Securing the Internet of Vulnerable Things
There are the computers you can see and work with (desktop workstations), and then there are the ones that are small, usually less powerful, and embedded deep inside your day-to-day devices. These hidden green boards with a small microcontroller work tirelessly, day and night, in crucial systems — space vehicles, your washing machine and yes, even a voluntary cow milking system!
These systems have been crucial for decades, but over the past ten years or so, there has been an explosion of making these tiny embedded devices talk to each other. Kevin Ashton coined the term Internet of Things — a web of embedded devices in your day to day life that can talk, communicate and take decisions as per your requirements.
The boundaries between IoT and core embedded domains have been blurring ever since. What was once a very focused engineering domain has become a massive phenomenon, fueled partly by a post-modern hacker culture and partly by a technological push from chip manufacturers. Embedded devices are much more accessible, support a plethora of tools and are overall a blessing to creative minds. Embedded device manufacturers have started focusing on devices that talk to each other — a car that knows your musical taste from the playlists on your phone, or a house that senses your mood from your smartwatch notifications. Things are getting increasingly connected.
We are making our devices and our lives accessible but are we making them secure?
What Makes IoT Insecure?
Traditionally an unconnected device would have a limited attack surface. Serial console access on a heart-rate monitor for service engineers was the maximum depth of a breach. The trust was in individuals, and embedded systems security incidents were isolated to manufacturing plants and factories where the devices were connected through industrial control systems, such as SCADA.
With the interconnected devices of today, however, both the attack surface and the number of potential victims have increased massively. As we speak, these devices leak your data to nefarious clients on the web. The point of the leak may not be a security vulnerability in the device itself but in one of the numerous other devices to which it is connected.
Researchers at Princeton recently found that a photo frame can leak your activity and that an IP camera can let others snoop on you. Mattel recently discovered a vulnerability in one of its Wi-Fi connected toy bears that knows your kid’s name. By no means are such incidents isolated. Shodan is a search engine dedicated to finding such vulnerable internet-connected devices! A very casual search can easily point you to the data stream of a loosely protected baby monitor sitting thousands of miles away.
But hey, as the Shodan folks point out, someone apparently needs a web interface to tune their gas-engine parameters, as you can see in the image.
Plan of action
As the IoT domain expands, we need to come up with viable solutions to secure things. Security flaws in embedded devices are nothing new. In 2014, Wired ran a report on how easy it was to hack hospital equipment. We need to make sure it is not easy anymore, especially in an age when these flaws can violate privacy at mass scale.
In engineering, standards maintain uniformity and compatibility. They also ensure that, for a given domain, a certain minimum requirement is always met. Some are as detailed as the texture of the paint used on devices in hospitals. IEEE has compiled a list of IoT-related standards that device manufacturers can follow, and ISO has already started developing standards as well. These standards aim to cover everything from architectural specifications to security requirements.
However, it is up to manufacturers and consumers to understand the implications of using non-standard products. As of now, products with no standards and no certification flood the market. An IP camera costing as little as $25, controlled by a potentially vulnerable app sideloaded onto your Android phone, is a perfect recipe for disaster.
Certifications and Audits
The main reason cheap IoT products continue to throng the market is the cost-cutting done on certification. Certification authorities can ensure that a vendor maintains standards of manufacturing and security; they take time and care when testing devices for vulnerabilities. An explosion of unregulated web trade (not that it is bad in itself), coupled with consumer demand for the latest and cheapest gadgets that can connect their lives to the internet, pushes IoT vendors to cut corners and bypass certification. Big-name IoT devices may be equally vulnerable, but the odds are far higher with unregulated corner-shop vendors and seasonal manufacturers.
What Can be Done?
The US Federal Trade Commission has released guidelines for IoT manufacturers urging them to follow standards. The Privacy Commissioner of Canada also seems to be taking note of the matter. Even as governments all over the world start to take cognizance of this threat, privacy experts advise users to trust only certified and secure products from known vendors. Vendors need to increase their spending to get their IoT devices security audited and certified by trusted agencies. There are already IoT certifications offered by companies like DigiCert that vendors can aggressively make use of. Think of it as the difference between handing your credit card details to a random text box on a random website and entering them on your SSL-certified, trusted bank website. Before buying, look up the vendor’s history and their products. See how the products are designed and whether there have been known flaws in their previous models.
Remember the data breach at toy maker VTech last year? It exposed personally identifiable details of around 5 million parents and 200,000 kids. The leak also contained pictures and audio conversations of parents, taken from the KidConnect service, which was storing audio conversations and pictures of kids from the children’s toy tablet on VTech servers.
Unsecured devices are essentially a nightmare waiting to unfold. Different countries have different laws and regulations that attempt to make sure someone can be held accountable in case of a serious security breach.
But above all, the biggest weapon a consumer has against any security threat (be it governments or hackers) is encryption. Simply stated, encrypt everything: your storage drives, your phones, your photos and your conversations. Keep them safe. Refrain from entrusting your data to multiple third parties. There is an increasing push for it, and encryption is no longer arcane tech jargon. Have a look at the Let’s Encrypt project of the Linux Foundation.
We should always remember — as we embrace the IoT and an increasing machine-to-machine world — how a slight and unsuspecting negligence on our part can lead to our privacy being breached, and a weak IoT node on the chain of devices can be the cause of that. Stay secure.
Feature image: A cargo ship control system dashboard, from the Shodan search engine.