The Internet of Things: Securing an Interconnected World
For those of you who haven’t heard yet, the Internet of Things (IoT) is the enablement of any-to-any connectivity between a wide variety of sensors and devices. The first surge of connectivity was on the user end (homes and offices), allowing them to connect to their corporate HQ through a wired Internet connection. Then the mobile revolution came. Bring Your Own Device (BYOD) became an expected option for most employees, providing users a connection to businesses and each other over wireless Internet connectivity. The latest surge involves “things” connecting to users, businesses and other “things” via wired and wireless connections. An increasingly common example of this trend is your car’s ability to park itself or send you a report card of its mechanical condition, driving trends, fuel consumption, etc.
The application of this concept seems endless at this early stage of its development. One day your refrigerator and pantry might do your grocery shopping for you, comparing their contents to a set of recipes you’d like to make this week and informing your grocery store app that you need more butter or eggs. The IoT concept is already being used in a much broader environment than your kitchen though. Wireless capable sensors are being used by power companies to identify and measure power loss, find installation problems and verify meter tampering flags and alerts. All of these discoveries in the overall health of their power grid infrastructure allows them to act on a much more proactive basis. But it also makes them, and anyone else integrating IoT solutions in their critical infrastructures, vulnerable to a variety of cyber-attacks.
Potential IoT Security Risks
Here are some of the more significant potential security risks that IoT devices present at the personal, corporate, and global connectivity level:
- Unauthorized access and misuse of Personal Information. The more we integrate these capabilities into our daily lives, the more opportunities for data mining and social engineering.
- Coordinating attacks on high value, attractive targets through less significant systems. By connecting “everything to everything” all systems become another option for would be attackers to exploit.
- Creating new safety risks. If my car can use sensor provided information to keep me from rear-ending someone (by applying the brakes before I do), what stops an attacker from exploiting security vulnerabilities and applying those brakes at will?
The question becomes, how do we protect ourselves and the systems we secure from these inherent vulnerabilities?
Unauthorized Access and Misuse of Personal Information
As individuals, we can protect ourselves from unauthorized access to our Personal Information by minimizing our exposure. We all know by now to use unique and complex passwords to protect our devices, but minimizing our time online can be a good habit to keep. Turn off your Wi-Fi, Bluetooth and Near Field Communication (NFC) when you’re not using it (no open connections means no access). Also, make sure you are aware of the permissions you are giving your apps, as many will collect a sufficient amount of data to socially engineer a more significant exploit than how well you’re doing on Candy Crush (lvl. 104 by the way). And don’t forget, this applies to wearable devices too. Your fitness bands only need a connection established to sync information. If you can turn it off, then turn that Bluetooth or wireless connection off when you’re not syncing with your phone.
Coordinating Attacks on High Value, Attractive Targets
The Department of Defense (DoD) treats classified networks like they are an infectious disease. Anything that touches a classified network instantly becomes classified to that same level, meaning they must be hardened to the same standards as a classified network and all data traversing those resources must be protected to classified standards. This same ideology must be applied to less significant systems. As they touch a valuable infrastructure, they become a part of it.
A great example of exploiting low priority systems to compromise high value targets occurred in November of 2013. Target provided a Heating, Ventilation and Air Conditioning (HVAC) company with network credentials to monitor HVAC performance and energy consumption. These credentials were exploited through a password -stealing bot program (Citadel) that was distributed through a phishing email, allowing the attacker’s malicious software to compromise point-of-sale systems nationwide. The attackers were able to make off with a staggering 110 million credit and debit card records total. The exploitation occurred because Target did not view this outside organization as part of their network. If they had worked to educate the contractor (through a mandatory Cyber Security Awareness training program), this risk could have been significantly reduced.
Creating New Safety Risks
The trick to avoiding the creation of risk is proper planning. Through analytical processes like Risk Assessments and the continued identification and resolution of system vulnerabilities (services that SealingTech just so happens to provide), risk can be identified and mitigated, or at the very least, steps can be taken to reduce the likelihood of occurrence. This concept is no different when considering the safety risks of IoT solutions (that is, risk of physical harm to the user). Consideration must be taken as to how a sensor or device will interact, physically and logically, with the user to provide its added value. Using the power grid example described earlier, while it’s great to have the ability to monitor power consumption and overall health of the infrastructure, an attacker could exploit the system and cause dangerous irregularities in power, causing failures, property damage and loss of life. These risks can be mitigated through proper analysis and resolution of potential threats to user safety. For example, remote access permissions could dictate that only a select number of features can be executed, such as system monitoring, with logical separation of physical control of the system.
Like any new technology, the Internet of Things provides new challenges in security on all scales. As the technology and correlating vulnerabilities evolve, the opportunity arises to secure this exciting, new environment. Even though the protection of this environment may seem out of reach, by utilizing a security-centric methodology and a holistic approach to risk mitigation, the possibility to secure becomes much more obtainable.