The Internet is evolving into what it once was: a special means of communication between things. The informatization of society is developing rapidly and IoT security should become the first priority for both individuals and companies.
What is the Internet of Things?
In 1990, John Romkey created the world's first Internet thing. He plugged in his toaster. Since then, nobody has come up with a universally accepted definition of the IoT. Broadly speaking, the Internet of Things refers to the ability of objects and people to remotely interact via the Internet anywhere and anytime, thanks to the convergence of various technologies. At the same time, the IoT as a marker in the evolution of humankind has technological and social implications. Things in the world of the IoT are now on par with people, numerically speaking. And every year the number of things keeps growing.
The IoT has made its biggest strides in finance, commerce, medicine, energy, natural resource management, and agriculture. Many different types of smart home automation solutions have been implemented, too.
In everyday life, the IoT is:
- A smart home that can recognize voice commands or identify people who are at the front door
- A car that you can start via an app and whose state you can check remotely
- A dog bowl with a Wi-Fi module, to reward dogs for solving puzzles
- A solar-powered trash can, which seals garbage by itself and signals when it is full
- Smart sensors and water meters in the infrastructure of São Paulo and Beijing, reducing costs by 50 percent
- Automatic systems for collecting fines and alerting about accidents and traffic jams
How are IoT devices managed?
An automatic irrigation system is an ideal example. It works according to a schedule, checks whether watering is actually performed (with the help of a water flow sensor), stores information about the system's operation in the cloud, and sends text messages to the customer. The schedule can be managed through a smartphone app.
It's hard to imagine what damage might result from "hacking" a lawn sprinkler—but what about a nuclear reactor? Your favorite smartphone-controlled coffee machine that you use along the way from the bathroom to the kitchen could be a target. That said, spoiling your breakfast is unlikely to motivate many arch-villains. (Neat idea for a retro techno-horror movie plot, eh?) On the other hand, attackers could do much greater damage by transforming everyday household appliances into a source of DDoS attacks with very real and devastating consequences, such as blocking websites and stealing information.
Attackers can take advantage of the least suspicious things—viruses only live on computers, right? IoT devices offer the prospect of legions of bots, ready at any time to take down, say, Amazon.
To pull off a successful DDoS attack, a hacker needs to quickly assemble a botnet.
The range of would-be bots is vast: they merely need to have software running on them, ideally with a zero-day vulnerability, and Internet access. This coincides neatly with the kitchen gizmos connected to the Internet of Things.
In addition, most IoT household appliances today can be controlled from smartphones or tablets. Any such device, when hacked, has the potential to become a mobile security threat.
Like other information systems, the Internet of Things requires security. Man-in-the-middle (MITM) attacks are just one of the types that can lead to catastrophic consequences.
What is IoT Security?
By providing modern capabilities for identification, collection, processing, and data transfer, the IoT enables efficiency in areas across the board. At the same time, IoT devices must comply with security requirements and privacy regulations.
At the device level, information security starts by ensuring the reliability of device identification, as well as authentication, authorization, and administration. Managing network connections requires access control and guaranteed message delivery. As for authentication issues, it is critical to protect server–device communication from MITM attacks. Signaling data as well as IoT system data must be protected during transmission in terms of confidentiality, availability, and integrity.
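The device identification, authentication, and integrity checks described above, sketched for the irrigation controller from earlier in the article (an added example, not code from the original article). The device ID `sprinkler-01`, the pre-shared key, the message fields, and the counter-based freshness check are constructed assumptions; an HMAC gives authenticity and integrity only, so confidentiality still needs an encrypted channel such as TLS.

```python
import hashlib
import hmac
import json

# Constructed per-device key; a real deployment provisions keys in secure storage.
DEVICE_KEYS = {"sprinkler-01": b"constructed-demo-key-not-for-production"}

def sign_report(device_id, key, counter, payload):
    """Device side: serialize the report and attach an HMAC-SHA256 tag."""
    record = {"device": device_id, "counter": counter, "payload": payload}
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return {"body": body.decode(), "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}

class Server:
    """Server side: checks identity, integrity, and freshness of each report."""

    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}  # highest counter accepted so far, per device

    def verify(self, message):
        try:
            body = message["body"].encode()
            fields = json.loads(body)
            device, counter = fields["device"], fields["counter"]
        except (KeyError, TypeError, ValueError, AttributeError):
            return "rejected: malformed"
        if not isinstance(device, str) or not isinstance(counter, int):
            return "rejected: malformed"
        key = self.keys.get(device)
        if key is None:
            return "rejected: unknown device"
        expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, str(message.get("tag", "")).encode()):
            return "rejected: bad tag"
        if counter <= self.last_counter.get(device, -1):
            return "rejected: replay"
        self.last_counter[device] = counter
        return "accepted"

def demo():
    server = Server(DEVICE_KEYS)
    genuine = sign_report("sprinkler-01", DEVICE_KEYS["sprinkler-01"], 1, {"flow_l_per_min": 12.5})
    # An in-path party alters the flow reading but cannot recompute the tag.
    tampered = dict(genuine, body=genuine["body"].replace("12.5", "0.0"))
    return [server.verify(tampered), server.verify(genuine), server.verify(genuine)]

if __name__ == "__main__":
    print(demo())
```

The altered report fails the tag check, the genuine one is accepted once, and a second delivery of the same report is refused because its counter is no longer fresh.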
At the service and application level, packets are encapsulated during transmission. Therefore, identification and authentication services, as well as encryption and integrity protection, must be supported. Since the main attack vectors may target the application level, the security approach should be comprehensive and holistic.
Why is IoT security imperative for everyone?
Every IoT device on the network interacts with all the others, which leads to security threats—starting with hacker attacks and ending with the tried-and-true human factor. IoT-related incidents are among the top three financial threats to companies. Even government agencies are at risk.
Imagine the awkwardness of needing to pay a ransom for... the door. In February 2017, the Romantik Seehotel Jäger was targeted. Attackers broke into the hotel's computer network, gaining full access and control over door sensors used to read guests' electronic keycards. To restore the hotel's operations, the attackers demanded a ransom in bitcoins, in an amount equivalent (at the time) to $1,603.
The Uprising of the Smart Devices may be a ways off, yet it all sounds so familiar as vacuum cleaners turn into spy cameras, LG refrigerators send spam, and hacked routers tamper with search results to promote certain products.
What's next? The march of technology gives attackers the opportunity for ever-more sophisticated actions, with increasingly hard-to-predict results. The rise of 5G will likely strengthen their hand. 5G provides faster connections and high-speed data between devices. All this new bandwidth will make the Internet of Things more useful and multifunctional. But each hacked smart device will become more than a mere pawn of cybercriminals, as it provides access to all the resources of that device. This also means that the "quality" of bots will matter more than quantity for attackers trying to build a botnet.
The takeaway: 5G means that more things will be connected to the Internet, with greater resources available to plunder. Even today it is worth paying attention to 5G security issues with the IoT.
We have tested a significant number of IoT systems and we keep finding the same thing. These systems are usually assembled from the simplest and cheapest hardware and software. OEM components come from a handful of vendors. One company sells components to a second company, which in turn modifies them, adds functionality, and sells them further down the chain, where this process may be repeated several times.
Most IoT systems we have seen are Frankenstein-like agglomerations due to the pressures on manufacturers to ensure low cost and long life. Third-party software and hardware components are thrown together. The result is an inevitable loss in overall control and continuity in design. This also potentially bakes in deep-seated vulnerabilities that are difficult if not impossible to resolve.
Even the world's most reputable companies have problems, as seen with Intel's chips. If discovered on other devices using the same third-party components, such a breach could be easily replicated elsewhere.
IoT devices are also present on mobile networks. While the security provided by eSIM and eUICC is rather good, there are still issues with the network borders on SS7, Diameter, and GTP that we see all the time during network assessment and with our monitoring solutions. We have covered these issues at length in a number of whitepapers. And all the threats that we have previously highlighted against mobile network subscribers apply equally to SIM-enabled IoT devices.
Managing IoT security
Clearly, IoT security could become a headache. But just as in software development, the sooner vendors start working on security, the cheaper it is. It is always more budget-friendly to identify and fix a bug during testing, compared to when it is in the wild and creating issues for real users.
Unfortunately, what we tend to see is that vulnerabilities in IoT solutions are found only after products have already hit the market. This approach is dangerous and likely irresponsible, and it leads to expensive fixes.
So to sum up: it is hard to deploy a secure IoT solution. The number of potential vulnerabilities is huge, in everything from software to infrastructure. Sometimes, the time or cost of remediation is so high that it becomes impossible.
Securing the IoT requires knowledge of its DNA:
- Device (Sensors, Radio, Power, …)
- Network (Cellular, Wi-Fi, Z-wave, ZigBee, …)
- Application (Sensor Data, Real-Time Data, …)
Operators have to test and certify IoT security to ensure the integrity of the network. To do that, they need to look at each and every one of these different protocols, elements, ecosystems, and devices—security is only as strong as its weakest link. Accomplishing this requires a massive investment, including on the part of major multinational mobile operators.
So we see mobile operators motivated to build partnerships with one or multiple security companies, because the IoT will be far more fluid than what is currently the case on telecom networks. This change will probably be structured in the form of ongoing strategic partnerships between security companies and operators.
Perhaps security assessment for the IoT will be replaced by monitoring and use of limited versions of IoT PoC.
So to sum up: cross-disciplinary security expertise is essential. It requires a large operator security team or collaboration with multiple security partners. Risk analysis, threat analysis, and security assessment must be viewed as a normal part of business. And above all, companies must remember that security is an ongoing long-term process.