Back at the start of 2014, I wrote a piece here about the up-and-coming Internet of Things (IoT) and how it had the potential to transform not only consumers’ daily lives, but the business world as well. Fast forward to almost two years later, and IoT is in full swing – but there’s a problem, and it’s a lot more serious than just the prospect of running out of IP addresses to service all of the refrigerators, TVs, thermostats, medical devices, coffeemakers, alarm systems, and a myriad of other electronic gadgets that are now online and accessible from anywhere, not only by their owners but also by savvy hackers.
Security – the concern that looms so large when we talk about our desktop computers, servers and smart phones – seems to have gotten lost in the shuffle when it comes to all the connected “things” that don’t look like computers, but are. I’ve been doing a lot of thinking recently about the (fairly sorry) state of security when it comes to IoT, what can be done about it, and how we can protect our own networks from intrusions that come by way of those newly-connected devices.
If you’re interested in getting a little deeper into the technical details of IoT security, I have a series of articles that will be published in the near future over on Windowsecurity.com, so make a note to check that out in the next month or two. It’s titled IoT: The Threats Just Keep on Coming. What I want to talk about here are some broader concepts and some more personal musings about how I think IoT is going to change my life (and maybe yours) for the better while at the same time increasing the risk to our networks and data.
IoT is the natural progression in the evolution of computing, as the physical and digital worlds gradually but inexorably meld into one. In the past, we talked about the online world and the “real world,” but the line between the two becomes more blurred every day, as so many of the everyday physical objects in our world get online with us. The IoT lets us interact with those appliances and machines remotely and control them any time, from anywhere.
This is some amazing stuff – but there’s a big, buzzing fly in the ointment: without proper security, someone else can take control of our “things” – some of which have the potential to do us grave harm if they misbehave. In some cases the danger is obvious; a malicious hacker who accesses an insulin pump could set it to deliver a fatal overdose. In other cases, the severity of the threat is less obvious. It’s not as if we’re going to die if some prankster changes the cycle settings on our washing machine, after all. But wait – what if malware caused that washer to flood the house, or turned the gas on in our oven without lighting it, or overloaded the circuits of our electric heater so that it starts a fire? What if a hacker caused your car’s engine to shut down on a lonely road and jammed your cell phone signal so he could rob you (or worse)? What if the attacker accesses your “smart” garage door opener and then hacks your cool digital locks to get inside your house when you’re away (or worse, when you’re sleeping)?
Of course, it’s likely that we won’t face such life-threatening situations. But what about your privacy? How does the IoT affect that? We worry about a hacker accessing our sensitive email messages. What if a hacker could listen to everything you say to your family members when you’re sitting around, talking, presumably safe within the walls of your own home? If you have an audio-equipped “nanny cam” that you use to keep tabs on the babysitter, it can be hijacked. Of course, this is possible with all Internet-connected cameras, not just baby monitors. Security researchers at BlackHat in 2014 demonstrated how a Nest thermostat could be manipulated to reveal your heating/cooling schedule, which in turn would let a criminal know when you’re usually at home and when you’re not.
But that’s not all. When all of these “things” are connected to the same wi-fi network on which your computers reside, they can also be used as an entry point to access files on those systems if sufficient controls aren’t in place. Depending on the source, research shows that around 25 percent of the “things” on the Internet now are not secure. If there are 4.5 billion IoT devices online now (based on Gartner’s analysis), that translates to well over a billion that are posing a risk. But that’s nothing compared to what we’ll have in 2020 if predictions of 25 billion IoT devices prove to be true.
Before anyone can do anything about it, we have to answer an important question: Whose responsibility is the security of IoT devices? It seems like a simple question but it’s not. As I go into in detail in the article series mentioned above, IoT vendors are generally not good at security or even at IT. They don’t write most of the device software themselves; they pull software components together from different sources. Most don’t have regular software development cycles, security QA for their products, or good processes for patching the vulnerabilities that do come to their attention.
Many IoT vendors are startups, with very limited budgets, and sell their devices at rock bottom prices in order to get a foot in the door of the market, which means they can’t invest a lot of money in security. Many go out of business, leaving all the “things” they sold out there, orphaned, but still connected to networks.
Users are often complacent about IoT devices because they don’t see them as “computers.” They don’t change the passwords from the default (or even set a password if it’s blank by default). It doesn’t cross their minds that they need firewalls or anti-malware installed on their TVs and thermostats and even if it did, they don’t have that kind of access to the operating system to install them. They usually don’t even know what software, much less what version, is running on these “things” and most IoT vendors aren’t very forthcoming about providing that information to their users.
Some people want the government to get into the act and do what governments do: regulate. One proposal would have the law require that IoT device makers list on their products all of the underlying software components to make it easier for users to evaluate their security (in much the same way as food vendors are required to list the caloric and nutrition information on their packages). Others warn that this would be providing hackers with information that will make it even easier for them to take control of these devices (security through obscurity).
What’s the answer? IT security will always be a shared responsibility. Everyone – users, IoT device vendors, the software developers who create the code that runs those devices, the IT industry itself and yes, perhaps even the government – must first recognize that there is a huge looming problem and then come together to solve it. Right now, we’re still at the point of just raising awareness. Once we all decide that getting serious about IoT security isn’t just a good idea, it’s imperative, we can start to move forward. I know I’ll be thinking and writing more on this subject in the future, and I hope all IT pros will begin to understand that no matter what business you’re in, IoT is going to be everybody’s business.