With around 2 billion people connected to the Internet and the advent of IoT, there may already be more connected ‘things’ than connected people. In 2013, by some estimates, there were over 10 billion connected devices, and this will climb as high as 50 billion by 2020, according to networking equipment maker Cisco. Inadvertently, this has opened up a veritable connected can of worms. Each ‘thing’ is now potentially a point of insecurity, targeted by people who write malicious code for a variety of motives: fun, profit, or political gain. Even the privacy-conscious European Union Commission has recognized that its Data Protection Directive law is unable to cope with the advent of the Internet of Things. A recent poll by ISACA, a worldwide association of information security professionals, expressed concern that the Internet of Things presents a governance problem for their networks, with increased security threats being the most prominent issue raised by IoT adoption.
Attacks on internet-enabled devices can include nightmare scenarios such as loss of electrical power and communications, air traffic chaos, and countless other scares. While so far mainly theoretical, the hazards are real. Over the holiday season, it was reported in the technical press that the security company Proofpoint found an Internet first: over 100,000 Linux-running ordinary IoT consumer appliances, including TVs and refrigerators, were sending email solicitations for fake pharmaceuticals. And email recipients who clicked on the fake links had their PCs exposed to hostile software, with the capability of stealing information.
The security software firm Symantec reported in December that a new, malicious “worm” was spreading on the Internet, adapted to attack embedded devices running Linux. Dubbed Linux.Darlloz, it was spreading between common PC systems but was capable of attacking a “range of small, Internet-enabled devices in addition to traditional computers.” Symantec’s team found variants of Darlloz for chip architectures used in devices like home routers, set-top boxes and security cameras. The worm uses a known PHP vulnerability to spread. The vulnerability, which affects PHP versions before 5.3.12 and 5.4.x before 5.4.2, was patched in May 2012 — it allowed malicious code to be executed on vulnerable systems using specially formatted query strings.
This implies that, unless designers take careful action, we can expect to see a lot more inadequately secured internet devices being taken over, compromised by exploiting known Linux vulnerabilities. Hackers have in the past targeted PCs via the Internet, leading to data compromises and computer crashes. Antivirus PC software is continuously being updated to help laptop and desktop computers, but it is harder to install a software suite on a smart toaster. IoT devices typically rely on the user merely setting up a username and password for protection.
You are the weakest link
It could be argued that system designers are responsible for these issues, innocently ignoring catastrophic scenarios, but IoT sensors may be the true weakest components in the system: temperature sensors, video security cameras and other simple, inexpensive (often foreign-made) sensors. IoT Smart Meters often send their collected information to a local data hub — sometimes another nearby off-site smart meter — where the data is aggregated for later bulk upload. Is this data secure? There have even been security and privacy concerns with industry-leader Google’s head-worn computer, Google Glass, although they have been quick to point out that privacy issues had been considered a top priority since day one. Google recently paid $3.2 billion to buy smart thermostat and smoke alarm maker Nest — so you can expect even more internet-connected devices from Google.
It is becoming obvious and vital to add thought-through, robust security measures to sensor networks where they are installed. Formerly, a key strategy for protection systems was to isolate them from other networks, but real consideration is needed when designing or installing an IoT device, incorporating comprehensive security concepts with powerful access controls and network monitoring.
In addition to security, the new IoT problem includes privacy — what happens to collected information? Who has access to how much milk or which carbonated liquids do you drink from that smart fridge? Big Brother or industrial spies with inquiring minds need to know! Tiny items of data add up to defining us without our knowledge. This consumption can reveal we are dieting or even our religion (Muslim fasts, Jewish feasts, etc.)
The AllSeen Alliance is developing open-source software that could help. The Allseen Alliance is a recently-formed IoT industry group, encouraging interoperability among connected devices regardless of their manufacturer. The group’s software will be based on AllJoyn, smartphone IC manufacturer Qualcomm’s open-source Internet of things software. AllJoyn allows app developers to choose what security levels to incorporate (e.g encrypting data or limiting functionality to different users.) Other self-contained security methods have been employed, such as allowing temporary access on smart door locks. We may not necessarily want a cloud service to know when we walk in and out of our front door, so the designer who gives the house-owner that choice may gain more sales, with the comfort (illusion?) that they are not being spied on.
The Internet of Things is bringing amazing new capabilities and possibilities, but it can only be safely employed if it is reliable and trustworthy. Now is the time for IoT product and system designers to address these issues.