1,900 firmware images from 54 different vendors. Researchers looked for vulnerabilities in the Web interfaces of corresponding IoT devices. The results, to no one’s surprise, revealed over 9,000 vulnerabilities found in more than one-quarter of the vendors analyzed.

While the testing was mainly automated and performed on a relatively small number of firmware images, the researchers agreed that it is likely the issues are widespread among IoT devices and not limited to a single vendor or a small group of vendors. Since many of the discovered vulnerabilities have already been disclosed, the impact on end user security is potentially much higher because some users ignore firmware updates available for their devices.

There are several important steps that need to happen to change this mindset:

  • Raise awareness. Companies and decision-makers need to understand the critical role of security in the design of the new IoT devices. Security cannot be thought of as an add-on; it is integral to the IoT device’s functionality and reliability. It should be part of any press article, discussion or plan for new and existing devices.
  • Establish accessible security. Make security accessible. Nonexperts need an easy-to-use means for holistically handling security and privacy issues from the start.
  • Rely on the experts. During the design and implementation phases, individuals and companies should make use of proven, reliable tools and libraries. These security solutions are the products of true security experts as opposed to freely available amateur solutions, which may either lack basic security concepts or be poorly implemented.

IoT brings forth a great promise that requires a change in mindset and in the overarching framework to overcome its inherent shortcomings. Awareness and proper guidance must be provided in order to make sure device manufacturers and owners understand how to put forth basic security and privacy measures as a first line of defense.

Turn to the Experts

You shouldn’t rely on off-the-shelf, amateurish implementations over proven expert solutions. The new IBM Security libsecurity library provides a collection of easy-to-use tools for password protection, authentication, authorization, secure storage and much more.

Libsecurity provides a powerful tool in the fight against cybercriminals who are on the constant prowl for the next system to attack. With libsecurity, you can start engaging with the Internet of Things knowing that you are in safe hands and armed with the correct tools and ammunition against the most prevalent attacks.
