Technical writer at 1E
Until a few years ago, if you were selling a smart home lighting system, you’d rhapsodize to your starry-eyed customers about its impressive cutting-edge technology, and demonstrate to them how their mobile phones could, almost in a moment of wizardry, communicate with the system on demand even when they would be vacationing in the Masai Mara.
Fast forward to the present, where 5.5 million new things are being connected and over 1 million malware attacks are reported on a daily basis. Most certainly, there’s not an IoTa of doubt that the Internet of Things has begun to show its dark side on a global scale. Almost everything we use in our daily lives, be it kettles or kennels, watches or washing machines, pacemakers or PTZ cameras, running shoes or refrigerators, or even cars and candles (yes, and believe it or not, this segment is literally waxing now), is now adding to the already burgeoning list of smart connected objects. Quite logically, such a deluge of connected contraptions in the market carries with it the impending risk of these devices being hacked, tracked, and possibly attacked.
Gartner predicts that the number of connected devices will grow to 6.4 billion by the end of 2016, and will exceed 20 billion by the end of 2020. Bruce Schneier, who is the Chief Technology Officer at Resilient, a fellow at Harvard’s Berkman Center, and board member of EFF, observes, “What used to be attacks against data and information have become attacks against flesh, steel, and concrete.”
Just How Severe are These Threats?
A Princeton study revealed that there are over 500,000 inadequately secured devices connected to the internet. Devices such as these with exposed vulnerabilities are like sitting ducks, waiting to be targeted by actors of cyber crime. The number of connected devices directly equates to the number of possible attack vectors. Here are just a few incidents, which have grabbed the headlines in recent times, and are enough for us to sit up and take notice:
- CCTV Cameras: Unpatched CCTV cameras connected to digital video recorders offer an unrestricted gateway to websites and networks. What otherwise is used to monitor suspicious activity can be turned around to pry into the life of its very owner, and intrude into other interconnected devices over the network. And so the largest concerted DDoS attack the world has ever seen found its target recently in over 152,463 compromised cameras and IoT devices, delivering a combined scathing onslaught of 990 Gbps, pushing French hosting provider OVH into embarrassment.
- Baby Monitors: Another vile act has been reported of actors hacking baby monitors, changing their settings, and harvesting videos that unsuspecting parents not just treasure, but rely on for their peace of mind.
- Cars: A connected car can generate up to 25 GB of data per hour. Although there doesn’t seem to be any outwardly financial motive in taking control of another’s car, you can imagine what would happen if a malicious hacker decides to open the doors when the car is speeding up the highway at 60 mph. Car manufacturers have shown concern over this, and Chrysler recalled 1.4 million vehicles in the US in 2015 after detecting a vulnerability. Early this year, BMW confirmed it fixed a problem of hackers being able to unlock the doors of 2.2 million Rolls Royce, Mini and BMW cars.
- Medical Devices: Several pacemakers have been shown to be hackable from as far as 30 feet away, and to deliver powerful shocks of 830 volts in series, causing fatal consequences. These devices are also capable of being loaded with rogue firmware, which could infect other pacemakers and Implantable Cardioverter Defibrillators (ICDs) within the vicinity, which in turn can spread the virus to others. And drug infusion pumps too have yielded to the smart and surreptitious hacker, allowing full control over the volume of drug that’s delivered into the patient’s system, while wrongly displaying a safe dosage value of delivery on their screens.
- Power Grid: Last year, hackers took down a power grid in Western Ukraine causing a blackout.
- Floodgates of Dams: The US government recently indicted Iranian hackers for attempted intrusion on the Bowman Avenue Dam in Rye Brook, New York. They tried to obtain operational control over its floodgates. Luckily, the dam had been disconnected from the network for routine maintenance; otherwise the implications could have been disastrous.
Tim Phipps of Solarflare rightly says, “Defence is only as strong as the weakest link.” Such security threats can snowball quickly. “Vulnerabilities on one system cascade into other systems, and the result is a vulnerability that no one saw coming and no one bears responsibility for fixing,” says Schneier.
What’s the Root Cause of Such Vulnerabilities?
There isn’t one single factor, but plenty of them that have contributed to the existing mayhem. According to Schneier, risks arising from IoT devices are attributed to three things: software control (the extent of software updates supported on a device), interconnections between systems (e.g. Gmail accounts have been compromised on account of vulnerabilities in Samsung smart refrigerators), and the autonomy that systems enjoy (e.g. computers turning a furnace on or off, or driverless cars automatically steering their way around). Let’s list each one of these and other factors individually:
- Mindset on security: First of all, most technology companies so far have engaged in product innovation, focusing on the features and functionality; security has taken a back seat, as it was not the need of the hour – until recently.
- Not knowing what’s on the network: Once a smart device gets connected to a network, it forms part of the entire jigsaw of myriad interconnected devices. Vulnerability in just one device puts the security of the rest of them in jeopardy. Not fully knowing what’s on your network is akin to entering a sports match without knowing how many opponents you are competing against.
- Systems with dated protocols or no patches: Many devices may be running on archaic protocols such as Session Initiation Protocol (SIP) that may offer easy intrusion and hacking.
- Systems without provision for updates: Schneier shares the insight that the fact that most people replace their cars every 10 years or so, refrigerators every 20 years, and thermostats perhaps never, leaves manufacturing companies bereft of any financial motive for providing ongoing software support for such devices that have a low replacement rate.
- Systems that are pre-programmed to conduct tasks: The very fact that there is reduced human interface in computer-driven processes, or say in driverless cars, makes these devices easy targets for attackers.
- Absence of encryption: Smart devices that are connected to the internet but have no basic level of encryption offer an open ground and invitation to hackers to unleash their torrent of malevolence.
- Outwardly vulnerable: Some devices, such as the Samsung SmartThings smart home platform found by researchers to have an inherent multitude of vulnerabilities, could, if not patched, present themselves as targets for gaining entry into home networks.
- Inundated by a data hurricane: A Federal Trade Commission report gathered that it takes fewer than 10,000 smart households to generate more than 150 million discrete data points each day. With data reaching such colossal proportions, it becomes imperative, to say the very least, to plug all possible entry points that would give actors access to sensitive personal information.
- Undesired circulation of data: Sometimes, data that we authorize one entity to access may be accessed by another for reasons legitimate or otherwise. For example, an insurance company may make use of information they obtain from your wearable fitness devices to arrive at the health insurance premium amount that you need to pay.
- Privacy breach: Some manufacturers or hackers can covertly track your life through the smart devices you may have bought.
Now that we know the gravity of the situation and the root causes of the problem, let’s finally look at the top preventive measures to safeguard ourselves from becoming victims of an attack.
Top 11 measures to save yourself from IoT threats
- Be aware of all connected devices: It pays to be aware of all devices connected to your network, and then make an assessment of their security positions. Keep only the necessary devices connected, and retire the ones that pose a security hazard or can be done away with.
- Secure the device: If possible, keep the device patched and updated regularly. Keep the firmware up to date. If you are using Windows SCCM, you can do this by using software such as 1E’s Nomad, which allows you to distribute software and patches quickly through a P2P approach. Also, if you are a developer, make sure to provide a unique identity key to each device that talks to your IoT hub, so that every device can be authenticated. As a user, you may want your manufacturer to provide a security certificate.
- Secure the connection: Make sure that your internet connection is tamper-proof.
- Ensure cloud security: Render security to your data as it moves to and from the cloud.
- Conduct penetration tests: Routinely conducting penetration tests gives you the assurance that your system is largely protected.
- Encrypt all data: The need for this cannot be stressed enough. Begin with raising consciousness about data security within your organization.
- Deploy network security protection: Institute a robust policy and arm yourself with the technology to neutralize an attack or incursion on your network.
- Judiciously use firewalls: Place your CCTV cameras and business systems behind firewalls.
- Turn off Universal Plug and Play devices: Prevent exposure by turning off this feature on your routers and smart devices connected to the network.
- One device-one password: Avoid using the same password for multiple devices.
- Create a separate guest network: This can be done to keep undesired visitors from accessing your home network. Simply connect your smart devices to the guest network. That way, even if they fall prey to an attack, your home network remains unscathed.
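
For developers, the "unique identity key" advice under "Secure the device" can look like the following added example, which is not code from 1E or from any IoT hub product. It assumes a hub that derives one HMAC key per device from a master secret; the function names, device IDs and secret are hypothetical, constructed values.

```python
import hashlib
import hmac
import time

# Constructed demo secret (assumption): a real hub keeps this in an HSM or key vault.
MASTER_SECRET = b"constructed-master-secret-for-demo-only"


def derive_device_key(device_id: str) -> bytes:
    """Derive a unique key per device, so one leaked key exposes only one device."""
    label = b"device-key:" + device_id.encode()
    return hmac.new(MASTER_SECRET, label, hashlib.sha256).digest()


def make_token(device_id: str, device_key: bytes, expires_at: int) -> str:
    """Device side: sign 'device_id|expiry' with the device's own key."""
    msg = f"{device_id}|{expires_at}".encode()
    sig = hmac.new(device_key, msg, hashlib.sha256).hexdigest()
    return f"{device_id}|{expires_at}|{sig}"


def verify_token(token: str, now: int, revoked: frozenset = frozenset()) -> bool:
    """Hub side: re-derive the claimed device's key and check signature and expiry."""
    parts = token.split("|")
    if len(parts) != 3:
        return False
    device_id, expiry_text, sig = parts
    if not (expiry_text.isascii() and expiry_text.isdigit()):
        return False
    if device_id in revoked:
        return False  # a compromised device is cut off without rekeying the others
    if int(expiry_text) < now:
        return False  # an expired token cannot be replayed later
    msg = f"{device_id}|{expiry_text}".encode()
    expected = hmac.new(derive_device_key(device_id), msg, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), sig.encode())


if __name__ == "__main__":
    now = int(time.time())
    key = derive_device_key("camera-01")  # provisioned onto the device at manufacture
    token = make_token("camera-01", key, now + 300)
    print("valid token accepted:", verify_token(token, now))
    forged = make_token("thermostat-07", key, now + 300)  # wrong device's key
    print("forged token accepted:", verify_token(forged, now))
```
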
Of course, with the passage of time and the influx of new technologies and devices, the risk profiles, challenges and remediation measures would keep changing. Be prepared to ride the charIoTs of fire.
About the author:
Thomas McGrath is a technical writer at 1E, and a digital content specialist. He has written for the likes of Telecoms.com, Digital TV Europe and Business Cloud News, among others, covering topics such as apps, the Internet of Things and TV.