Exchanging Convenience for Security
By Daniel Jetton, VP Cyber Services, OBXtek, Inc.
Picture this scenario. Recently, I purchased a smart grill, which automatically starts and heats up via an app I can set on my phone. Additionally, it senses when my food is the correct temperature for retrieval. One day I receive a text message from someone calling himself “Xtrakt0R79”. Xtr@kt0r79 texts me that he has hacked my grill and has fired it up to 500 degrees. The gauge is rapidly approaching the danger zone. I quickly hit another app on my phone, connecting to the Wi-Fi camera on my back patio. I can clearly see the hot grill with heatwaves dispersing in the air above it. The hacker is asking for $75 transferred via bitcoin or crypto-currency to keep from superheating the unit and possibly starting a fire on my patio. I have 20 minutes to comply and 30 minutes to complete the funds’ transfer. What do I do? I should have secured these apps and devices better. Was there a default password I should have changed? Can the hacker access other smart technology in my house? From where will the next ransom request come?
The term “Internet of Things (IoT)” is used to describe the increasingly networked machine-to-machine/network-to-network communications that is built on cloud computing and various sensors. The IoT exists in an instantaneous, virtual and mobile environment. The term IoT is sometimes used synonymously with “smart” hardware, describing how the hardware reacts and sometimes anticipates our needs (like turning on the lights or otherwise reacting to voice commands). These smart devices are not equipped with artificial intelligence, but use sensors and commands that automate tasks we humans no longer have time or the inclination to do (Burrus, 2017). The three major drivers of this IoT technology are decreased computing and storage costs, pervasive cheap and tiny sensors, and ubiquitous connectivity (Jontz, 2017). Objects like smart thermostats learn your house habits to adjust temperatures that keep you most comfortable when home and save money when you are not. Smart lights may go off when they sense no movement or have reached a programmed time. They may also turn off when you press a button on your phone or use a voice command. Between you and the smart device exists a network and internet cloud that decipher and transmit the data from sender to receiver.
The cleverest part of the Internet of Things is not necessarily that you can tell devices to do things, but that device can tell you things. A moisture detector can alert you to a flooding basement via your phone. Smart cement can detect warps, cracks and stress fractures on bridges and roads and automatically notify authorities to prevent a calamity. Similar sensors on your car can detect ice on a sloped road and automatically slow your vehicle (Burrus, 2017). In traffic, anyone with the Waze application on their smart or tablet device can use the GPS and algorithm (and network of users) to determine the fastest way home.
In 2016 the IoT market generated $1.39 billion with a forecast of generating $74.53 billion by 2025. Largely due to global distribution and growing internet availability, the demand for connected devices will increase while the cost of sensors, sensor technologies, and high-speed internet will decrease. The only thing slowing the growth will be a shortage of IoT expertise and trained workers along with a lack of universally accepted standards and protocols (Inkwood, 2017). Polling 5000 enterprises globally, an AT&T Cybersecurity Insights Report found that 85% of enterprises are either currently using or planning to adopt IoT hardware, yet only 10% are confident they can secure these devices (Meola, 2016).
Always On: Part of the Collective
Virtually every household item has the potential to become connected to the internet in the next few years. Turning a “dumb” device into a smart one will be financially inconsequential as processors become a commodity. This could result in a flood of smart devices that have little to no value to the consumer. These smart devices would instead be produced as a way to harvest data, analytics, and information for the manufacturer. Data is a much sought after commodity that can be used by the manufacturer or resold on the marketplace. Mikko Hypponen, chief research officer at F-Secure, foresees kitchen appliances collecting data to monitor repairs and broadcast their location. Location data can help marketing and sales by focusing on advertising (unbeknownst to the owner). With upcoming 5G wireless service, these devices may not even need a home Wi-Fi to communicate worldwide. Just as computer-controlled vehicles are commonplace in the automobile market; soon you likely won’t be able to purchase a device without IoT connectivity. Darren Thomson, CTO & Vice President of Technology Services at Symantec, agrees that companies are asking if they can produce IoT devices instead of if they should. Businesses across the globe are racing to digitize what they do and connect what they have in order to collect data from what they have to sell. Further, patches and updates work for items that can be completely shut down and rebooted, but cars, buildings, pipelines, power plants, and cities have little or no downtime.
The danger of using these IoT items is that we become used to them and forget they are always on, always collecting data (Palmer, 2017). The emergence of the data economy will further promote the use of connected devices and the data they produce. This emergence will give big companies like Amazon, Apple, Facebook and Microsoft distinct advantages and power. Algorithms can be implemented to predict when hardware needs servicing when a person is at risk for a disease or is ready to buy a product.
Access to this data also gives an advantage over rivals and startups. By tracking “big data”, large companies will be able to know new trending products and services as they happen, giving them the opportunity to copy or purchase an upstart before it becomes a threat (Economist, 2017). As data of the 21st century become what oil was in the 20th century, companies will be staking their claims and digging deep in hopes of hitting some of that valuable data.
Threats to IoT, from hackers to malware, are myriad. A newly discovered malware called BrickerBot, currently in the wild, targets IoT devices that specifically run open-source Linux. BrickerBot takes advantage of users who did not change their default username and password printed on the IoT devices prior to shipping. While other malware may look to add a device to its collection of botnets, BrickerBot looks to kill the device outright. As opposed to the common distributed denial of service (DDoS) attack, BrickerBot offers a permanent denial of service (PDoS) attack which renders the device useless. While this vulnerability is common, it is easily preventable and remedied by changing the default username and password while turning off any Telnet remote access (Coppock, 2017).
The cellphone, the most ubiquitously connected device today, has its own share of security issues. Pew Research found that 28% of owners do not lock their cell phone screen at all. 40% of owners only update their devices when it is convenient and 14% admit to never updating the software (Williams, 2017). Personal phones are connected at all times and contain personal correspondence, photos, banking, and contact information; however, a large percent of the population can’t be bothered to secure it. Perhaps in the future, government regulation will mandate protections for cell phones in the same way mandates were implemented for the automobile (Palmer, 2017). Safety belts weren’t always standard or legally required and airbags are a fairly recent innovation. People lived longer in spite of themselves.
A Secure Way Forward
Security company ForeScout produced an IoT Enterprise Risk Report authored by ethical hacker Samy Kamkar. The report reflects badly on IoT product vendors that often use rudimentary security and old firmware–an invitation to backdoor exploits and IoT botnet DDoS attacks (Palmer, 2016). So, what are we to do in order to secure our IoT world? There are some enterprising individuals and companies that see this niche and offer options. Forbes offers up the six most popular technologies for future IoT security with examples of each; 1) IoT Network Security – intrusion detections and firewalls; 2) IoT Authentication- static/dynamic passwords, two-factors, digital certificates, and authentication; 3) IoT Public Key Infrastructure (PKI) – digital certificate and cryptographic keys and life-cycle capabilities; 4) IoT Encryption – in rest and in transit, full key encryption life cycle management; 5) Rest-based Application Programming Interface (API) – authorization and authentication of data from device to back-end, integrity through bona fide communication channels and 6) IoT Security Analytics – aggregation, monitoring and normalization of data from other IoT devices, adding machine learning, anomaly detection and predictive modeling in the future (Press, 2017).
IoT as Security
Another solution for the security of IoT is IoT itself. In other words, the same techniques that allow inspection, management, and optimization of the immense amount of information that currently crosses networks can be used to repair a hack or breach. Tools can be developed to compare network activity against a baseline while continuously monitoring and logging. Full situational awareness is especially vital for critical systems as opposed to a common household platform (OT vs. smart home), but both can be used for the same purpose. The future of household IoT adopters may be breach alerts sent to their smartphones and automatic hack countermeasures deployed upon discovery.
Just as the internet was developed as a government application then transitioned to the public, this IoT solution can be also be deployed in this manner. Current Defense Department initiatives include the ability to identify and react to network changes. The Defense Advanced Research Projects Agency (DARPA) is working to develop self-healing networks. Currently, finding bugs have been considered “artisanal” requiring many hours of professional expertise. These challenges leave hackers with an advantage. Judson Walker, systems engineering director at Brocade Communications Systems, insists that IoT security solutions lie in clearly defined software and application program interface frameworks. These frameworks centralize control over IoT devices, facilitating the ability to alter sensors with minimal effort. Handling massive amounts of data has provided the push for machine learning (artificial intelligence). Algorithms are being formulated for use in not only networks to examine the information, but to also understand it and recognize unusual changes or deviations– ultimately making decisions to mitigate threats. Removing the human piece will provide a much faster reaction to events as opposed to the slow engagement (or non-engagement) of human owners. On-the-spot self-correction is the quickest way. The technology does exist, but the lack of trust is the biggest hurdle as we are turning over human decision making to algorithms (Jontz, 2017).
The Internet of Things is a ubiquitous entity that offers untold abilities and conveniences that could not be anticipated 20 years ago. Unfortunately, the ubiquity and security concerns can leave users including countries, cities, municipalities, and individuals vulnerable in a multitude of ways. The sheer volume of devices and the data they process and store can be used by bad actors for ill. While we are becoming more aware of the risks, we continue to plug-in without taking proper care to mitigate and address those risks. Some solutions are simple (changing usernames and passwords) while others are more complex (implementing authentication and encryption). If companies insist on producing unsecured IoT devices, perhaps the government may step in to regulate the security of these devices. Until we start to take notice of the risks and take the initiative for our own security. Personal responsibility means we take it upon ourselves to do what we can to secure our personal devices while demanding companies secure theirs. Lack of action should require federal intervention to protect the public at large. We should always remember that information is power. We should never give up that power unknowingly or unwillingly.
Burrus, D. (2017). The Internet of Things Is Far Bigger Than Anyone Realizes. Retrieved from https://www.wired.com/insights/2014/11/the-internet-of-things-bigger/
Coppock, M. (2017). New ‘BrickerBot’ malware attack kills unsecured Internet of Things devices. Retrieved from https://uk.news.yahoo.com/brickerbot-malware-attack-kills-unsecured-204503806.html
Economist. (2017). The world’s most valuable resource is no longer oil, but data. Retrieved from http://www.economist.com/news/leaders/21721656-data-economy-demands-new-approach-antitrust-rules-worlds-most-valuable-resource
Inkwood Research. (2017). Global Internet Of Things Market Forecast 2017-2025. Retrieved from https://www.reportbuyer.com/product/4379313/global-internet-of-things-market-forecast-2017-2025.html
Jontz, S. (2017). Cyber Network, Heal Thyself. Retrieved from http://www.afcea.org/content/?q=cyber-network-heal-thyself
Meola, A. (2016). How the Internet of Things will affect security & privacy. Retrieved from http://www.businessinsider.com/internet-of-things-security-privacy-2016-8
Palmer, D. (2016). IoT devices can be hacked in minutes, warn researchers. Retrieved from http://www.zdnet.com/article/iot-devices-can-be-hacked-in-minuteswarn-researchers/
Palmer, D. (2017). Internet of Things security: What happens when every device is smart and you don’t even know it? Retrieved from http://www.zdnet.com/article/internet-of-things-security-what-happens-when-every-device-is-smart-and-you-dont-even-know-it/
Press, G. (2017). 6 Hot Internet of Things (IoT) Security Technologies. Retrieved from https://www.forbes.com/sites/gilpress/2017/03/20/6-hot-internet-of-things-iot-security-technologies/#4d72f76e1b49
Williams, B. (2017). Put a lock screen on your phone, sheeple! Retrieved from http://mashable.com/2017/03/15/phone-security-lock-screen-survey/#ODDkctwhXSqk
About the Author
Daniel Jetton MBA, MS, MA, CISSP, CAP, PMP is the Vice President of Cyber Services for OBXtek, Inc., an Award-Winning Government Cybersecurity Service Provider providing Information Technology Engineering and Support, Program Management, Software Development, Testing, and Information Security services to the Federal Government. He is responsible for leading and defining cyber strategy while ensuring security, defense and risk mitigation for his clients.
Mr. Jetton is a former Army Medical Chief Information Officer with over 25 years of experience in cybersecurity, management, strategic planning and project management.
Daniel can be reached online at (email@example.com). You can follow Daniel on Twitter @CyberPhalanx. For more information on OBXtek, please visit their website at https://www.obxtek.com/aboutus