The internet of things promises amazing possibilities. It also threatens chaos if security isn't taken seriously. Thomas McGrath considers how we can ensure we stay safe and still enjoy the new technology’s benefits.
If you were selling smart home lighting systems just a few summers ago, you would recall how enthralled and transfixed your clients would get, knowing about its astonishing features and the swag tag that went along with it. And if you told them that they could zap their lights on or off at home simply by using their smartphones even when dog sledding on a snow tour in Norway, they would probably look at you quirkily with quiet disbelief, smirking and thinking it to be your flight of fantasy.
Jump to the present. On this very day, as you read on, close to 5.5 million smart devices across the world have connected and are talking to each other over the internet. This is the present size of this exploding, gargantuan universe of the internet of things (IoT). While all this suggests that the line of distinction between science fiction and reality is increasingly blurring, it also throws light on the risk associated with staying in the fast lane of technology.
The figure of over 1 million malware attacks reported on a daily basis leaves us without an 'IoT'a of doubt that this threat is real and looming large.
Right from kettles and Pan-Tilt-Zoom cameras to pacemakers, and even power grids and dams have seen attempts at being hacked and attacked. Security threats of this nature can snowball easily, with vulnerabilities found in one device cascading into others.
According to Bruce Schneier, Chief Technology Officer at Resilient, risks from IoT devices emerge due to three things: software control (whether a device supports software updates), interconnections between systems (eg a Gmail account getting compromised due to vulnerabilities in a Samsung smart refrigerator), and the autonomy that a device is endowed with (eg computers that are capable of firing or cooling down furnaces through an automated program, or driverless cars that are capable of independently navigating their way around traffic). Here's a list you can't afford to ignore:
While these factors are enough for us to lose sleep over the security positions of our devices and networks, thankfully, there are measures that can give us a fair amount, if not total immunity against IoT attacks. Let’s look at some of these.
As time and technologies advance, the security positions, challenges and remediation measures would get remodelled. Be prepared to ride the char'IoTs' of fire.
Security of something like the IoT requires a holistic view. It's not just about risks *from* IoT such as encryption, privacy and vulnerabilities. The great looming risk *to* M2M/IoT relates to availability (and therefore to some extent also *from*).
This is a common mistake, e.g.: Sicari et al, 'Security, privacy and trust in Internet of Things: The road ahead' (2015). Schneier has been guilty of this in the past though more recently he's started to talk about the "A" in "CIA", e.g.: http://nymag.com/selectall/2017/01/the-internet-of-things-dangerous-future-bruce-schneier.html.
Need an example? The 2G sunset. Millions upon millions of devices are going to stop working and require total or component replacement - vehicle/insurance trackers, smart meters, smart home hubs, offender management tags, child tracking bracelets, building alarms, pet and livestock tags/collars, ...
If you want connected products (which become infrastructure over time) you need to consider risks and dependencies decades ahead with as complete a framework as is possible.
Interesting recent paper Cheng et al 'Securing the Internet of Things in a Quantum World' (2017).
Very Interesting and a good indication of what one needs to do. I do however fear for individuals and small business that do not have the knowledge or the resources to manage the type of security that is needed in this day and age. For a small business the cost of IT and all the associated security is potentially a major overhead that they can ill afford or even appreciate that they need. Individuals and small businesses need cost effective help and reliable secure devices that can be maintained as technology advances.