Anyone who is remotely interested in technology knows that IoT is experiencing a boom. Amazon shipped more than 100 million devices with Alexa in 2018. Not only is the number of IoT devices increasing, but so are their applications. It’s not just smart assistants and internet-connected video cameras anymore; IoT is now used in everything from medical devices to huge industrial machinery. As a result, security for IoT devices grows more important every day.
Importance of IoT security
IoT is a revolutionary technology that has proven to be a magic fairy dust that can transform whatever it touches. It has provided, and continues to provide, previously unnoticed data. And that data is showing a never-before-seen picture that is transforming the industrial landscape. Industry giants are recognising its potential as something more than a cool trick that changes the colour of the light in your room.
This brings us back to the exponential growth of IoT and the importance of securing IoT devices.
Securing IoT: Malware and botnets
An often-discussed case study in IoT security is the Mirai botnet of 2016. The botnet infected devices such as cameras and routers and used them for a DDoS attack on many websites. The same malware also caused the infamous Dyn attack, which took down many social media websites.
The malware highlighted the lack of security for IoT devices. Mirai essentially had a list of around 60 commonly used factory default usernames and passwords for these devices. All the malware had to do was identify vulnerable devices on the internet and try these credentials (Oversimplification? Yes).
The incident presents a potential for a Stuxnet-like scenario, without even the need for an infected USB stick.
In another incident in 2017, which luckily did not cause any damage, it was revealed that cardiac implants from St Jude’s were vulnerable to attacks that could deplete their battery or send unauthorized commands. IoT is coming to medical implants whether you like it or not. And it’s not without its uses. Internet-connected devices can help patients manage their conditions easily. Even something as simple as atrial fibrillation detection by the Apple Watch has already saved lives. But it’s also important to keep these devices secure.
Legislation about securing IoT devices
Keeping in line with these, the State of California passed a law in 2018 banning device makers from using default passwords on their devices. Instead, individual devices will need different passwords out of the box. The law also mandates that all new devices need a feature that requires a user to generate a new means of authentication before accessing the device. Similarly, the UK is drafting a bill with similar provisions, which would also require OEMs to show users how long they will provide updates after the purchase.
Apart from the obvious, these new rulings will be an additional incentive for IoT developers to focus on the security of their devices.
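The two provisions described above (a different password on every unit, and a forced change before the device can be used) are sketched below as an added example that is not part of the original article. The `Device` class, the `provision` function and the denylist entries are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample of weak passwords; a real product would ship a larger list.
DENYLIST = {"password", "admin", "12345678", "default", "changeme"}

def _kdf(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the stored value cannot simply be looked up.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Device:
    """Hypothetical account model for one device."""

    def __init__(self, password: str):
        self._store(password)
        self.must_change = True  # factory credential only unlocks the change step

    def _store(self, password: str) -> None:
        self._salt = secrets.token_bytes(16)
        self._digest = _kdf(password, self._salt)

    def _matches(self, password: str) -> bool:
        return hmac.compare_digest(_kdf(password, self._salt), self._digest)

    def login(self, password: str) -> str:
        if not self._matches(password):
            return "denied"
        return "change_required" if self.must_change else "ok"

    def set_password(self, current: str, new: str) -> bool:
        if not self._matches(current):
            return False
        # Reject short, well-known, or unchanged passwords.
        if len(new) < 12 or new.lower() in DENYLIST or self._matches(new):
            return False
        self._store(new)
        self.must_change = False
        return True

def provision():
    """Factory step: give each unit its own random password (printed on its label)."""
    label_password = secrets.token_urlsafe(12)
    return Device(label_password), label_password
```

Because no two units share a factory password and that password cannot be kept, a fixed list of default credentials of the kind Mirai relied on has nothing to match against.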
Challenges in keeping IoT secure
As you can imagine, the sheer number of devices is a major challenge. Each device presents an opportunity for a bad actor to compromise the security of the entire network. The large number of devices creates multiple challenges.
Lack of customer awareness
For industrial software systems or IoT solutions, it is possible to provide extensive training to the users about good security practices. Even though IoT is relatively new, the importance of confidentiality and of not sharing passwords is not unknown to industrial users. The same cannot be said for consumer IoT products.
This is demonstrated by the fact that “password” is still one of the most commonly used passwords. While the average internet user knows enough to avoid Nigerian prince scams, there are plenty of people who don’t change their default passwords. For a customer, it’s a watch, but the reality is, it’s a pretty good computer. For an average user, a microwave that talks back is probably just a funny thing. But it is a computer with a microphone that can pick up any conversation in the room.
At least for the foreseeable future, until the average user is familiar enough with IoT, developers cannot rely on consumers to keep their devices secure.
Updating the devices
Most devices don’t have any known vulnerabilities when they reach the customers, but without frequent security updates, it won’t remain like that for long. When new vulnerabilities are revealed, they have to be patched. But here the challenges are twofold.
The first is that releasing constant firmware updates is expensive. Manufacturers are not keen on spending more on devices not bringing in revenue. Obviously they’d rather invest in developing and launching new devices.
The same is true even for something like smartphones. Most people use their phones for at least 4 or 5 years. But most OEMs stop giving updates by 2 years or less (there are exceptions to this). Imagine a similar approach for other smart home appliances. You’re not going to throw away your smart refrigerator after 2 years, and your microwave oven after 5. Most users buy these products with at least a decade of use in mind.
The second challenge is in delivering these updates themselves. With smartphones or smartwatches, delivery is pretty straightforward. Sure, there are challenges associated with the large number of devices, but most OEMs have overcome that. But what about devices with constraints on battery life?
For devices installed for a long time without a constant power supply, battery life is a concern. Sensors monitoring water or gas supplies to a city, or actuators controlling them, are designed to work with low power consumption. The devices collect data at regular intervals, send out these small amounts of data, and sleep the rest of the time. Sending over-the-air updates to these devices will be a challenge. Of course, you could always update these devices in person, but that presents its own set of challenges.
And these challenges exist for industrial devices too.
No standards yet for IoT security
As of now, there are no global standards for securing the internet of things. The recent California law and the bill from the UK are among the small number of pieces of legislation for securing IoT. And many experts, while hailing them as a good start, have criticised their small scope. There are recommendations from various concerned organisations, but without the power of legislation or benefits for adhering to them, they remain just recommendations.
As demonstrated by the recent data breaches, current legislation regarding them is not effective or doesn’t have enough teeth. Even now, social media companies take their sweet time before notifying consumers about data breaches.
The UK approach appears to be a good start: making consumers aware of the security levels of the devices they purchase may serve as an incentive for OEMs. A security rating similar to the IP ratings for water and dust resistance would help consumers quickly identify how secure their devices are.
Potential solutions for IoT security
Aside from better legislation and standardisation of security, experts have recommended practices to improve the security of your IoT devices. But for starters, don’t use default passwords for all your devices.
Security from the ground up for securing IoT
Instead of testing for vulnerabilities at the end of development, consider security from the initial design. Consider the device lifetime, and plan how you’ll provide security updates for a large portion of that.
Experts have recommended involving “security champions” – experienced industry veterans already in your organisation – in your development process. The argument is that they’re well aware of the security challenges present and capable of prioritising based on the risk and resources available.
Don’t make security an afterthought.
IoT security: Follow the data
The major challenge in securing IoT as of now is preventing the devices from getting infected and used as zombies in DDoS attacks or for mining cryptocurrency. The next major challenge is storing the data securely. So follow the data, from where it is collected to where it is stored. Find out where in this pipeline an attacker can strike. Of course, beyond simply leaking your data, an attacker holding it for ransom is a major problem. So keep your devices secure, and your data more secure.