The Internet of Things (IoT) looks to be a boon for vendors selling hardware and services, as well as for spies and hackers. Vendors with IoT tools and solutions are popping up everywhere, and established vendors are turning their tools into IoT platforms. Not all markets are on the bandwagon yet, but everything from cars to HDTVs is being connected at an ever-increasing rate.
Of course, consumers and vendors are not the only ones looking at IoT with ever-growing interest. IoT solutions provide a level of connectivity, and millions of targets, that hackers and spies have never enjoyed before; it is a very large playground.
This is not to say that hacking IoT devices will be easy or that security is not foremost on the minds of IoT vendors and developers. IoT systems are being built on standards like Thread and ZigBee that have encryption and authentication at their heart. IoT solutions should, in theory, be more secure than earlier embedded network solutions.
In fact, much of this security support will work as designed, preventing straightforward attacks such as decrypting intercepted traffic. The problem is that bypassing security, rather than breaking it, is often the way spies and hackers get into a system. This is sometimes done by taking advantage of programming errors like the Heartbleed bug. It can also be done via a human vector, by tricking someone into providing their password or personal information that will allow an attacker to gain access to a system.
Another issue is back doors that are placed into a system by accident or on purpose. Be wary of anyone, from politicians to vendors, who wants to incorporate a back door into your product, because it is just one more way for a hacker to bypass all that security built into a system.
There are two major problems that tend to get overlooked in the discussion. One is problem detection and the other is fixing a known problem.
There are firewalls and intrusion detection systems (IDS) available. The challenge is that these systems have been employed in places like the enterprise, but are rarely discussed when it comes to consumer or industrial products. There is also the issue of overhead and integration as the number and variety of IoT devices proliferate. How do you incorporate new devices into an IDS environment?
Fixing a problem can be even more difficult, especially as platforms become locked down. Secure boot and update functionality can be very valuable in preventing a system from being compromised, but if a system is compromised anyway, being able to update it to fix the problem is essential. A fix typically starts with the vendor, which has to send a signed update to an IoT application or device. This is great if the vendor is providing regular updates. That is true for operating systems like Microsoft Windows, but it is not always the case.
Consider smartphones, which are often supported for only a few years. Unfortunately, such short support periods are even more likely for many IoT devices. Likewise, vendors typically prevent third-party updates. For example, some network routers can be reflashed with software like DD-WRT, but that tends to be the exception rather than the rule.
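The signed-update step described above, as an added example that is not from the original article: the vendor signs a manifest (version counter plus image hash) with its private key, and the device accepts an image only if the signature verifies against the vendor public key pinned at manufacture and the version is newer than what is installed. Because only the pinned key verifies, a third-party image is refused for the same reason a tampered one is, which is exactly why vendor-locked update paths block alternatives like DD-WRT. The key pair, image bytes and version numbers are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is what the device receives: a version counter, the firmware
// image, and the vendor's signature over the version and image hash.
type Update struct {
	Version uint32
	Image   []byte
	Sig     []byte
}

// manifestBytes builds the exact bytes that are signed and verified:
// 4-byte big-endian version followed by SHA-256 of the image.
func manifestBytes(version uint32, image []byte) []byte {
	h := sha256.Sum256(image)
	buf := make([]byte, 4, 4+len(h))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, h[:]...)
}

// SignUpdate runs on the vendor's build system, which holds the private key.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{Version: version, Image: image, Sig: ed25519.Sign(priv, manifestBytes(version, image))}
}

// VerifyUpdate runs on the device. vendorPub is pinned (ROM or secure-boot
// store); installedVersion is the monotonic counter of the running firmware.
func VerifyUpdate(vendorPub ed25519.PublicKey, installedVersion uint32, u Update) error {
	if !ed25519.Verify(vendorPub, manifestBytes(u.Version, u.Image), u.Sig) {
		return errors.New("rejected: not signed by the vendor key, or image modified")
	}
	if u.Version <= installedVersion {
		return errors.New("rejected: rollback to same or older version")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	img := []byte("constructed firmware image, version 2")
	fmt.Println("genuine v2 on a v1 device:", VerifyUpdate(pub, 1, SignUpdate(priv, 2, img)))
	fmt.Println("replaying v2 on a v2 device:", VerifyUpdate(pub, 2, SignUpdate(priv, 2, img)))
}
```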
This leaves users with few alternatives for using a product with a known problem other than discarding the product. That may not be as much of an issue for a consumer product that has a limited lifetime or that is easily replaced, but it can be a major issue for an industrial product that is designed to be used for decades.
Many industrial SCADA systems highlight the problem of moving to an IoT/Internet-connected environment. Most of the early systems assumed a physically isolated network, so network security was often non-existent.
So what is a developer or vendor to do?
There is no easy answer to this other than to implement new systems with as few bugs as possible and to follow best security practices. Updated policies need to be put into place as well. Remote updates tend to be easier to deliver to IoT devices, but that only helps if updates are actually provided. End-user license agreements (EULAs) typically try to minimize liability, including for security-related issues. In the future, a EULA may not be enough protection for vendors as security problems become more common.
The number of nodes accessible via the Internet is growing tremendously, and each is a potential point of attack as well as a place where bug-riddled code may be running. Hopefully it will not be, but given the quality of software these days it is hard to be too optimistic.
The problem is that one cannot simply ignore IoT or related products. Connected devices will be standard fare in everything from farm tractors to cars to refrigerators. Unfortunately, most users will be oblivious to security-related problems and issues until they are affected by one.