As the Internet of Things (IoT) and connected devices rapidly gain popularity and traction, security has come into the spotlight. Long gone are the days when security was an afterthought for “smart” devices. Today, security issues are at the forefront of developers’ minds. Developers are being trained to handle IoT security challenges, and more is being publicized in the Blackhat community about exploiting these types of devices. There is even a sub-conference at Blackhat 2015 that will be aimed at extracting, analyzing, and, for all intents and purposes, hacking IoT devices, with the purpose of training developers to prevent IoT security vulnerabilities.
At Link Labs, we feel there are four important security challenges facing the IoT community in 2015, and we’ve summarized them here.
1. Wi-Fi enabled devices are being added on local area networks (LAN) without proper security.
This is the biggest threat to IoT security. When TCP/IP-based endpoints are allowed on a LAN without enterprise-level security protocols in place, there is a great deal of risk involved.
To illustrate how this could (and does) happen with IoT products, imagine someone has purchased a device with a Wi-Fi module that takes their normal fish tank and makes it a “smart” fish tank. If someone purchases this product and allows it on their LAN, they have now allowed a potentially malicious endpoint behind their firewall.
Here’s the problem: firewalls and NATs are a network’s first line of defense against direct host attacks, and if you add something inside your LAN, it’s already behind the firewall. Once this smart fish tank device is installed, it can reach out and connect to malicious servers. This process is known as “reverse tunneling,” because the device inside the firewall makes an outbound connection through the firewall, and a socket is far easier to open that way than through an inbound connection. Firewalls don’t block most outbound requests, since it would be hard to use most applications otherwise.
Bad software isn’t the only challenge here—bad people could be at play, as well. In other words, the creators of the smart fish tank could have malicious intent, and they may want to exploit every network they can get their hands on. IoT products simply don’t have the benefit of robust operating system (OS) security. Most major operating systems—like those created by Apple and Microsoft—make it very difficult for someone to exploit a system, even from inside a LAN. That doesn’t mean it can’t happen regularly, but it is more difficult. But with IoT products—since most are running a less sophisticated operating system—the only thing consumers have to rely on is that the people who sold them the Wi-Fi enabled device did so with good intentions.
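One way a defender can watch for the outbound and inside-the-LAN connections described above is to review flow records from the segment the smart devices sit on. The following is an added example, not code from Link Labs; the flow record format, the IoT subnet, the allowlisted vendor endpoint and the duration threshold are all assumptions, and the sample records are constructed.

```python
import ipaddress

# Constructed sample flow records: src_ip dst_ip dst_port duration_seconds
SAMPLE_FLOWS = """\
192.168.1.10 93.184.216.34 443 12
192.168.50.21 203.0.113.7 443 30
192.168.50.21 198.51.100.99 4444 86400
192.168.50.22 203.0.113.7 443 45
192.168.50.22 192.168.1.10 445 3
"""

LAN = ipaddress.ip_network("192.168.0.0/16")            # assumed internal range
IOT_SEGMENT = ipaddress.ip_network("192.168.50.0/24")   # assumed IoT subnet
ALLOWED_DESTS = {("203.0.113.7", 443)}                  # assumed vendor cloud endpoint
LONG_LIVED_SECONDS = 3600                               # assumed threshold


def review_flows(text):
    """Return (src, dst, port, reason) for IoT-originated flows worth a look."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        src, dst = parts[0], parts[1]
        port, duration = int(parts[2]), int(parts[3])
        if ipaddress.ip_address(src) not in IOT_SEGMENT:
            continue  # only connections initiated by smart devices
        if ipaddress.ip_address(dst) in LAN:
            # The device is talking to other hosts behind the firewall.
            reason = "connection to internal host"
        elif (dst, port) not in ALLOWED_DESTS:
            # The firewall let this out because it was initiated from inside.
            reason = "outbound to non-allowlisted destination"
        else:
            continue
        if duration >= LONG_LIVED_SECONDS:
            reason += " (long-lived session)"
        findings.append((src, dst, port, reason))
    return findings


if __name__ == "__main__":
    for finding in review_flows(SAMPLE_FLOWS):
        print(finding)
```

The same allowlist can be turned into an egress rule for the IoT segment, so that the device can reach only its vendor endpoint and nothing else on the LAN.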
2. There are issues with upgradability and patchability of IoT endpoints.
One of the nice things about Mac and Windows OS is that they are completely configured and regularly updated. They both have automatic upgradability, so when your computer’s OS needs to be repaired due to a security vulnerability, it can reach out and get updated, or “patched,” automatically.
With IoT devices, it’s up to the companies that sold them to have a mechanism in place for patching security vulnerabilities. The problem is, that may or may not ever happen. This isn’t a new issue—but it is an issue nonetheless. (In fact, the network equipment industry has dealt with—and is still dealing with—the same problem, as sometimes routers, etc., have vulnerabilities that don’t get patched before there’s a security problem.)
In this VentureBeat article, author Michael Coates says “effective patch deployment is a big problem” for IoT. He explains that some security breaches will go unnoticed, but others will be discovered—and consumers will demand a solution. He goes on to explain how a scenario like this may unfold—and why it’s troubling:
“In these situations a manufacturer may scramble to issue a patch. But then what? How is the patch actually delivered to the device? Will all customers be requested to reboot their oven, car, or pacemaker and navigate through an update process? Or will the updated software only be available in the next release of the physical product? This would mean customers would be unpatched until they bought a new toaster, baby monitor, etc. Unfortunately, one of our current challenges with IoT is that, even if a patch is issued, there is not an effective channel to reach the majority of devices in a timely fashion.”
What it boils down to is this: the more things that are added to a LAN, the greater the security concerns. We’re remaining hopeful that the industry will create some kind of standard around the expectations of security patches for IoT devices.
3. Problems have arisen around protecting physical access.
Let’s return to the example of our smart fish tank app. Consumers often don’t consider this, but with any physical device, there’s a chance that a hacker could manipulate it and get into exposed USB ports or a debugger interface. If someone is able to successfully hack at the embedded level into an IoT device’s memory and can read the encryption key, every device that is or has been shipped becomes vulnerable. This is a real problem for both consumers and for the industry as a whole.
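The risk above, that one key read out of one device's memory exposes every shipped device, follows when the whole fleet shares a single key. The following added example (not from Link Labs) models that case next to a common mitigation the article does not describe: deriving a separate key per device from a secret that never leaves the backend. The device IDs, keys and message format are constructed, and the HMAC-based derivation is an assumption chosen for illustration.

```python
import hashlib
import hmac

FLEET = ["tank-0001", "tank-0002", "tank-0003"]      # constructed device IDs
SHARED_KEY = b"constructed-shared-fleet-key"          # burned into every unit
MASTER_SECRET = b"constructed-backend-master-secret"  # held by the backend only


def tag(key, message):
    """Authentication tag a device attaches to a message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def derive_device_key(master_secret, device_id):
    """Per-device key: HMAC of the device ID under the backend's secret."""
    label = b"device-key:" + device_id.encode()
    return hmac.new(master_secret, label, hashlib.sha256).digest()


def key_for(scheme, device_id):
    """Key stored in a given device's memory under each provisioning scheme."""
    if scheme == "shared":
        return SHARED_KEY
    return derive_device_key(MASTER_SECRET, device_id)


def blast_radius(scheme, opened_device):
    """Devices whose messages verify under the key read from one opened unit."""
    extracted = key_for(scheme, opened_device)  # what a memory read would yield
    exposed = []
    for device_id in FLEET:
        message = device_id.encode() + b"|temp=25.1"
        expected = tag(key_for(scheme, device_id), message)  # backend's check
        if hmac.compare_digest(tag(extracted, message), expected):
            exposed.append(device_id)
    return exposed


if __name__ == "__main__":
    print("shared key:     ", blast_radius("shared", "tank-0002"))
    print("per-device keys:", blast_radius("per-device", "tank-0002"))
```

With per-device keys, physical access to one unit exposes that unit only, and the backend can revoke its key without touching the rest of the fleet.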
4. There’s a ton of hype from developers and consumers.
Because there is such frequent and intense press around the Internet of Things, there is an urgency amongst companies to get to market with their IoT devices more quickly. While the current hype is, on one hand, pushing innovation forward, it is also putting developers on a tight timeline. When time is of the essence, and all efforts are centered around a quick deployment, security can become an afterthought. When this happens, IoT devices can go to market with poor encryption, unpatched operating systems, and more.
You can see how IoT security has become its own discipline and is just as important an issue as standard network security. IoT has left the “early stage” of development, and with its mainstream popularity comes a responsibility to keep consumer information secure. Product developers and consumers are, and need to be, taking these issues seriously.