The Internet of Things (IoT); what’s to worry about?

Submitted by Brad Johnson and Paul Hill

There is no doubt that the concept of the Internet of Things (IoT), a term that’s been around since 1999 from an Auto-ID Center project at MIT, is gathering huge momentum and will be stampeding into your world whether you are ready for it or not. IoT is simply the idea of a network of connected smart devices.  What is making this such a fascinating area is the huge diversity of things that could be considered a smart device: fitness bands, nanny cameras, dashcams, doorbells, door locks, TVs, lightbulbs, mirrors, coffee makers, pet feeders, personal medical actuators, home appliance sensors, transportation actuators, and weather sensors to name just few. The real hope is that these devices will work together and make our lives and the management of our lives easier and tailored to our own needs.

What makes a device part of the IoT is that it is a physical object, is connected to and interacts with a network of some type and can transmit data that it is collecting. These networks can be embedded systems for a business network, a personal area network (PAN), interact through RFID or even a more public network. The objects will likely be embedded with an RFID tag and a sensor to measure certain data.  Of course regardless of the type of network, the data usually finds its way from the local or internal location to an external network or environment via an edge device. The edge device is the bridge between where the object is and where the data needs to go and is usually the entry point to an enterprise or service provider network.

Of course one network that people are thinking about is the Internet which brings with it a whole host of issues to consider. Any device that is connected to the Internet it needs an IP address.   If it has an IP address, it can be reached by anything else on the Internet which means you need to protect it just like any other host or service on the Internet.

If you have to protect it, you need to figure out what are all the ways in which it could be compromised and what technologies can be used to ensure it is only used in the way it was intended. IoT devices are somewhat different than what we have faced in the past. They are closely bound to physical objects and this can result in unexpected side effects.

Additionally, Iot devices are often sensors that transmit data. This means someone has to think about the risks of unintended disclosure, how to protect the data on the device, the transmission of that data and also how to protect it when it gets to its destination: which in many instances is likely to be someplace within a Cloud like infrastructure.

IoT device manufacturers need to perform “red team” analysis to help determine how the devices can be abused in unforeseen ways, and what the consequences would be. Only then, can the correct controls be designed and implemented.

Unlike traditional computing devices, IoT devices have a limited user interface, and as a result they are often designed to self-configure access to the Internet. If your SmartMirror can’t find a WiFi with a DHCP server to connect to, maybe it will see if it can find a nearby SmartTV that will act as a bridge to the Internet. Or maybe it can find a nearby smartphone with a Bluetooth interface in order to “phone home” to the manufacturer.

A number of people estimate that the number of devices connected to the Internet will be between 20 and 30 billion by as early as 2020 – that is less than 4 years from now! That’s a lot of devices to protect and you don’t have to look far or hard to see how quickly people can figure out how to hack into new technology such as monitors, medical devices, automobiles, printers, wireless devices, drones and so on.  The reason this often happens is that in an effort to get ahead of the curve (or their competition), companies focus all their efforts on features and not on security.

There is a huge rush to market for IoT companies. So far they haven’t been very proactive in designing in good security practices. Days after Philips released its line of Hue light bulbs, people figured out how to compromise the hubs and control the lights from anywhere on the Internet. Major news networks have run multiple stories about vulnerabilities in nanny cams that allow people on the Internet to use them to spy on people in their homes and even talk to people.

IoT devices are also entering the workplace. In some cases they are simply brought in by employees, for example people wearing a fitness band to work. In other cases, they are being installed by departments that normally haven’t had to think about IT security. For example facilities management/physical plant departments might be installing smart thermostats in an effort to eliminate zones and give employees more control over individual work areas.

One of the general fears is that organizations will not be proactive in preparing for this onslaught of devices, the information they collect and the various ways in which this data will be disseminated and acted on. For example, when handheld devices first started making their way into mainstream use, most organizations dealt with them by assuming they were simple innocuous devices, the employee would pay for and own them and that it was her responsibility to handle properly. In other words, handhelds were entirely administered through policy and it was an asset not owned by the organization responsible for managing it. It became clear very quickly that these devices had the same processing power and networking capabilities as a desktop and that to reduce their risk to both internal networks and to the sensitive data on them when off premise, very well-defined technologies, policies and procedures had to be deployed to deal with all of the potential security risks they presented.

The same thing is going to happen with the IoT and we should use these same lessons learned to be prepared for it. A number of the security challenges that will need to be faced include device authentication and authorization, encryption of sensitive data with regards to privacy and confidentiality, secure interfaces to the mechanisms that are used to store and manipulate the data (e.g., Web and Cloud interfaces) as well as maintaining the software and the physical security of the objects.