Just How Safe is the Internet of Things?

Just How Safe is the Internet of Things?

The Internet of Things that keep you up at night

Just How Safe Is The Internet of ThingsThere is no doubt the Internet of Things is gaining momentum and is now a reality for some organisations. There is also no doubt it will be a huge market. I read somewhere that Gartner said there were just short of 5 billion things connected in 2015 and they predict 25 billion by 2020. Cisco have placed a value on what they refer to as ‘the Internet of Everything’ will become a 19 trillion dollar industry.

I believe there is huge potential for the IoT to make our lives easier by intelligent devices working in concert to help us with many aspects of our working, public and private lives. But equally, there is huge potential for our lives to be made a misery on a grand scale, through loss, injuries or even fatalities. If you are responsible for IT, and in particular IT security, you are likely to be facing some serious challenges. Your security boundaries may be under siege from a plethora of ‘things’, each with their own need to connect to their host via the Internet and some with the potential of causing you sleepless nights.

“So, what is the problem?”

So, what is the problem? The majority of modern IT product, software or system developers will have security in mind at the outset of the development. This is as a direct result of being battle weary following years of high profile security breeches. Even with all of this experience, there are still products reaching the market with inherent vulnerabilities. A high proportion of these vulnerabilities result from the mechanism required to enable remote firmware updates and feature upgrades.

The Internet of Things device developers may be experienced product developers but it seems security may well be an afterthought. The problem is that the vulnerabilities will already be inherent in the product and it could well be too late to remove. This would be like taking an unprotected device from the 1980s and connecting it to the Internet and expecting to be able to operate without being compromised.

“It could be much worse than this as some developers appear to be ignoring the risks by putting security on the back burner…”

Many security specialists warn of the lack of a cohesive security strategy in the development of Internet of Things things. It could be much worse than this as some developers appear to be ignoring the risks by putting security on the back burner while they focus on developing their product and getting it to market. The security implications are then considered as an afterthought. There was a reasonably well publicised example of this lack of inherent thing security last year when hackers compromised a Jeep Grand Cherokee via it’s infotainment system – see Vehicle Dash, Vehicle Crash. Network Security on the move.

There is another security dimension that could be overlooked in much the same way as BYOD caught some organisations unawares. As the Internet of Things grows, so will the number of communicating devices crossing into the corporate network. These will include wearables, environmental sensors, lighting controls, heating controls, appliances and more.

“What are the personal security implications?”

So, what are the personal security implications? With a multitude of things reporting our movements and habits as we go through our daily routines, who knows where our personal data will be stored. Are we really sure our personal data will only be used by the organisations we agreed the terms and conditions with? Do we know how long the data will be held? The fact is, our personal data will be out of our control as soon as it leaves the ‘thing’.

Internet of Things Smart AppliancesWe often here of ‘big brother’ but there are far worse things that could happen to our personal data. Losing our identity could take on a whole new meaning if along with our personal details, our personal habits could be stolen and replicated too.

There are clear benefits in having real time medical and health data monitoring things to ensure patients have the best possible quality of life during recovery or long term illness. The data may be used to adjust medication or warn the patient that they need to get into hospital as soon as possible. If these things were compromised the results could be tampered with leading to over or under doses of medication.

The Internet of Things is big in home automation. Our use of domestic appliances, heating and water give away a lot about our domestic habits. They also provide a good indication as to when we are home and on holiday. This is information is obviously very useful to anyone planning to break into your home. Relying on lamps with time switches just would not cut it when all of the other utility using activities are confirming our absence.

“What are the larger scale implications?”

What are the larger scale implications? The Internet of Things could expose us to new threats to our personal security. Threats that we just haven’t conceived before, let alone experienced. But if the new threats to personal security are not bad enough the Internet of Things could add a whole new dimension to the threat to national security.

Life in the UK (and many other countries) relies on ‘on demand’ or ‘just in time’ provisioning. Our food and provisions are constantly being refreshed on supermarket shelves from source via national and regional distribution centres. Some people have their own buffer supply in larders and chest freezers but for many of us we buy things as we need them. We expect everything to be there as and when we needed. I often see frustrated customers complaining about what is usually the lack of one particular brand of product not being available when they need it.

We expect the same from our utilities clean – drinking water when we turn on the tap and we expect our electricity supply to power our lights or TV and gas cookers to burst into life as and when required. Everything we need to maintain our lifestyle depends on a complex supply and delivery infrastructure, any disruption to the main trunks of that network have major implications, anyone living in areas hit by extreme weather conditions will know this only too well.

“This was a comprehensive and concerted attack on more than one electricity generating company…”

Internet of Things technology may play a big role in our national infrastructure. But, as we increase our dependence on IT to support our daily lives we are becoming more vulnerable by exposing more ‘attack surfaces’ to potential cyber attackers.

Towards the end of last year the Ukraine power network suffered a major outage as a result of a sustained and coordinated cyber attack. The attack commenced around six months prior to the outage when attackers started sending emails with infected Microsoft Office files. Some of these successfully infected PCs enabling the attackers to collect user credentials. These credentials were later used to break into the control system to replace critical operational files which caused the outage.

The attackers even disrupted telephone systems to prevent electricity company customers calling in to report the outages. With no contact from their customers the power engineers were unable to establish a clear understanding of the extent of the problem. This was a comprehensive and concerted attack on more than one electricity generating company to bring about major disruption of service lasting several hours and the only means of recovery was to disable the automatic systems and revert to manual system management.

“I wouldn’t feel very comfortable would knowing my kettle could be switched on remotely by a cyber attacker.”

Internet of Things SensorsExperts say this type of attack could happen in other countries including the UK. The SCADA control system is readily available to be studied by cyber attackers to identify vulnerabilities. However, the Internet of Things opens up another potential angle for cyber attackers to bring about major disruption to the power network.

I have heard experienced people in our industry say on several occasions – why would we concern ourselves with the security implications of domestic appliances? But if we do ignore domestic appliances we are missing a major potential threat in that if one kettle, refrigerator, dishwasher or heating control can be compromised, there will be thousands more with the same vulnerability.

There have already been many cases of compromised security cameras, although many of these are due to the systems being commissioned with their default username and password. What next? I wouldn’t feel very comfortable would knowing my kettle could be switched on remotely by a cyber attacker. Nor would I feel comfortable that cyber attackers could monitor my presence through my use of appliances and heating thermostat.

“As with any IT threat, it is good practice to carry out a thorough risk assessment before proceeding and mitigate the risks where possible.”

What if a cyber attacker infected thousands of domestic smart appliances and programmed them to switch on to full power at exactly the same time? Combine this with a cyber attack similar to the attack in Ukraine and it would cause widespread disruption to the power network that would require more than just reverting to manual control to overcome.

To answer my question “Just how safe is the Internet of Things?” Currently, it is not very safe at all. I will leave you with some sobering thoughts. Gartner predict a $5B black market in fake Internet of Things ‘things’ will exist by 2020. They also predict that in the same year Internet of Things compromises will account for 20% of annual security budgets. There is much work to be done. The best we can do in the meantime, is be aware of the potential threats we are exposing ourselves and our businesses to, and to mitigate the risks where possible.