INFAMOUS IOT SECURITY BREACHES
I’m not talking hypotheticals here. There have already been several high-profile breeches of IoT security that have gotten a lot of media coverage.
- ILLINOIS: One was staged by a willing Wired reporter and two whitehat hackers, who tunneled into his Jeep’s entertainment system. (This underscores, by the way…that individual IoT devices become more valuable and versatile when they are linked. Hackers can reach the most critical system, in this case the car’s drivetrain, through another device.) They then proceeded to take over the controls, ultimately killing the engine while he was driving sixty miles per hour on an interstate.
- TEXAS: Or, frightening to any parent, several years ago a Houston couple heard a loud voice coming from their two-year-old’s bedroom. When the father entered the room, he heard a man with an Eastern European accent making lewd remarks over his daughter’s baby monitor. The father had taken precautions by putting a password on the monitor, but the manufacturer had taken shortcuts with the device’s security provisions, which ironically touted that it could be remotely monitored from anywhere in the world.
- NEW HAMPSHIRE: Most frightening of all, was an October 2016 distributed denial of service (DDoS) attack on a New Hampshire-based hosting firm. It temporarily made large portions of the internet unavailable in the U.S. and Europe. The hackers used the “Mirai” malware to infect a wide range of cheap IoT devices, including printers, IP cameras, and baby monitors that had few protections (i.e., passwords such as “admin”) or none at all. Can you imagine if a similar attack was launched again today, only this time taking over billions of IoT devices as the IoT multiplies?
These and other IoT privacy and security incidents illustrate that the very principle that makes the IoT so versatile and powerful, the fact that a variety of devices can be linked, means that an attack on one of the devices can potentially affect all of them. That’s an argument for not just making privacy and security the highest priority with your own devices, but also for joining in collaborative efforts to reduce risk, as will be detailed later in this chapter.
SHODAN (THE WORLD’S SCARIEST SEARCH ENGINE)
The extent of the IoT’s vulnerability is demonstrated by Shodan, which bills itself as “the search engine for the Internet of Things.” Some have called it “the scariest search engine on the Internet.”
Shodan utilizes a variety of filters to query IP addresses (remember that IP addresses for almost every “thing” is a key tool for the IoT) for a whole range of devices, from routers to webcams.
According to Dan Tentler, a security researcher who has spent several years investigating webcam security, Shodun’s feed includes images of everything from marijuana plantations, to back rooms of banks, to college campuses, to the insides of homes and retail stores.
Visitors to the site can query keywords to find the indexed devices and, sometimes, information such as default passwords.
CONSIDER THE CONSEQUENCES
It can’t be stressed enough: DDoS attacks based on infecting IoT devices such as these with malware have potential impacts far beyond the individual users.
If consumers were making an informed decision and that informed decision affected no one but themselves, perhaps we could let the matter rest. But neither of those conditions are true. Most consumers fail to appreciate the consequences of purchasing insecure IoT devices.
Worse, such a quantity of insecure devices makes the internet less secure for everyone. What botnet will use vulnerable webcams to launch DDoS attacks? What malware will use insecure webcams to infect smart homes?
SECURITY BY DESIGN
Another IoT Essential Truth to be discussed later in this chapter [The Future is Smart] is “close the loop,” instead of using traditional linear processes. The privacy and security issue forces us to deal with that concept here as well. No matter how elegant your privacy and security measures are today, you simply can’t rest: the process must be iterative and never-ending, because the threat from hackers is constantly changing. There’s a growing consensus in both IoT companies and government regulators that what’s needed is “security by design.”
Security needs to be an integral part of the device’s design from the beginning, followed by an iterative process to make sure it still works as challenges evolve.
PRIVACY AND DATA PROTECTION BY DESIGN
The EU recognizes privacy as a fundamental human right, so Europe is much further along on this concept than the U.S. is.
The EU has created an excellent overview, Privacy and Data Protection by Design—from Policy to Engineering, which is perhaps the best place to begin to develop security by design strategies. In it, the authors first give a stark assessment of current privacy and security protections (or lack thereof) in IoT products and services:
“We observed that privacy and data protection features are, on the whole, ignored by traditional engineering approaches when implementing the desired functionality. This ignorance is caused and supported by limitations of awareness and understanding of developers and data controllers as well as lacking tools to realize privacy by design.”
The report goes on to:
- Argue for integrating technical solutions.
- Address organizational procedures and business models so that privacy and security and technology will reinforce each other rather than be at loggerheads.
- Tell legislators and regulators that they must play an active role, so that any regulations or standards don’t limit future innovation.
- Give an overview of what are lumped under the term “Privacy-Enhancing Technologies” (PETs), such as encryption, protocols for anonymous communications, attribute-based credentials, and private search of databases.
- Link these tools and overall design strategies to a company’s legal obligations to protect privacy to design strategies so developers can easily choose technologies that will meet the requirements.
- Caution developers about the approach’s current limits—both inherent limits and those due to the current early stages of strategies and technologies.
- Offer recommendations on how to overcome and mitigate those limits…
Ensuring IoT privacy and security will only become more important—and risky—as IoT devices and services become more ubiquitous in the next few years. You will need to make it a central consideration in everything you do on the IoT. In addition, you will need to go beyond your own policies to also become active in collaborative IoT industry privacy and security initiatives, such as the IoT Security Foundation and BuildItSecure.ly.
The collaborative nature of the IoT requires equally collaborative privacy and security approaches and because a scandal involving any company in the field threatens public confidence in the concept in general. It will also be necessary for companies to work with government agencies to craft regulations that will, on one hand, root out the bad actors who jeopardize everyone’s credibility and, on the other, avoid the kind of prescriptive government regulations that would inhibit IoT innovation.
It remains to be seen what the Trump administration may do in this area, but the FTC during the Obama administration launched an admirable collaborative regulatory development process with the industry.
Adapted with permission from The Future is Smart: How Your Company Can Capitalize on the Internet of Things--and Win in a Connected Economy by W. David Stephenson, copyright W. David Stephenson.
TO READ NEXT:
IoT Essential Truth #2: Share Data, Don’t Hoard It