Buckle up

March 2016

Car driving fast at nightDavid Bird asks, when it comes to the internet of things, is it a security car crash waiting to happen?

The decentralised microcomputing era that followed the information revolution of the 1990s, encouraged IT adoption on a global scale. Facilitated by the internet, and the world wide web that followed, usage transgressed borders and cultural diversity.

The internet of things (IoT) has emerged to become the next generation of internet adoption1, but inevitably it will present a plethora of security challenges.

IoT has already been trail-blazed by less intelligent RFID technologies, which is leading the way for wider adoption. The IoT term is used here to describe machine-to-machine (M2M) connected devices, ranging from consumer wearable technologies to capabilities that bridge the commercial sector such as the automotive industry or the smart-grid2.

Confidentiality

Privacy is a huge topic. By 2020 it is estimated that 50 billion devices will be connected, 20 billion of them to the internet3 and thereby produce immense volumes of data to transit global networks.

Technologies like smart-watches or the defunct Google Glass have already proven that wirelessly tethered front-end sensors are required to interface with other internet-enabled devices or remote back-end systems where the real computation occurs.

Presently domestic smart-meters operate by sending their customer’s data to a central hub, perhaps at a neighbour’s house in order to collate and perform bulk uploads to the service supplier’s gateway3. Personable attribution is a concern when data is captured before onward communication, when it could in fact be minimised/anonymised4 prior to volume shrinkage and pre-processing.

A form of detachment may be needed for data communicated from smart-devices in order to safeguard against user differentiation via retrospective data mining on back-end systems - this is called differential privacy5.

IoT development

Commodity innovation for consumer and commercial markets will inevitably mean that there is a race for the best price point over rival competitors.

However, in order to maintain a competitive edge, manufacturers may interpret this to mean cutting corners from an information security perspective. There is a risk that the lesser the machine intelligence, the greater the temptation to reduce the security profile of the product.

Therefore code development for IoT6 should include ethical considerations otherwise there is a real risk that bad coding practices will inevitably make internet-enabled sensors an ideal attack landscape for hackers7.

M2M communication

Existing low-powered IoT wireless standards include short range IEEE802.15.4 Z-Wave (~10m) and Zigbee (~100m) and a new draft standard called ‘weightless wireless communications’ (up to 10Km)8.

A variation of Advanced Encryption Standard-based cryptography is used to protect customer-attributable data between devices over-the-air; but there is already evidence of bugs or configuration issues exhibiting some flaws9 10 in manufacturers’ implementations.

In order to protect widely distributed internet-borne near real-time data transiting across mobile/fixed carriers, and to be free from alteration or capture, existing virtual private network methods are likely to prevail.

Therefore a proposed IoT security model could be the way ahead for devices employing a two-phase security profile:

  1. to securely boot,
  2. authenticated and secure connections to remote back-ends11.

IoT is being seriously considered as a carrier of road congestion alerts and quality monitoring or vehicle performance tracking data from sensor components embedded within cars - whether they are driverless or otherwise.

It is anticipated that 90 per cent of new cars will be IoT-enabled by 202012. If cars can be inter-connected to notify other drivers of traffic collisions13 using interlinked cascading-relay techniques coupled with internet carriers, this could prove to be a highly desirable selling point. However, there are serious security challenges14 too.

How can manufacturers assure data privacy15 and data separation in a paradigm where the vehicles could quickly become overwhelmingly dependent on such data for effective operation. If this conjoined vehicular vision becomes a reality there are serious safety risks; especially if hackers could launch a fire-and-forget attack that might cause systemic and catastrophic failures and cause cars to crash or breakdown without warning.

Warning signs

Always-on voice detection in smart-televisions has lead to unforeseen security issues such as an unauthorised ability to snoop on consumers16 proven in the ‘snitch TV’ exposé. It has already been revealed that a smart-fridge has been integrated into a botnet and used to send 750,000 spam17 emails.

The bring-your-own-device genre of consumer devices, such as smart-phones and tablets, brings pronounced security concerns based on the variable habits exhibited by users and their personal morality18. Correct device configuration and setup is a proponent of trust and the recent webcam hack19 is a case in point where user controlled setup still tends to err towards default passwords.

Industry regulation

IoT certainly encroaches into the big data category but at scale where massive amounts of data are to be processed. IoT embedded devices or sensors will also need a degree of ambient intelligence20 and differing autonomy21 depending on their complexity and function.

Therefore an interdisciplinary approach is required to discern the true impact of the cyber domain upon human kind to make sure IoT technologies are responsibly secure22. Regulatory oversight of IoT should be multi-disciplinary and collaborative between governments, industry and academia to ensure that a rounded and fully informed approach is taken.

Lessons learned

There is a distinct correlation to a similar problem encountered by critical national infrastructure industrial control systems (ICS) sensors and networks. Dumb front-end remote terminal units and simple programmable logic controllers send messages across serial networks to pass perishable data with low volume storage requirements23.

Traditional physical security segregation mechanisms were slowly eroded as these sensor networks were connected via converters to IP networks for the purposes of centralised control.

As a consequence of this convergence, and deficiencies in logical security controls, when ICSs were subsequently connected to the internet there was an increased susceptibility to harmful cyber attacks24. These are still serious concerns and arguably we still have not learned our lesson as we forge into the IoT dimension.

Minimising repercussions

The cyber domain information security discipline has been shrouded in fear, perpetrated through security deficiencies in solution designs, in-secure configuration of assets, and unpatched vulnerabilities arguably generated from macabre complacency.

Embedded security measures are just as important to ensure that IoT devices are not attacked by hackers or abused by organised crime to the detriment of progress. The likelihood of IoT botnets becoming a reality as an underground pervasive attack platform across the internet14 is worrying.

Traditionally security has meant sacrificing some functionality over lock-down. IoT security will be a balancing act between user data attribution through genuine collection versus illicit data attrition where data could be exfiltrated for unauthorised purposes.

The 21st century need for commodity information can be facilitated and nurtured with some semblance of inbuilt security; thus protecting ourselves, and any ability to discern datasets representing our patterns of thought22, whilst still retaining interactivity within specific risk appetites.

Perhaps removing retrospective security rigidity, by designing-in security25 ease of use26, can assist in retaining a translucent balance. The internet is a complex platform for the common good, but it can be used to inflict harm; without a common regulatory pathway into the future IoT will be abused, as other preceding technologies have been, where data may not be used ethically for the reasons it was collected.

References
 

Image: iStock/476430949

There are no comments on this item

Leave Comment

Post a comment