Security and the Internet of Things
The Internet of Things (IoT) refers to devices and sensors embedded in machines that communicate with each other by transferring data over a network, which is often public. The idea of sensors and devices that communicate with each other is not new. Cars built in the late nineties and later have more sensors and devices built into them than a computer. What is new is that these devices now communicate with each other over public networks.
Because these devices can communicate, their usage has exploded into multiple areas such as consumer wearables, electricity grids, home automation and communication between vehicles for assisted driving. For example, electricity meters at home can measure the electricity usage on a per hour basis and implement dynamic pricing of energy based on demand and the cost of production at that time. Fitbits and similar devices ‘gamify’ physical activity so that it is no longer a chore, but a competition between friends and colleagues, improving overall fitness levels of people.
Nest, the sensor-driven, Wi-Fi-enabled thermostat, married the device's sensors with intelligence that tracks and learns a person’s temperature preferences inside the home and then manages the temperature without people having to program the device.
While these devices have made people's lives easier, not enough attention has been paid to the security of communication between them. Manufacturers have focused on adding capabilities to these devices and hoped that obscurity will protect them. These devices are often manufactured in the millions and are very likely to run a much older embedded operating system that is likely not patched. In addition, most consumers will not change the default passwords on the device.
In late 2016, malware called Mirai used hundreds of thousands of these devices to generate a Distributed Denial of Service attack to bring down sites like Twitter, Reddit and The New York Times. And what if, while you are travelling at 60 miles an hour in your Tesla on autopilot, malware made it decide on its own that the distance between cars need not be the regular 10 meters, but can be reduced to one meter? Lack of proper security on these devices has real implications, much beyond your favorite website not being available.
The United States Senate is now debating non-partisan legislation (“The Internet of Things Cybersecurity Improvement Act”) mandating security standards for devices that are connected to the internet. Among other things, it requires that vendors of Internet-connected devices:
- Ensure that their devices are patchable
- Rely on industry-standard protocols
- Ensure there are no hard-coded passwords
- Ensure that their devices do not contain any known security vulnerabilities
While this is a good start, much more needs to be done. Vendors need to ensure that the firmware on the device is tamper-proof and that the code is authenticated cryptographically. Data communication as well as data storage on the device needs to be encrypted, and all communication between devices needs to be authenticated. In addition to these safeguards, devices must detect and report signs of intrusion such as failed login attempts, and have tamper detection capabilities and the ability to self-destruct if tampering succeeds.
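One way to meet the requirement that firmware code be authenticated cryptographically, shown as an added example that is not from the original article: a device-side check that refuses to install any image whose authentication tag does not verify. The image layout, key and function names are assumptions made for illustration, and HMAC-SHA256 from the Python standard library stands in for the asymmetric signature (for example Ed25519) a production device would use so that it stores only a public key.

```python
import hashlib
import hmac
import struct

MAGIC = b"FWIM"                  # constructed image format, not a real vendor's
HEADER = struct.Struct(">4sII")  # magic, version, payload length (big-endian)
TAG_LEN = hashlib.sha256().digest_size


class FirmwareRejected(Exception):
    """Raised when an image must not be installed."""


def build_image(key: bytes, version: int, payload: bytes) -> bytes:
    """Vendor side: prepend the header, append a tag over header + payload."""
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_image(key: bytes, image: bytes) -> tuple:
    """Device side: return (version, payload) only if the image authenticates."""
    if len(image) < HEADER.size + TAG_LEN:
        raise FirmwareRejected("image too short")
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    # Authenticate first; no header field is trusted before this passes.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise FirmwareRejected("authentication tag mismatch")
    magic, version, length = HEADER.unpack_from(body)
    if magic != MAGIC or length != len(body) - HEADER.size:
        raise FirmwareRejected("malformed header")
    return version, body[HEADER.size:]


def try_install(key: bytes, image: bytes) -> str:
    """Return a status string; a real updater would flash the payload on success."""
    try:
        version, payload = verify_image(key, image)
    except FirmwareRejected as exc:
        return f"rejected: {exc}"
    return f"accepted: version {version}, {len(payload)} bytes"


if __name__ == "__main__":
    key = bytes(range(32))                    # constructed demo key
    good = build_image(key, 7, b"firmware-payload")
    bad = good[:HEADER.size] + b"X" + good[HEADER.size + 1:]  # one byte altered
    print(try_install(key, good))
    print(try_install(key, bad))
```

A rejected image is also an event worth reporting, in the same way as the failed login attempts mentioned above.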