Internet of Things is proliferating. In a few years’ time, you will wake up in a world where almost every device you interact with is equipped with some kind of a “sense”. But there is a price for giving devices the ability to communicate with the outer world, namely potential security vulnerabilities. Is there a way to diminish the threat and provide users with a safer product?
It’s 7:07 AM, Monday. The alarm clock starts ringing. Your smartwatch, together with a sleep monitor, has just decided that this is the right moment for you to get out of bed. The moment you turn off the alarm and leave the bed, your smart coffee maker starts making your favorite arabica. As the coffee is brewing, you brush your teeth with a smart toothbrush, which says to you through the shower speaker “this time don’t miss the wisdom teeth”.
You grab the coffee, which has just been poured into your smart mug, take a sip, put on clothes and smart shoes and leave your smart home. When you’re getting into your smart car, your smart home tells the smart door lock to lock itself and your smart vacuum cleaner to start cleaning.
On your way to work, you love to read one of your favorite Stanislaw Lem stories. You don’t drive by yourself – you are not a racing driver, are you? Besides, your car doesn’t even have a steering wheel.
The trip to work goes smoothly as usual. Unless…
Internet All the Things
We’re surrounded by a vast network of interconnected devices, communicating with each other directly or through intermediate subsystems. We are creating complex, interdependent, ubiquitous, real-time systems which make decisions and take actions with little or no human interaction.
Making these devices interconnected means they need to have a way to communicate with the external world. They can use the Internet, Bluetooth Low Energy, or other communication technologies, and doing that, they become exposed to potential security vulnerabilities.
Since 2014, when the IoT/smart devices topic started to gain momentum (i.e. hype), we have witnessed many security breaches of those technologies. Some examples:
1. October 2016: A large group of malware infected IoT devices such as IP cameras, home routers, and baby monitors (!) performed a Distributed Denial of Service attack on a company called Dyn, a major DNS provider. Thousands of devices were bombarding Dyn’s servers with garbage data in an attempt at clogging their services and preventing legitimate users from accessing them. Users of some of the biggest portals such as Netflix, Pinterest or Spotify were affected by this incident – users weren’t able to reach their websites.
2. December 2016: a security research company reported on a vulnerability discovered in some models of Sony IP cameras, allowing attackers to take over their controllers. Attackers were able to spy on users or send manipulated images. Sony released patches for the affected devices to fix the problem.
3. December 2016: An electricity distribution substation near Kiev experienced an outage, depriving a part of the city of power for about an hour. As reported by security research companies later this year, this might have been only a test before large-scale attacks that may occur in other countries in the future.
4. February 2017: Media report that user database records of CloudPets products – an Internet-connected toy brand – are easily accessible to anyone. The database was exposed to the Internet without any protection such as a username or password. Anyone who discovered its IP address had access to all data, including email addresses, logins, and passwords to CloudPets’ services and users’ voice recordings stored by CloudPets.
Those are only a few IoT-related security incidents that took place in the last years.
It is clear now that the Internet of Things brings a whole spectrum of risks not only to the world of technology but also to society in general.
What’s Wrong with Internet of Things?
Vendors rushing product releases and putting security low on their priority list expose not only their users but also themselves. Patching devices may not even be possible if a company has not considered an emergency scenario before releasing the products. PR damage may be the easiest part to handle after an incident. Lawsuits, damages, and fines will almost certainly follow.
The range of devices and systems at risk is wide. From critical infrastructure such as power grids, water supply, health system, through autonomous cars, smart homes, health monitors, to innocuous gadgets such as toys.
The cost of making a thing smart is bound to drop every year, while new applications of the IoT appear on the market. That’s just how technological cycles work. With lower costs, the vendors of all kinds will be even more eager to make their products “smart”.
Year by year, we will rely more and more on these kinds of systems as individuals and as a society. At some point, it will be impossible to escape the IoT.
What can we do as individuals and organizations involved in building IoT related products to make them more secure?
It is simple: care more about the security and social responsibility behind IoT.
With Great Power Comes Great Responsibility
The decision to implement security features should never be based only on a financial profit/loss analysis for your company. It is ethically dubious not to secure your product and, consequently, expose your users to risk because it is cheaper this way, or because you want to release it to the market early. In fact, it is always ethically dubious to consciously expose your users.
Making a product secure does not necessarily mean that you need to carry out time-consuming and expensive R&D, and most of us do not work on projects as complex as a smart car. Those who work on this kind of project should have the resources they need to properly secure the technology they build.
While making a 100-percent hack-proof product might not be possible, researchers say that many incidents related to consumer electronics could have been easily avoided just by applying the standard best practices.
Thanks to initiatives such as the IoT Trust Framework and the OWASP IoT Project, we have access to these best practices. The Internet is full of publications from security researchers explaining the pitfalls of the IoT. Much of the necessary knowledge is out there; you just need to reach out for it.
Security should be an important part of your organization’s culture. It’s not just about keeping you safe from a PR nightmare or lawsuits. It is about the responsibility for the potential harm your product can cause. And it’s our job to provide you with tools and solutions that will help you protect users from as many security risks as possible.
Piotr is one of the developers behind Zapp Ride Share, the electric scooter rental service operated with a mobile app – designed and developed by 10Clouds.