Securing the Internet of Things

July 1, 2014
Cybersecurity Predictions and Trends: Post by Brian McKenney

This post is part of a continuing series on predictions and trends in cybersecurity. In my previous post, I identified the Internet of Things (IoT) as a common theme among the predictions for 2014. In this post, I discuss its challenges and security concerns.

The IoT Buzz

Most aspects of the IoT are not new; what is new is the buzz surrounding the growing pervasiveness of Internet-accessible devices for consumers, homes, businesses, and critical infrastructure. The IoT is now a hot topic at security conferences and forums. For example, it was identified as one of the Five Most Disruptive Innovations at the 2014 International Consumer Electronics Show.

The vision is that many of the devices ("things") we depend on will soon be accessible via the Internet. Gartner, Inc. estimates that 26 billion devices will be connected to the Internet by 2020, while International Data Corporation expects the installed base to reach 212 billion that same year. This broad range of estimates is due to the wide variety of definitions for the IoT and for the classes of things that it comprises. For example, things may be (a) objects with tags or identifiers (e.g., radio frequency identification), (b) objects with one or more sensors that use one or more types of network connections (e.g., wireless, wired), or (c) sensors and other technologies embedded in physical objects, such as refrigerators and medical devices. Our understanding of the IoT will improve over time as definitions gain acceptance and taxonomies are developed.

Current View of IoT Security

I recently searched the Web for news about IoT and found a number of articles highlighting growing concerns about security. These stories referred to securing the IoT as a "losing battle," "the new security worry," and a "top concern." One described the hacking of an Internet-connected baby monitor. Among the security challenges identified were the scale, pervasiveness, and persistence of attacks—along with the much larger attack surface for hackers to exploit. The lack of built-in security for things of all types, from home and medical devices to industrial control systems, was also raised as an issue. Consequences of these security gaps include:

  • Unauthorized access to services and data
  • Exposure of privacy data
  • Modification or deletion of data
  • Denial or disruption of access to services
  • Installation of backdoors or malware
  • Use of a compromised thing as a launching point for further attacks

As people start using more devices—from thermostats and security cameras, to heart monitors and refrigerators—to perform more of their daily activities, they may be exposed to dozens of distinct vulnerabilities. These vulnerabilities could be in the form of notifications (e.g., updates, patches), loss of data privacy, or degradation of service.

Consumers need to register their products for updates and seek out additional protections, such as home firewalls. Providers should also be asked to improve "thing" security, deploy needed fixes for vulnerabilities, and resolve security and privacy concerns.

Security Considerations for Things

Security considerations for things vary according to the capabilities and constraints of each device, including how it communicates with other types of devices. Tags, sensors, and devices can interact with each other and with applications via device-to-device or machine-to-machine communications. An additional security consideration is whether a device, such as an Internet-accessible heating and cooling system, can be used to exploit an established internal defense measure, such as a firewall.

Consider the security issues in this scenario: Kate manages many aspects of her household and personal life from her smartphone. Every day when she returns home, she exits and locks her car, and unlocks the front door, which is tied to her home security system, all from this one device. In the wrong hands, Kate's phone could be used to steal property or modify data. She needs security controls, such as authentication and access control lists, to ensure that her devices only communicate with other authorized devices. Each transaction must be authenticated to her device and possibly other identity data. If updates are made to her thermostat, for instance, the thermostat must authenticate the source of the updates via device-to-device authentication. The event should be logged and reported, especially by date and time. Encryption may also be employed to ensure that traffic between devices is not exposed to unauthorized observation and modification.
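
The controls named in this scenario (device-to-device authentication, an access control list, and a date-and-time audit record) can be sketched as follows; this is an added example, not code from the original post. The device names, pre-shared keys, message format, and the choice of HMAC-SHA256 are all assumptions made for illustration, and encryption of the traffic is left out.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample data: per-device pre-shared keys and an access control list.
DEVICE_KEYS = {"kate-phone": b"constructed-demo-key-1", "guest-tablet": b"constructed-demo-key-2"}
ACL = {"kate-phone": {"set_temperature", "apply_update"}, "guest-tablet": {"set_temperature"}}
MAX_SKEW_SECONDS = 60   # assumed freshness window
audit_log = []          # timestamped record of every accepted and rejected request
seen_nonces = set()     # nonces already accepted, to refuse replays

def sign(sender, action, payload, nonce, sent_at, key):
    """Sender side: serialize the request canonically and attach an HMAC-SHA256 tag."""
    body = json.dumps({"sender": sender, "action": action, "payload": payload,
                       "nonce": nonce, "sent_at": sent_at}, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}

def handle(message, now):
    """Thermostat side: authenticate the source, check freshness and ACL, log the decision."""
    fields = json.loads(message["body"])
    sender, action = fields.get("sender"), fields.get("action")
    key = DEVICE_KEYS.get(sender)
    expected = hmac.new(key or b"", message["body"].encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison of the received tag against the recomputed one.
    if key is None or not hmac.compare_digest(expected.encode(), str(message["tag"]).encode()):
        decision = "reject:unauthenticated"
    elif abs(now - fields["sent_at"]) > MAX_SKEW_SECONDS or fields["nonce"] in seen_nonces:
        decision = "reject:stale-or-replayed"
    elif action not in ACL.get(sender, set()):
        decision = "reject:not-authorized"
    else:
        seen_nonces.add(fields["nonce"])
        decision = "accept"
    when = datetime.fromtimestamp(now, tz=timezone.utc).isoformat()
    audit_log.append({"time": when, "sender": sender, "action": action, "decision": decision})
    return decision

if __name__ == "__main__":
    t = 1_700_000_000  # constructed timestamp
    msg = sign("kate-phone", "apply_update", {"version": "constructed-1.1"},
               "n-001", t, DEVICE_KEYS["kate-phone"])
    print(handle(msg, t), handle(msg, t + 5))  # second call is a replay of the same message
    print(audit_log)
```

Rejections are logged as well as acceptances, so the audit trail shows failed attempts against the thermostat, not only the updates that went through.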

Kate also owns several types of wearable devices for exercising and health monitoring. These devices can record and forward data to other devices; data may also be stored on the device or in the cloud. Key security considerations are privacy and integrity controls for the data entered, transmitted, and stored. This is especially important for health-monitoring devices, such as wrist bands that monitor blood pressure.

This scenario reinforces the need for "thing" security, especially in the areas of user/consumer registration and notifications, authentication, confidentiality, integrity, privacy controls, audit/monitoring, and trusted updates.

Summary and Conclusion

IoT advances will provide convenience and efficiencies for consumers and businesses. But these benefits must be balanced with appropriate security and privacy protection. Security experts have concerns about device management, authentication, access management, audit-and-logging approaches, scanning techniques, and more. All the traditional security challenges apply to the IoT—and are exacerbated for handheld devices that are easily dropped, lost, or stolen!

In future posts, I'll address some of these challenges and highlight advances in cybersecurity standards and guidance for IoT, especially recommendations for classes of devices, from limited to more intelligent devices for identified risks and threats.