How to secure the Internet of Things and who should be liable for it?
How can we secure connected devices before it is too late?
Gartner researchers predict that by 2020 we will have 25 billion connected devices. Meanwhile, PricewaterhouseCoopers’ Global State of Information Security® Survey 2015 says that more than 70 percent of connected IoT devices, such as baby monitors, home thermostats, and televisions, are vulnerable because they lack fundamental security safeguards.
After California Gov. Jerry Brown authorized autonomous vehicles to drive on roads without any restrictions, driverless cars have become one of the most common examples of connected devices. Meanwhile, just after the Jeep Hack story, security researchers demonstrated how a $60 low-power laser could easily alter driverless car behavior by fooling its sensors.
Jan Schreuder, partner, cybersecurity leader from PwC Switzerland, shared his opinion: “The Internet of Things is about much more than just 'things' - it is about recording every piece of data about every element of our physical lives in addition to our digital lives. Just as product safety standards and regulations have evolved to protect consumers' physical safety, it will have to evolve quickly to protect our digital safety.”
According to Gartner analysts, machines will replace human decision-making in the near future. If vulnerable machines do indeed replace humans, then humanity will disappear pretty quickly. Not all connected devices are equally dangerous, though: I don’t think anybody will bother to purposefully hack your smart WC if he or she can just scratch your car. The biggest practical risks for non-critical connected devices are probably large-scale untargeted attacks launched “for fun”, like the Morris worm, causing great inconvenience to society. However, a large-scale attack on medical devices can kill thousands of people all over the world.
The simplest and most efficient solution that comes to my mind is to avoid connecting objects to the Internet when they do not really require an Internet connection. I grew up without a smart coffee machine and without a remotely manageable fridge; moreover, I feel just fine without them now. But a falling economy pushes enterprises to innovate by all possible means in order to remain competitive. Many companies, however, just follow a fashion or market trend, such as Internet connectivity, creating unnecessary and even dangerous new features in their products.
Nevertheless, nobody can overcome the basic law of economics: consumption creates demand. And while non-technical parents, guided by aggressive marketing campaigns, buy vulnerable smart Barbies for their kids, production of vulnerable IoT devices will continue growing, regardless of the consequences for consumers. Moreover, in some industries connected devices are really necessary to increase efficiency and quality of production.
For economic reasons we cannot stop the expansion of connected devices, so we need to find out how we can secure them. Practically speaking, nobody but the manufacturers (vendors) can make connected devices secure. Below are five basic security measures they should undertake.
First, manufacturers of connected devices should consider any LAN a hostile environment, just like the Internet. Many companies still think that if a device is not directly accessible from the Internet, nobody needs to be concerned about its security. Today, even the largest security companies tend to ignore risks in the LAN, developing their products as if hackers would never probe them. This concept is totally wrong. With the growing quantity and quality of malware for mobile devices, combined with highly sophisticated and almost undetectable backdoors for PCs, the LAN becomes an untrustworthy segment of a network, and should be subject to all the security best practices and holistic assessments applicable to externally exposed devices.
Secondly, we should always try to segregate the computer systems of smart devices into two separate parts: core and connectable. The first one is responsible for mission-critical functionality (such as brakes in a car or power management in a fridge), while the second one receives all necessary data from the first one, handles it and sends it [if necessary] to the Internet. Since 1988, when the Morris worm made the headlines, nothing has really changed in the basics of computer security: user-supplied input is the biggest evil.
It was initially represented by simple buffer overflows, then by heap, integer and format string flaws, in early 2000 by PHP includes, then by SQL injections and XSS. Today, we rather talk about chained web attacks and DOM-based XSS vulnerabilities, but all these flaws have one thing in common: they are all triggered by malicious user input. Therefore, the core system should ideally not accept any input that a remote user can provide or alter.
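A sketch of the core/connectable split described above, using the fridge example (added here as an illustration, not code from the article). The message format, function names and setpoint are assumptions, and on a real device the two parts would sit on separate processors or memory domains rather than in one source file.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Fixed-size record: the only data that crosses the boundary (core -> connectable). */
typedef struct {
    uint32_t seq;           /* incremented on every publish */
    int16_t  temp_x10;      /* sensor reading, tenths of a degree C */
    uint8_t  compressor_on; /* decision taken by the core */
} telemetry_t;

/* ---- Core part: mission-critical control, no remote input path ---- */
static telemetry_t core_mailbox;              /* written only by the core */
static const int16_t CORE_SETPOINT_X10 = 40;  /* 4.0 C, constructed factory value */

void core_step(int16_t sensor_x10) {
    /* The decision depends only on the local sensor and the fixed setpoint. */
    core_mailbox.temp_x10 = sensor_x10;
    core_mailbox.compressor_on = (uint8_t)(sensor_x10 > CORE_SETPOINT_X10);
    core_mailbox.seq++;
}

/* The single export to the connectable part: a copy, never a pointer. */
telemetry_t core_read_telemetry(void) { return core_mailbox; }

/* ---- Connectable part: talks to the network, holds only its own settings ---- */
static uint32_t gw_interval_s = 60;
uint32_t gateway_interval(void) { return gw_interval_s; }

/* Remote message (hypothetical format): 'I' + 32-bit big-endian interval in seconds. */
int gateway_handle_remote(const uint8_t *buf, size_t len) {
    if (buf == NULL || len != 5 || buf[0] != 'I') return -1; /* strict length and tag */
    uint32_t v = ((uint32_t)buf[1] << 24) | ((uint32_t)buf[2] << 16) |
                 ((uint32_t)buf[3] << 8)  |  (uint32_t)buf[4];
    if (v < 10 || v > 3600) return -1;                       /* range check */
    gw_interval_s = v;                                       /* gateway-local only */
    return 0;
}

/* Builds the outbound report from a telemetry copy; returns bytes written or -1. */
int gateway_build_report(char *dst, size_t cap) {
    telemetry_t t = core_read_telemetry();
    int n = snprintf(dst, cap, "seq=%u temp_x10=%d compressor=%u",
                     (unsigned)t.seq, (int)t.temp_x10, (unsigned)t.compressor_on);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}
```

Whatever bytes arrive from the network, the only state they can reach is the reporting interval held by the connectable part; the compressor decision is computed from the local sensor alone.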
Thirdly, connected devices should be easily resettable on a hardware level. It should be possible to reinstall the firmware from scratch, with default factory settings, by pressing a single button on the device. This will enable IoT device owners to quickly recover from various attacks and malware infections once they occur. Otherwise, we will spend billions on IoT antiviruses, throwing money down the drain.
Fourthly, connected device manufacturers need to be financially liable for negligence in their firmware code and architecture. Yes, we cannot sue software developers for every single bug in the code, but obliging them to respect secure coding standards and security best practices, and to implement an obligatory code review before deployment as a part of the SDLC, is a must-have. This is a relatively new trend, but it is starting to make more and more buzz, attracting new supporters from all over the world. This approach is quite reasonable: if a toy manufacturer uses toxic plastic, he will be fined and sanctioned very quickly, so why shouldn’t the same responsibility apply to negligence in software development?
Last, but not least, IoT device manufacturers should disclose to consumers which data from the device they handle or store, and explain how to deactivate any functions that receive data from or send data to the Internet. Some data that looks innocent at first glance, such as how many cups of coffee you consume per day, can be very valuable for health insurance companies and may be used against you. And even if the manufacturer just processes this data via its cloud, for example, the company should still alert customers about it, because if the manufacturer is compromised, hackers will easily intercept and steal the data.
I intentionally omitted an ‘automated updates’ section from my list, as a compromise of the vendor’s update server may kill all the devices at once. Therefore, although a firmware update mechanism should definitely exist, it should not be automated on every device.
As we can see from the above, just by respecting some common-sense rules and information security best practices, IoT vendors can ensure a secure future for the connected devices around us. Will they?