The insecurity of the internet of things has been thrust into the limelight of late, thanks in no small part to a rash of DDoS attacks from the Mirai botnet. During an in-depth panel at the Infosecurity Management Conference in Boston this week, speakers spoke of the very real business obstacles that make IoT security so difficult.
For one, IoT-watchers have a difficult but necessary dream: That products must come out of the gate with easy and natural security that doesn’t rely on consumer awareness. And while manufacturers create devices to be plug-and-play to aid adoption, but easy plug-and-play is antithetical to making them secure.
“You can’t rely on consumers to protect themselves,” said Gene Carter, director of product management and marketing, Security Innovation. “So vendors need to change their processes. However, IoT is much more difficult to secure than, say, a standard website, so there’s an operational challenge even if they wanted to put it in.”
For instance, security must be baked in from the start, by engineers that understand it.
“You can’t just tack security on at the end—you have to do threat modeling, reviews of the code, look at the old architecture—and then you can make meaningful advances in security,” Carter said. “But engineers and software developers learn fast coding and efficient coding, but not how to write secure code. So it’s not only consumers that need education, but the software developers themselves.”
Guidelines and regulations are one idea on the table, but it’s unclear how helpful they would be.
“Manufacturers are under pressure to get stuff out of the door. Security is not the business” explained Steve Christey Coley, principal security engineer in the cybersecurity division, MITRE. “But there are two potential drivers for the C-suite to mandate security-minded development: One is industry consensus: What are my peers, my colleagues doing? Another is regulation or industry standards that require that the cybersecurity of their products tested to gain a stamp of approval.”
In the US, the Department of Homeland Security (DHS) for instance has issued strategic principles for securing the IoT, while the Federal Trade Commission (FTC) has taken a proactive role in going after some providers of IoT devices if they’ve made security promises that haven’t held up. The Food and Drug Administration (FDA) is also working on a draft version of guidance for medical device manufacturers to include security within the design of their devices, along with safety analysis parameters.
“However, we have spoken to a lot of manufacturers that say it’s just guidance, and that none of this offers a boost to help them internally convince the boards and the C-suites to bake in security,” said Christey Coley. “There are independent testing labs though that are independent of government and are working towards setting up at least minimal expectations, and a grading and labeling system—like nutritional labels for security products. That could be a differentiator for consumers.”
And up until manufacturers start taking a security-first approach, the users themselves do have a part to play.
“Consumers and IT staff should be somewhat educated—I think everyone knows how to create a secure password and to choose not to isn’t a good thing,” said Chad Dewey, computer science and information systems instructor, Saginaw Valley State University in Michigan. “There has to be something before we get government mandates, in the form of best practices and user education. Consider the Shodan.io IoT search engine. Anyone can scan for things in IP address ranges. Type in ‘tank gauges for gas stations,’ and you’ll get a list of them, unsecured or not. And it’s the same for thermostats or connected light bulbs. People need to be aware of how discoverable their things are.”
It's hard enough to get average consumers to change a default password on a home gateway; certain types of devices have their own unique issues. For instance, medical devices and connected cars have long life cycles.
“Manufacturers of medical devices can’t say, no I’m not supporting that anymore, and automakers they can’t say, I don’t care if you get hacked in 20 years and they literally drive you off the cliff,” said Christey Coley. “IoT devices can be in the field for 10 or 20 years—compared to phones, which last two on average, or laptops, which last three. This is a whole different order of magnitude for support from manufacturers and for patching on the part of end users.”
And monthly updating and patching is difficult when there are devices—often outdated but still used—on the scale at which hospitals have. Consider bedside monitors, which typically contain connected panels from two manufacturers along with a single software stack. “If someone compromises that software stake, these are exposed 100%—and we’re talking about thousands of devices,” said Esmond Kane, deputy CISO, Partners Healthcare. “It’s a pandemic-level problem.”
There’s also the issue of expense.
“If you just spent tens of millions of dollars on an MRI machine that you need to take off a side of the building to get into the hospital, if someone tells you that you have spent however much in employee labor to patch every month, you’re likely to tell them where to go,” said Kane.
Nonetheless, these are unsolved problems that need solving, and soon—the stakes are incredibly high, thanks to the intersection of the physical and IT—especially in medicine.
“We are probably not far away from a fatal event—we’ve all seen insulin pumps and pacemakers attacked and we’re all watching what happened with the connected Jeep,” said moderator Steve Hoffenberg of VDC Research. IT isn’t just an enabler—if you don’t have IT with a proper level of rigor around security, you can’t offer patient care.”
He mentioned implantables and the proliferation of in-body devices like smart hips.
“There are devices that fit under the cranium that trickle electricity into the brain in order to combat seasonal affected disorder,” he noted. “We are looking at the next generation of medical devices where someone can actually hack your body. We need to prepare for the next generation of patients now.”
Even in the comparatively pedestrian world of consumer products, the stakes are high.
“We typically wait for a crisis and then respond to it,” said Kane. “It’s difficult to spend money on offense when you don’t have a hard return—and it’s easier to fight yesterday’s battles instead of trying to plan for tomorrow’s war. In 10 years there will be 10 to 20 billion smart things connected and talking to each other. If we don’t deal with this avalanche right now it will be unpleasant, to say the least. Mirai is just an early wakeup call.”
Photo © fotogestöber