If there was one topic that got people talking at CES in January, it was the Internet of Things (IoT). Once the stuff of science fiction, networked devices that connect to the Internet are now arriving in every category, from tennis rackets to refrigerators to printers.
No doubt some of these advancements are both fascinating and convenient. The problem: many of these new capabilities aren’t governed by a security standard, which opens the door to new risks around privacy, data theft, DDoS attacks and other cybercrime. Controlling your thermostat via your mobile device can help you lower your utility bill, but aggregated data could also help a savvy criminal determine when you’re out of the house.
The IoT includes everything from computer games and TVs to fax machines, GPS devices, refrigerators, home thermostats, coffee makers, lighting, security alarms and more. Basically, any device that can be connected to the Internet, directly or indirectly, should be considered exposed to security threats. That’s a lot of attack surface. Unfortunately, it’s a risk many homeowners and business owners simply aren’t educated about yet.
Is Your Refrigerator Spying on You?
While the benefits of IoT are myriad, the reality is that it offers hackers millions of new access points to a variety of networks. Currently, the value of most personal data stored by such devices tends to be of little interest to hackers. Yet as the devices become more sophisticated, the potential for skilled cybercriminals to steal valuable information increases.
Consider the difference between two smart refrigerators. This year’s model scans food labels, notes expiration dates and adds low-fat milk to your weekly shopping list. Next year’s model goes further, buying milk online with your stored debit card and providing banking or other authentication details to complete the order. That’s exactly the kind of data that appeals to hackers, and it can easily be accessed via an insecure home network.
Or, to return to our earlier example, consider a smart home thermostat. You control it remotely with a mobile device, adjusting the temperature as you leave or prepare to return home. While the system is cost-effective and environmentally sound, your habits are being stored somewhere. Depending on your system, you may also be providing data about outdoor security lighting or opening and closing your garage doors; you could even program all of them in advance while you go on vacation. Any hacker invading your home system will understand exactly when he can break in – and of course, the data from your system will help him deactivate your alarm system as well.
Scared yet? You might not want to read this, then: skilled criminals can go a step further by using basic devices to launch spam campaigns or DDoS attacks. Worse yet, attackers could potentially use your devices to infiltrate your network and gain access to data on other connected devices or computers. On their own, the devices can’t do anything sophisticated. But by enlisting them in a botnet, or using them as a point of entry into your network, hackers can put them to a variety of nefarious uses.
The Call for a New Framework of Protection
The underlying problem here is that the devices we’re talking about – simple household appliances, or relatively ‘dumb’ devices – just aren’t built or programmed with security in mind. Even worse, most of these devices are figurative black boxes: there’s no way to audit the device at the OS or firmware level, configure security settings, or modify the underlying OS or software if vulnerabilities are identified. To offer the necessary protection, manufacturers would need to implement security measures that limit the attack surface and regularly audit the security of the devices. Unfortunately, that kind of security expertise doesn’t fit the current business model of most traditional device manufacturers.
Obviously, manufacturers have a responsibility to ensure that any data transmitted by their devices can be managed and stored securely. But for global appliance companies like GE, Whirlpool or Panasonic, customer support usually comes in the form of user guides and help lines. Adding a technical level of support such as internal security audits and consumer security patches could increase the cost of goods substantially. Another option is asking consumers to buy durable goods and security updates on a subscription basis. Yet many consumers might balk at paying an ongoing monthly fee for patch updates for a smoke alarm.
Playing it Safe in the IoT Age
Clearly, some kind of established security framework or set of guidelines is called for when it comes to IoT. Just as with every other emerging technology, we need to develop best practices across the IT spectrum, from individuals to manufacturers.
Whether you’re buying a smart refrigerator for your home or a printer for your company, your first step is assessing the risk involved and deciding how to deploy the device securely while preserving the functionality you require. If you do acquire it, you should understand what each device is doing and who it can “talk” to, and firewall off all unnecessary connections. To keep rogue actors out of the network, either configure the perimeter to disallow incoming requests or don’t connect the devices to the Internet at all. Another option is configuring each device so it can only communicate with certain IP addresses, or so it can communicate with the Internet only and with no other device on your network – an isolated VLAN.
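The isolation policy described above, as an added example that is not part of the original column: a small shell function that emits an nftables forward-chain ruleset in which the IoT VLAN may reach the Internet (optionally only an allowlist of vendor addresses), can never initiate connections to the trusted LAN, and accepts no new inbound connections from the Internet. The interface names (vlan20, br0, wan0) and the TEST-NET addresses are assumptions chosen for the example.

```shell
#!/bin/sh
# Generate an nftables ruleset that isolates an IoT VLAN from the rest of the
# network. Prints the ruleset; review it, then `nft -c -f iot.nft` to syntax
# check and `nft -f iot.nft` to apply. Interface names here are assumptions.
# Usage: iot_ruleset IOT_IF LAN_IF WAN_IF [allowlisted_ip ...]

iot_ruleset() {
    iot="$1"; lan="$2"; wan="$3"; shift 3
    printf 'table inet iot_filter {\n'
    printf '  chain forward {\n'
    printf '    type filter hook forward priority 0; policy drop;\n\n'
    printf '    # replies for connections that were already permitted\n'
    printf '    ct state established,related accept\n'
    printf '    ct state invalid drop\n\n'
    printf '    # the IoT VLAN must never initiate traffic to the trusted LAN\n'
    printf '    iifname "%s" oifname "%s" drop\n\n' "$iot" "$lan"
    if [ "$#" -gt 0 ]; then
        # Allowlist mode: devices may only reach the vendor addresses given.
        list=$(printf '%s, ' "$@"); list="${list%, }"
        printf '    # the IoT VLAN may only talk to the listed vendor addresses\n'
        printf '    iifname "%s" oifname "%s" ip daddr { %s } accept\n\n' \
            "$iot" "$wan" "$list"
    else
        # Internet-only mode: any outbound destination, but still no LAN access.
        printf '    # the IoT VLAN may reach any Internet address\n'
        printf '    iifname "%s" oifname "%s" accept\n\n' "$iot" "$wan"
    fi
    printf '    # administrators on the trusted LAN may still reach the devices\n'
    printf '    iifname "%s" oifname "%s" accept\n\n' "$lan" "$iot"
    printf '    # nothing from the Internet may open a connection to the IoT VLAN\n'
    printf '    iifname "%s" oifname "%s" drop\n' "$wan" "$iot"
    printf '  }\n}\n'
}

# Demo (constructed values): IoT VLAN vlan20, trusted LAN br0, uplink wan0,
# and two vendor endpoints on RFC 5737 TEST-NET ranges.
iot_ruleset vlan20 br0 wan0 203.0.113.10 198.51.100.20
```

Anything not explicitly accepted falls through to `policy drop`, so an appliance that suddenly tries to reach a neighbour on the LAN, or a new address outside the allowlist, is blocked and shows up in your logs rather than succeeding.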
While some new capabilities of the IoT may sound far-fetched, it’s obvious that this is only the beginning. As long as we understand how to minimize security risks while enjoying the benefits, we’re headed into a future of amazing technical possibilities. We’re lucky enough to live in a time when our environments at home and at work are getting smarter. We just need to be smarter about how we set them up to ensure our own privacy and security.
Chris Hinkley is a Senior Security Engineer at FireHost where he maintains and configures network security devices, and develops policies and procedures to secure customer servers and websites. Hinkley has been with FireHost since the company’s inception. In his various roles within the organization, he’s serviced hundreds of customer servers, including Windows and Linux, and overseen the security of hosting environments to meet PCI, HIPAA and other compliance guidelines.