The challenge around the Internet of Things (IoT) is less around smart devices in the home, but more about devices in the workplace and in the data centre.
Peter Wood, ISACA member and CEO of penetration testers First Base Technologies said that as devices are often built small and cheap, they have little in the way of authentication and encryption built-in. It works in the background, but an educated attacker could leverage devices to get access to the rest of the network.
“As we get smart buildings with connected heating, ventilation and air conditioning it is not unfeasible for an attacker to switch off the air conditioning in the data centre, or to turn up the heating so everyone has to leave,” he said.
“The challenge is all of these devices can talk to each other. A smart building will have servers to address all of the endpoints, but it is not difficult for an attacker to impersonate that server or take the devices over completely. In the Far East you will see smart cities sooner rather than later.”
Talking about the security around the IoT, Wood said this is not the issue as the “thing” is not connected in the first place. “So you don’t log onto the kettle, you connect to it and it doesn’t require incredible skills, but you have to sit down and read how the devices work, that is all.
“It doesn’t require hacking but devices are at the opposite end from computer and most are not intelligent enough to execute a virus as there is not enough space, but it will tell you what it is doing. There is no reason to tell it to turn on or off, but if you have a similar device sitting in a data centre that is supporting a more important infrastructure then it becomes more significant.”
Wood referred to research by Proofpoint around a spambot using connected devices including a fridge to send spam mail, and said that if this did happen then it is not about how much power the fridge has, as the devices do not log onto the network as they don’t authenticate and they do not encrypt.
“It is one of those things that people don’t think about, but at some point someone will exploit it and we will be running to catch up to learn what we should have done in the beginning. Just like we did with wireless and just like we did with smartphones and PCs. Someone will ask why it did this, and then someone will say that it wasn’t designed that way. So you layer things on top and you get the situation where security is a barrier to what you are trying to do. IoT is exactly like that.”
He likened it to SCADA security, as the nature, integrity and cheapness of the product means that you do not build security in from the beginning. “It will only take imaginative attackers to use them to screw things up,” he said.
“Business and manufacturer doesn’t think about security and the user doesn’t care until there is an issue. It is just happening and creeps up on us. When we see people hacking cars, ATMs and the like, there will be opportunity for that sort of behaviour. You are making more holes in firewall, not that people don’t care but should understand how it works and what the risks are. And how they should segregate them.
“We will not stop people doing it, but we need to raise awareness of how to do it securely as it will not be done for them. Cheap and cheerful always means insecure.”
He concluded by saying that there were three key points to consider:
1. Smart devices are promiscuous and talk to each other across networks by design. “Gartner predict 50 billion devices across the planet – unless you take active steps to stop that being the case, the potential is terrifying.”
2. Devices are stupid and designed to be so, and cannot support encryption. “In many cases they do not authenticate and cannot support it so you build it on top that stops people from doing want they want to do with it.”
3. People who own devices are not aware that they are as vulnerable as they are. “Most IoT things are designed for an ignorant audience who doesn’t care, so people don’t care and don’t know they were making themselves vulnerable.”
Dan Raywood is editor of The IT Security GuruLeave a comment on this article