Homing in on the Challenge of Securing the Internet of Things
June 2017
Topics: Cybersecurity, Education and Training (General), Information Security, Homeland Security
Many of the new devices in our homes make life easier. For example, that nearly invisible motherboard in a smart lightbulb now lets you turn on your porch light from across the country with the flick of an app. But what if those same motherboards led a hacker to your bank account?
It's an ongoing challenge: How do you improve security with minimal loss of features?
That's the kind of conundrum that researchers of MITRE's Consumer Internet of Things Initiative (CITI) lab investigate. Opened in 2016, the CITI lab simulates a smart home environment with multiple devices connected via the internet. This setup allows MITRE researchers to find and plug Internet of Things (IoT)-based security and privacy loopholes.
"More devices equal a broader attack surface," says MITRE's Marc Schneider. "If we can see and understand the potential entry points, we can help build better, more secure systems."
Schneider serves as CITI lab principal investigator and is a cybersecurity research principal in the National Cybersecurity Federally Funded Research and Development Center, sponsored by the National Institute of Standards and Technology (NIST). The lab has two physical locations, one on the MITRE campus in McLean, Virginia, and the other in Rockville, Maryland, at NIST's National Cybersecurity Center of Excellence.
Getting Physical with the Virtual World
Ironically, to get at the heart of how the IoT works, Schneider and his team sometimes have to get physical. They literally dig into hardware. They have taken apart everything from lightbulbs to smart home hubs to identify ways someone could get inside an individual's or organization's network and access and manipulate sensitive data.
The McLean lab has a fabrication room with giant spools of cable, soldering and de-soldering equipment, grinding wheels, a convection oven, and other tools and appliances to get an up-close look at a device's insides.
"We're looking at consumer devices, but that doesn't mean what we're doing isn't applicable to other, larger-scale challenges," Schneider adds. For example, wireless device communication in manufacturing is increasing, which introduces more cybersecurity risk. "Like it or not, consumer devices are infiltrating enterprise environments at an unprecedented rate."
Schneider and his colleagues analyze requirements that lead to less secure architectures, such as flat networks, which connect devices to a single switch, and devices that have public access.
MITRE is well positioned for this work. Besides having expertise in systems of systems and cybersecurity, including embedded systems, we don't make, sell, or market any products. That makes the CITI lab an objective testbed both for improving consumers' security and privacy and for developing countermeasures to an internet-wide attack. Schneider points out that researchers can also investigate industry-specific challenges—like building and testing a control-system firewall. The CITI lab welcomes research topics from industry, academia, NIST, and other government sponsors.
The labs are a natural outgrowth of MITRE's research into the IoT, which extends back to IoT's beginnings. Most recently, a MITRE Challenge about this growing concern recognized three teams for solving intricate IoT puzzles.
Defining the Line
Schneider explains there's a pivot point for assessing what impact a vulnerability might have on a consumer, a company, or even an entire sector.
"If someone hacks a refrigerator in a home, it's usually a minor inconvenience—maybe some food spoils," he says. "But what if someone changes the setting on a refrigerator in a hospital, where caregivers store medications at a set temperature? The impact is greater because vital medication gets ruined."
The same calculus applies to banks, utilities, the automotive industry, and other sectors.
"Ransomware could take an assembly line offline for several hours," Schneider says. "A manufacturer could lose hundreds of thousands of dollars. To avoid that, the company might be willing to pay $10,000 or even $100,000 to continue business as usual."
To help secure systems across sectors and lessen the chances of such scenarios, the CITI lab promotes external and virtual collaboration with government and industry. The two labs use MITRE's Networked Experimentation, Research, & Virtualization Environment, or NERVE, a virtual, secure space that enables integration and innovation.
Schneider often speaks to the larger IoT community to share best practices. He recently spoke about IoT security as both an enterprise and product issue at the 2017 Industry of Things World USA Conference in San Diego.
Finding Solutions to the Cyber-Challenges of New Devices
Samantha Palazzolo, a MITRE senior wireless networking engineer and CITI lab researcher, says, "One of our goals is to make security as simple as possible for consumers."
Down the road, she explains, devices might carry a "nutrition label" of sorts so that consumers will know the potential risks to using a device.
As a 2016 MITRE cybersecurity intern, Emily Fernald can attest to the conveniences and risks of using internet-connected devices. "I'm definitely more careful when it comes to uploading personal information," she says. "I tend to wait until devices have been on the market for a while so that issues have been detected."
The Norwich University senior, who's majoring in cybersecurity assurance, spent many hours in the Rockville CITI lab digging into hardware and analyzing network traffic among multiple connected devices. That hands-on experience gave her a greater understanding of the pros and cons of hyperconnectivity.
"You can run for the woods and not use technology, or you can choose to be on the side that’s trying to find solutions to the ‘insecurities’ that come with new, shiny devices," she says.
By Karina Wright
If you're interested in finding out how to connect your IoT-related business concern or research project with the CITI lab, email firstname.lastname@example.org.