In a recent presentation at the Defcon security conference, Mark Stanislav and Zach Lanier from Duo Security outlined the current problems and threats that Internet of Things (IoT) devices face and how we can address the data security concerns of individuals worried about personal privacy in the IoT.
The research from the team at Duo identified emerging threats and recommendations for IoT security and next steps for IoT manufacturers working to correct previously improper access control, lack of transport security, and ways bad actors have been able to bypass the minimal security of existing devices.
“Internet of Things is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.” -Gartner IT Glossary
This type of network is generally made up of wired and wireless devices that are able to communicate to other devices of the same type. Gartner estimates that the growth of IoT should reach over 26 billion units by 2020. ABI research actually believes that number to be low, estimating IoT to reach over 30 billion units by 2020.
On the surface, the idea of smart homes, smart work, and smart life sounds enticing. The possibilities created by enabling technology to improve the way we work and live are endless. But new technologies also mean new threats. It’s critical that IoT vendors understand the implications their devices will have in personal and network security and address these security concerns with their Internet-able devices.
In IoT there is no one device to rule them all. “Things” is the key. It’s likely that at home and at work, users will need to get used to multiple devices connected to a network and understand the implication of the growth in threats to their personal privacy and data security.
Instead of worrying about protecting a computer, in the Internet of Things users will need to consider protection for computers, routers, hard drives, cars, appliances, WiFi routers, home security systems, and more.
Computers had time to mature before having to deal with network connectivity and integrating the Internet into their day-to-day processes. IoT devices are growing up with Internet connectivity. Although basic computer maintenance and updates are becoming more common for everyday users, device maintenance is still an uncharted area for most.
How will users manage patching and updating IoT devices as new security issues require firmware updates? How will vendors manage the ongoing security of their devices and certificate deployment?
In the early days of computers, networks were closed and trusted. Today they are open and vulnerable to bad actors. Vendors will need to ensure that hardware providers for their products are trusted and understand the security implications of the data being transmitted to and from these devices.
Each vendor will most likely have custom sets of hardware, software, APIs, and update processes.
All of the possible IoT devices will need to learn to communicate just like computers did, but in an already open and threat-prone Internet environment. Data security has to be first and foremost as IoT devices are deployed.
Stanislav and Lanier pointed out a “theoretical” exploit against a typical security camera with a vulnerability. While they considered the exploit “theoretical,” users who attempted the exploit learned how easy it was to really bypass default security on a popular security camera device.
Without proper security and authentication, IoT devices could simply offer hackers an open door into our work and home. And even if we lock the front door, a vulnerability in our home security system could easily allow a bad actor to unlock the front door or trigger a false CO2 warning and sneak in the back door.
A number of considerations need to be made in terms of how to secure IoT devices and ensure that data security between devices communicating in IoT networks is done correctly. The Duo team identified the following security areas as a start:
The growth forecasted by Gartner and other industry research groups shows that IoT development won't happen just with the top-end vendors. There are already hundreds of IoT-related organizations. If you search for device projects on Kickstarter or other crowd funding sites you'll see many startups producing IoT devices. Many entrepreneurs don't come from IT security backgrounds and an early stage startup often can't afford security researchers to put IoT devices through rigorous security testing. And these organizations usually don't simply add IoT capabilities to existing consumer products, they'll be at the forefront of IoT in ways we haven't yet imagined.
Managed PKI services are a critical component of IoT security. From certificate deployment to vulnerability scanning and security management, managed certificate systems can make it easy to deploy strong security for IoT data encryption, eliminating a key security concern for IoT.
Certificate-based security remains the most reliable way to secure connections and information exchange between mobile apps and IoT devices, device to device communication, and IoT device API calls.
Ensuring that security best practices are used is key to getting data security right for the Internet of Things. In addition to data encryption and secured access with digital certificates, organizations like Builditsecure.ly are making it easier to connect IoT device manufacturers with the security community for testing and consulting during the development process.
Organizations like Builditsecure.ly enable better security by:
Asking security questions and discussing security concerns and implications shouldn't be taboo. Researchers and vendors need to come together and have open dialogues on how IoT device security needs to be done in order to make sure that future vulnerabilities are addressed and the capability for ongoing monitoring and updating is in place.
Vendors must realize that lack of security or even one severe vulnerability in their IoT devices creates a lack of trust in their services and could mean the end of their business.
The Internet of Things is still in development. It's early enough in its life that security can be done right to enable these devices and make a positive impact while limiting the repercussions of the lack of data security.