As IoT devices find their way into everything from aircraft to power plants and even home appliances, Phil Muncaster asks where our obsession with tech disruption will lead us.
The Internet of Things (IoT): a brave new world or a gateway to a dystopian future? The answer may lie with how well we address the thorny issue of cybersecurity. In fact, experts have been warning about cyber-risk in this space for years, but as fast as Silicon Valley moves, it’s taken this long for things to come to a head. So, as embedded computing devices find their way into everything from industrial and manufacturing systems to home appliances, cars and even planes, should we be fearful?
Threats Are Here
Many people make the mistake of talking about the IoT in the future tense; as something governments, regulators and security experts will have to ‘keep an eye on’ in the years to come. Yet, in the meantime, embedded computing and smart devices are slowly taking over the world. Gartner predicts that by the end of 2017 there will be 9.4 billion connected ‘things’ in use globally, up 31% from 2016. The figure will top 20 billion things by 2020.
Where are these connected ‘things’ appearing? Consumer-grade devices are being used in and around the smart home in ever greater numbers: smart TVs, set-top boxes, cars, electric meters, security cameras – the list is almost endless. A global survey from security vendor Irdeto revealed the worldwide mean figure is over four such devices per household.
In the enterprise sphere, the IoT has permeated both industrial processes and the immediate office environment. Smart printers, lightbulbs, air control units and even chairs can all make the office a happier, safer and more productive place to work. Behind the scenes, embedded computing is increasingly finding its way into industrial control systems in industries including energy, water, transport, manufacturing and pharmaceuticals.
Such systems can greatly improve operational efficiency and safety by monitoring, collecting and analyzing data on a continuous basis and allowing managers or automated systems to make adjustments accordingly. From the factory floor to the connected car, the power plant to the airplane, this kind of digital transformation is disrupting the old order, creating new and exciting ways of working, business models and products.
Yet with great technology advances come new cyber-threats. For the CISO, embedded computing offers a whole new set of challenges, providing remote hackers with an easy way to probe corporate networks for sensitive data via their weakest point. They also offer attackers an opportunity to hack consumer-grade smart devices en masse, conscript them into botnets and launch DDoS and other attacks against organizations. Then there are the potentially even more damaging scenarios in which IoT devices are hacked in order to physically control or damage related systems.
"If you're going to market, would you build a device from scratch or simply use existing components?"
No Longer Theoretical
There are already examples of all three types of attack in the wild, proving the threat is no longer theoretical. In fact, financially motivated cyber-criminals and state-sponsored operatives have much to gain by searching for new IoT vulnerabilities. Perhaps the most infamous in recent times has been the Mirai attacks. Mirai is described by Pen Test Partners founder Ken Munro as a “beautifully simple” piece of malware which scans the web for IoT devices protected only by factory default credentials.
If these log-ins are on a pre-set list of 60 common factory default usernames and passwords, they will be captured by the attacker. The resulting botnets launched some of the largest DDoS attacks ever recorded, including one against DNS firm Dyn in October 2016 which briefly took out some of the biggest names on the web including Spotify, Airbnb and Twitter.
It’s a classic example of how manufacturers often neglect security in the rush to market. Products can sometimes even lack the most basic security-update mechanisms.
Another example is the Devil’s Ivy threat, discovered in the popular gSOAP (simple object access protocol) web services toolkit. If exploited, it could provide attackers with remote control access to an affected device. The challenge is that gSOAP is so widespread, the flaw could affect tens of millions of devices. It’s what Munro describes as the kind of “systemic risk” which is rife in the IoT world, as various bits of code get reused in new products; bugs and all.
“It’s perfectly possible not to reuse components,” he tells Infosecurity, “but if you’re going to market, would you build a device from scratch or simply use existing components?”
There’s also a real and present danger associated with data theft and network intrusion, argues John Higginson, senior consultant at Context Information Security.
“Any network is only as secure as its weakest element and by introducing IoT devices to it, you have potentially added a new weakest link. At Context, we have been able to hack into a number of IoT devices from light bulbs to CCTV cameras, to access home or business networks,” he says.
“As a result, an attacker may use an IoT device as an entry point to the network and once inside, may then be able to move laterally to conduct any number of attacks on the system, depending on their motivations, intent and capabilities.”
Focus on the Firmware
A cursory look at OWASP’s IoT Security Guidance will highlight just how many elements in the IoT ecosystem could be exploited. Among others, these include the web interface, network, transport encryption layer, mobile app and device firmware.
The latter is a key area of focus for the prpl Foundation, a non-profit which is trying to coral the industry into taking a new hardware-based approach to IoT security. Cesare Garlati, chief security strategist, claims that hackers could exploit IoT chip firmware to re-flash the image, allowing them to reboot and execute arbitrary code.
“The issue with this kind of attack is that it gives the hackers complete control of the device and it is persistent; it can’t be undone via a system reboot, for example”, he tells Infosecurity.
The answer is to ensure IoT systems will only boot up if the first piece of software to execute is cryptographically signed by a trusted entity.
“It needs to match on the other side with a public key or certificate which is hard-coded into the device, anchoring the ‘Root of Trust’ into the hardware to make it tamper proof”, says Garlati.
"The issue with this kind of attack is that it gives the hackers complete control of the device and it is persistent; it can't be undone via a system reboot"
Worst Case Scenario
The prpl Foundation also points out that proprietary code is less secure than open source, that connectivity is often poorly engineered and that too many systems allow lateral movement at a chip level, ignoring the best practice rule of ‘security by separation’. The best way to mitigate the latter issue is via chip-layer virtualization, Garlati explains.
The question is, beyond data theft and DDoS-related outages, what harm could deficient IoT security genuinely do to society? Pioneering work by Miller and Valasek into connected car security first showed us back in 2015 how a vehicle could be remotely hacked and consequently steering and brakes manipulated, potentially to catastrophic effect. Then Kremlin-linked attacks on Ukrainian power stations in December 2015 and again in 2016 highlighted how – in one instance – IoT firmware could be successfully hacked and re-flashed to disrupt energy supplies for hundreds of thousands.
As the IoT works its way into ever more critical computing systems, the potential for devastating attacks multiplies, according to Sean Joyce, US cybersecurity & privacy leader at PwC.
“Even the US military is concerned about IoT risks,” he explains. “A recent Government Accountability Office report outlined several national threat scenarios in which IoT security risks might harm Defense Department operations, equipment or personnel. These examples include the potential sabotage of a mission or equipment, operations security and intelligence collection and the endangerment of leadership.”
Attacks might be easier to launch than many IoT-manufacturers think. Munro claims that simply by hacking and remotely controlling home smart thermostats en masse, an attacker could take down the entire power grid.
What Can We Do?
Given the huge security challenges associated with current IoT systems, the market has clearly failed, despite 90% of consumers now believing security should be built into devices, according to Irdeto. However, governments are responding.
In the US, senators have introduced the Internet of Things Cybersecurity Improvement Act, designed to improve baseline security in the market by tightening the requirements for government suppliers. In the UK, the government recently published guidelines for connected car manufacturers, in a bid to improve standards.
However, Munro thinks the right approach should combine regulation and litigation.
“Regulations take a long time,” he says. “It’s fantastic to see, but in the meantime we need to see more litigation [of the kind faced recently by] Bose and WeVibe. The pressure brought by consumer groups, lawyers and governments will force IoT makers to produce more secure kit.”
Until then, it’ll be down to CISOs to mitigate IoT security risk inside the enterprise. Yet according to PwC’s latest research, only 35% of organizations plan to assess device and system interconnectivity and vulnerabilities across the business ecosystem. This needs to change. IT also needs to strictly monitor IoT device usage, enable security protection on all devices, segment devices onto non-critical networks, encrypt all IoT comms and educate staff about the dangers, says Context’s Higginson.
“From isolated incidents to widespread chaos that could be possible with the manipulation of the electrical grid, the potential for damage is huge,” warns prpl Foundation’s Garlati. “It’s almost limitless."
"From isolated incidents to widespread chaos that could be possible with the manipulation of the electrical grid, the potential for damage is huge"