Securing the Internet of Things


But despite the positive attributes they bring, there have been some bumps in the road for IoT-ready devices. For example, there was the issue regarding Samsung’s Smart TVs, and how they were recording their users’ conversations. The information obtained would then be transmitted back to Samsung and subsequently flipped to an unidentified third party. This caused a large-scale imbroglio for the tech retailer, and angered Smart TV owners.

The Samsung debacle led to some important questions from consumers and security gurus. Just how secure are these IoT-connected devices? And more to the point, what steps could be taken to ensure that these devices could not be hacked into?

In order to find out, IT in Canada spoke to Ted Harrington, executive partner for Independent Security Evaluators.

IT in Canada: What led to the rise in popularity of the Internet of Things?
When you think (about) the business case for why IoT has really risen to prominence, it makes a lot of sense from the perspective of the improvement of the business and consumer experiences. From the business perspective, some of the things that IoT is able to provide are better analytics of data (and the) easier ability to predict and map trends. Effectively, what all of these data analytics allow companies to do is to better understand their customers (and) deliver more precise services or marketing campaigns.

From the consumer experience, IoT allows new things to be enabled. For instance, the individual consumer can now lock the front door of their house remotely, or can send a key via an app to their housekeeper so that the key only works for a one-hour window for the time the housekeeper is there. It eliminates some of the headaches of dealing with certain products (and) the overall user experience is improved with certain connected devices.

There is also an undeniable “cool” factor, with the idea that, from a smartphone, you can do so many things that previously were purely analog, like locking your car or turning on the air conditioning in your house.

ITIC: Why is it important to ensure the security of IoT and all connected devices?
There are two pieces of the problem that are different but related, and it’s important to disambiguate the two because they’re often confused with each other. Those two pieces are privacy and security, and in the mainstream, those two are often used as synonyms.

Privacy issues relate to things about an individual person’s life that they may or may not want to be known by others. These are things that could sometimes be embarrassing if they got out, or might otherwise violate a person’s sense of their own barriers.

The other problem is security. Whereas privacy deals with information that a person may or may not want to be known to others, security is about challenges that could lead to some sort of damage, whether that’s reputational damage or financial damage. There are aspects of IoT that could lead to physical harm and all kinds of implications that are much more important than the fact that someone knows how much more I weigh this week than last week because they compromised my connected scale.

From a security standpoint, the reason why (securing) IoT is immensely important is because what connectivity is doing is enabling remote access, and more remote access to systems that were previously more difficult to access. For instance, when you look at the consumer’s home environment, all these connected devices introduce new ways for a remote adversary to break into the digital realm of a consumer’s home.

ITIC: What are hackers doing to gain access to IoT-enabled devices?
Their (actions) range from the trivial to the sophisticated. One of the challenges that is presenting and repeating itself with connected devices is how security is not the first, or not even in the list of top priorities for the development efforts of these devices.

As an example, one of the things I see very frequently is default passwords that are hard-coded into the devices, so you can’t actually change the password, or it’s very difficult to change. The average consumer buys a device and starts using it, and they aren’t necessarily computer scientists, so they might not have the easiest time changing that credential. This is a very trivial way that an adversary might compromise a connected device because they’re able to look up what that default password is, and across enough devices, that access will still be granted.

On the other end of the spectrum is where the sophisticated attacks are happening. The OWASP Top 10 Vulnerabilities list enumerates the most commonly-seen vulnerabilities in web applications, and what this list effectively does is articulate the issues that continue to persist in web apps. These web app issues are being seen in IoT devices as well. Examples include cross-site request forgery and injection attacks.

They require a level of technical sophistication in order to pull off, but for any adversary who’s in the business of attacking systems in this way, they’re perfectly capable of performing and succeeding at these types of attacks.

ITIC: What is being done to thwart the efforts of attackers?
Certainly, something like what we’re creating with the IoT Village at DEF CON is an effort to try to thwart these adversaries. The most effective way for an organization to harden its products against these types of sophisticated adversaries is by engaging a neutral third party security firm to perform a white box manual security assessment.

What we’ve seen is that some organizations are definitely doing that, but others are not doing that at all. In the cases where organizations are not doing that, they may be relying on things like automated scanning, or attempting to comply with some sort of framework, such as NIST. Or, they may just be relying on their own developers, under the assumption that their developers understand the security implications.

The challenge with all of those approaches is that none of them are really looking at something from the way a malicious adversary would be looking at the same system. Those organizations are really not doing much to effectively thwart the adversaries.

Organizations that are baking security into the development process and are having those third-party security assessments performed in the right way are effectively mitigating more abilities as they are introduced. But it appears that those firms are in the minority, certainly not in the majority.

ITIC: What does the future hold for IoT security?
I think that eventually, we will get to a better state, from a security perspective, although today, it is pretty dangerous to use connected devices because they don’t really have that security properly baked in. Any evolution of technology goes through certain cycles that are consistent throughout the release of emerging technologies.

A good example would be when people started utilizing cloud systems the way they do now, or the whole movement of Bring Your Own Device in the corporate environment. These are things that went through various states. The first stage was there was an innovator who said, “Here is a different way that we can utilize technology to improve a business or consumer objective.”

Immediately following the innovator is this mad rush into the market by companies to provide products and services that meet the demand that has been created by innovation. That’s really where we are right now with IoT. There is this mad rush to get connected products out there, but security is not actively considered yet.

The next stage in the emerging technology process is when security professionals can metaphorically shake down those product manufacturers and help them build security into their products. It gets to a point where it should be an expectation of someone, whether they are an individual consumer or a business, that when you buy a product, security has been properly configured as part of it.

We are not there today; that would be a wholly invalid assumption. But if we can continue to drive towards the security implications of connected devices, we will eventually get to a point where that is potentially reaching a more realistic assumption.
