IoT Security is a huge topic these days, and one that's becoming increasingly important as we become more and more connected to our devices. But how do you make sure all those connections are secure? I recently sat down with Aaron Bryson, Kony's Chief Security Architect and Product Security Manager, and asked him a few questions about IoT Security.
Q: How big of a problem will a lack of security with IoT devices be?
A: It will be far-reaching and continue to be a problem for a long time to come. The barrier for entry into the IoT space is low. Anyone--hobbyist, student, or entrepreneur--can go online and order all the parts necessary to create their own IoT device. You can buy logic controllers, sensors, and many other things for a few bucks online or at your local electronics store. Now imagine that you have created something cool or useful and think that other people will like it, so you want to sell it as a product. Maybe you crowdfund it and sell it to the public at large through Kickstarter, or your company sells it as one of its product offerings. Very few of these people and even organizations have the security expertise to recognize the security flaws in their designs and implementations because that is not the focus--making a selling product is.
I like to compare this to how easy it is to build a website today; millions can do it but most of them can’t build a secure one. IoT devices are being produced at rates that far exceed the security scrutiny that is being performed on them (if at all). The creation of IoT devices is not regulated and there is no governing body that makes sure that only secure IoT devices are sold to the public.
It is difficult to know what you don’t know. As an example, imagine an IoT product that controls the temperature of a thermostat. It even has the ability to control it from a mobile app. A hacker comes along and figures out how to impersonate the mobile app and send commands to the thermostat from a laptop over Wi-Fi from outside the building, and then turns up the heat to maximum. The thermostat receives the command and does not know that the real user of the mobile app did not really intend to perform that action, so it does what it is told to do and turns up the heat.
So what? You might think, okay, so my house or office got uncomfortably hot, so we manually turned the temperature back down. But imagine if this thermostat was in a datacenter. All the servers in that room combined with the heater would heat that room very quickly, possibly causing over-heating of the servers, which causes them to ultimately fail--or worse, a physical fire that burns the building down. What if those servers that fail were running a website for a major online retail store that makes millions of dollars per hour? That company is now losing that much money per hour. A simple mobile command to an IoT device to turn up the heat has now caused millions of dollars in damage to a business. And therein lies the problem. It is the abuse, misuse, and overuse of IoT capabilities that is often not considered. Controlling a thermostat from a phone sounds harmless at first.
However, it is not purely the fault of the creators. This problem is largely due to the nature of IoT devices themselves. IoT devices are very simplistic pieces of hardware and software, often very cheap too. This often means they have very little memory, low bandwidth, and can only perform a handful of tasks. The protocols they use for communication are also very simple and do not possess security features to prevent abuse or misuse.
Operating systems like Windows, Mac OS X, or Linux have security capabilities like Address Space Layout Randomization (ASLR), memory protection, firewalls, sandboxing, encryption of data in transit and at rest, and so much more. Virtually none of this exists on a typical IoT device because it simply is not capable.
Imagine the everyday kitchen toaster. It does not require a full-blown operating system in order to function. It only needs a very dumbed-down system that knows when to turn on, how long to heat, the temperature, and when to turn off. It can’t encrypt anything even if it had a reason to.
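The thermostat scenario above turns on one missing property: the device cannot tell a command from the real mobile app apart from one sent by a laptop on the same Wi-Fi. The following is an added example written for this page (not code from Kony or from the interviewee) showing the minimal checks a device-side command handler can apply even on constrained hardware. It assumes a per-device secret key shared with the paired app (constructed here, hard-coded only for the demo), a monotonic counter in every command so replays are rejected, and a safety envelope on the setpoint so that "overuse" of a legitimate capability is bounded by the device itself. An HMAC over a symmetric key needs no public-key cryptography and far less than a full operating system.

```python
import hmac
import hashlib
from typing import Dict, Tuple

# Constructed demo key. A real product would provision a distinct key per
# device at pairing time and never ship it in firmware or source.
DEVICE_KEY = b"example-per-device-key-not-for-production"

# Assumed safety envelope enforced on the device itself (degrees Celsius).
MIN_SETPOINT_C = 10
MAX_SETPOINT_C = 27


def _tag(key: bytes, counter: int, setpoint_c: int) -> str:
    """HMAC-SHA256 over the fields that must not be forged or altered."""
    msg = f"{counter}:{setpoint_c}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Thermostat:
    """Device-side handler: authenticate, reject replays, bound the setpoint."""

    def __init__(self, key: bytes, initial_setpoint_c: int = 20):
        self._key = key
        self._last_counter = 0          # highest counter accepted so far
        self.setpoint_c = initial_setpoint_c

    def handle(self, command: Dict) -> Tuple[bool, str]:
        # 1. Parse strictly; anything malformed is dropped, not guessed at.
        try:
            counter = int(command["counter"])
            setpoint = int(command["setpoint_c"])
            tag = str(command["tag"])
        except (KeyError, ValueError, TypeError):
            return False, "malformed command"

        # 2. Authenticate before acting: a laptop impersonating the app
        #    cannot produce a valid tag without the device key.
        expected = _tag(self._key, counter, setpoint)
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return False, "bad authentication tag"

        # 3. Reject replays of a previously captured, genuine command.
        if counter <= self._last_counter:
            return False, "replayed or stale counter"

        # 4. Even an authentic command may not push the device past its
        #    physical safety limits (the "overuse" case).
        if not MIN_SETPOINT_C <= setpoint <= MAX_SETPOINT_C:
            return False, "setpoint outside safety envelope"

        self._last_counter = counter
        self.setpoint_c = setpoint
        return True, "applied"


def build_command(key: bytes, counter: int, setpoint_c: int) -> Dict:
    """What the legitimate, paired mobile app would send."""
    return {"counter": counter, "setpoint_c": setpoint_c,
            "tag": _tag(key, counter, setpoint_c)}


if __name__ == "__main__":
    t = Thermostat(DEVICE_KEY)
    print(t.handle(build_command(DEVICE_KEY, 1, 22)))                     # genuine
    print(t.handle({"counter": 2, "setpoint_c": 35, "tag": "0" * 64}))    # unauthenticated
    print(t.handle(build_command(DEVICE_KEY, 1, 22)))                     # replayed
    print(t.handle(build_command(DEVICE_KEY, 3, 40)))                     # over the limit
    print("setpoint now", t.setpoint_c)
```

The order of the checks matters: the tag is verified before the counter or the bounds, so an attacker without the key learns nothing about the device's state from the rejection reason, and the counter only advances once a command has been fully accepted.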
Q: What do big businesses fail to grasp about this?
A: Whether or not they think there is security risk in their IoT systems and environment is not going to stop someone else from actually discovering it for them. If a vulnerability is found in an IoT product that is sold by a big business or found in an IoT device that runs their office, the effects of an IoT security incident can be similar to those of one in their network or software. It can mire brand reputation, reduce share prices and sales, result in expensive product recalls or replacement, and have further-reaching impacts than you might realize.
Q: What can be done to rectify the problem?
A: With the continuing growth of IoT, we must afford it the same level of security scrutiny and risk management that we do the rest of our information security programs. IoT security is often overlooked for a variety of reasons. For businesses, this means making sure you perform your due diligence and security best practices, such as threat modeling, vulnerability scanning, penetration testing, design and code reviews, configuration and deployment implementations, etc. If you are a consumer, then you have to be careful about the way you purchase: look up reviews, read about the product, etc. I would make sure to keep up with security bulletins regarding products that you use. For example, many home routers have had vulnerabilities discovered and published, but not many users ever see those security bulletins, so they don't go out and replace the product or fix the problem. Don’t be complacent!
Q: What change would you like to see?
A: In my personal experience, there are some businesses that do give IoT the security diligence it deserves and possess the technical and security expertise to do so. Behind the scenes, they work hard to make sure that they release secure products. I have a lot of respect for those businesses.
Unfortunately, these kinds of things aren’t talked about in the media and businesses aren’t transparent about the awesome things they are doing in the security space. A paradigm shift is welcome, where businesses openly talk about how they are securing their IoT and changing the status quo. It sets an example for others to learn from and to aspire to.