The tsunami-sized trend to add intelligence with sensors and actuators and to connect devices, equipment and appliances to the internet poses safety, security and privacy risks.
Proof comes from a recent meta-study titled The Internet of Hackable Things (pdf) from researchers at the Technical University of Denmark, Denmark; Orebro University, Sweden; and Innopolis University, Russian Federation—compiled from industry and academic research reports—that finds smart devices used in healthcare and smart homes and buildings pose daunting risks.
The authors quantify the risks of Internet of Things (IoT) devices:
- 90% of devices collected at least some information via the device
- 80% of devices, along with their cloud and mobile components, did not require a password complex enough
- 70% of devices, along with their cloud and mobile components, enabled an attacker to identify valid user accounts through enumeration
- 70% of devices used unencrypted network services
- 6 out of 10 devices that provided user interfaces were vulnerable to a range of weaknesses, such as persistent XSS1 and weak credentials
Some of the data and examples used by the authors were somewhat dated. Nevertheless, they are still a concern because most of these devices are still in use, especially medical devices.
In particular, smart equipment such as CT scanners proved to be at risk of an attack capable of increasing the radiation exposure limits to harmful or fatal levels. Another potentially deadly weakness cited was Implantable Cardioverter Defibrillators (ICDs), which automatically shock patients going into cardiac arrest. They use a Bluetooth stack with weak, easily compromised passwords to test their devices after the implantation.
Why we have IoT security problems
IoT architectural reasons contribute to these flaws and exposed weaknesses:
- It implies complex and distributed systems, with a huge variety of different (sometimes obsolete) operating systems, programming languages, and hardware.
- Even developing a simple application for an IoT device can be non-trivial.
- Securing the applications is even less easy because the attack surface is enormous (any device could be a possible entry point), and defining all the potential threats beforehand all the potential threats is extremely challenging.
- The contained data are sensitive and highly valuable for the market nowadays, which entails huge potential gains for any successful attacker and high attractiveness.
Most risks are perceived to be financial. However, the authors include examples disproving this. Health records can actually be more valuable than banking and credit card information. For example, a health record that includes identity information such as Social Security numbers, addresses, children and jobs can be priced as high as $500 each.
That is not a theoretical estimate. The identity data of 78.8 million Anthem customers and 113 million Office of Civil Rights users were breached. This information is sold to the highest bidder on the dark web.
Who is responsible for IoT security?
Some of the responsibility for the risks was attributed to device makers:
- Only 48% of organizations focus on security of their devices from the beginning of the development phase.
- Only 49% of organizations provide remote updates for their devices.
- Only 20% hire IoT security experts.
- Only 35% invite security researchers to identify vulnerabilities in their devices.
It should be noted that the source of this data is from a 2015 study from Capgemini.
The race for IoT is similar to the early history of Windows and Android products, as security was often overlooked when companies rushed to design and deliver products to a fast-growing market.
The authors of the report represented this issue mathematically:
N. Dragon, A. Giaretta and M.Mazzara
Compounding the problem, when you have a diverse ecosystem of device makers and manufacturers adding sensors, cameras, and connectivity to everything from medical equipment to smart TVs, you get an ecosystem of disparate and diversely architected platforms. There isn’t one platform company, such as Microsoft and Google, that has the financial resources and the technical talent to backfill good security into platforms such as Windows and Android.
According to a Capgemini survey, IoT executives—when asked to rank the resiliency to a cyber attack against products in their industry—said the security of these IoT platforms have not matured. Though they may have a different opinion about their products, they do not have high confidence in the cyber defenses designed into their industry’s products.
N. Dragon, A. Giaretta and M.Mazzara
Percentage of executives who rate the IoT products in their own industry highly resilient to cyber attacks
There are more than enough examples of breaches, attacks and vulnerabilities compiled in this meta-study to make the case that indiscriminate connectivity embedded into the devices, equipment and appliances improves customer experiences and provides manufacturers with analytics, but it could lead to uncontainable vulnerabilities.
Windows and Android during the early development also faced this problem, but with one difference. With all these heterogeneous interconnected IoT devices built by a large ecosystem of manufacturers, cyber criminals need to find only one weak node.
How to solve the IoT security problem
Controversially, the authors say the IoT security problem is not a technological one; it’s cultural.
“In the end, what we have learned by this excursus is that the main problem and concern with IoT security is that a security culture is nearly non-existent in our society,” the authors write
The solution, they say, is to integrate human understanding and algorithms. They recommend creating and strengthening a security culture in which security is considered throughout the entire development lifecycle of an IoT product, not treat security as a single instance.
“This is surely a long-term goal that has several dimensions: developers must be educated to adopt the best practices for securing their IoT devices within the particular application domain; the general public must be educated to take security seriously, too, which among other things will fix the problem of not changing default password,” the authors write.
Doing those things will prevent another IoT botnet attack like the Mirai malware that produced a record-setting Distributed Denial of Service (DDoS) attack reaching targets with 1.2 Tbps of requests. More than the record-setting request rate, the Mirai malware is more notable for its simplicity. As it traversed the internet and cooped nodes, it used a dictionary of only 50 combinations of user names and passwords—gaining access to thousands of devices and enslaving them to create an IoT botnet.