Stories of baby monitors being viewed across the globe, and your lights being controlled from a living room in a faraway land, highlight the vulnerability of many IoT devices.
In this blog we discuss:
- How has IoT security changed?
- What is the correct level of security for IoT devices?
How has IoT security changed?
The concept of the Internet of Things (IoT) has been around since the late 90's, although it took another decade before connected devices outnumbered human internet users. Today there are over 25 billion connected devices, and the number is expected to reach 40 billion in the next 5 years. That's a lot of devices, all manufactured without a common security standard, and consequently with varying degrees of security.
The IoT ecosystem has grown quickly, but security has not kept pace. In the early days of connected devices, security was not a major concern. The number of devices was small, they were not high-profile enough, and there was often little value to be gained from hacking the first incarnations.
The threats were generally perceived not to exist, and whilst some more responsible developers may have recommended improved security, the appetite for spending real money on the creation and maintenance of security infrastructure just wasn't there.
Securing IoT devices is not free: it's an "inconvenience" first encountered in design, and then again in manufacturing, distribution, provisioning and product support – one which many product developers will choose to avoid.
As more devices have become connected, the attack surface for adversaries has grown. And as attacks became more common, attitudes started to change as the public became aware of easily hackable baby monitors and home security systems, and larger attacks such as by the 14-year-old in Poland who hacked a city’s tram system with a homemade transmitter that tripped rail switches and redirected trains, resulting in derailed trams and dozens of injuries.
The ease with which it is possible to gain access to in-home devices online is frightening. Within minutes, it is possible to view images from a dozen web-cameras around the world. With inexpensive off-the-shelf equipment attackers can spoof a real network and collect and exploit data such as login details from any device that connects to it, and software is readily available for cracking passwords.
So, the threat is real, and today most companies recognise they need to implement security on their devices. We've seen a big change from the beginnings of IoT where security was afterthought, to one where security is now front and centre.
Should everyone implement the highest security level?
It's easy to say everyone should implement the highest level of security, but that’s not always a practical solution. We don't deploy the same security protection on every building in the world, and we don't need to apply the same security protection to every IoT device.
Consider the security requirements of an igloo in the arctic (none); a house in a remote village (low, as a deterrent); apartment in city with higher crime rate (medium, to repel active attack); prison complex (high, capable of withstanding serious attempts to breach); crown jewels, Tower of London (very high to prevent sophisticated, well-funded attacks). Not all buildings require the same level of security, and neither do connected devices.
On one end of the scale is a temperature logger in the greenhouse at the bottom of your garden, and at the other end is a device connected to a city’s traffic management or rail network infrastructure. If script kiddies hack the temperature logger, your tomatoes might wilt: the personal, social, political, and economic consequences are modest to non-existent. If malevolent actors hack the city’s traffic management system, the consequences don’t bear thinking about.
Further, there are many security threats to consider: denial of service, data theft, data modification, man-in-the-middle attack, device control, ransom attack, pivot attack, and physical hardware attacks. However, as illustrated above, the risk – expressed as the product of likelihood of the threat materialising and the impact if it does – will vary significantly with user type (private individual to large corporation), deployment context (‘air gapped’ to integrated network) and application (passive monitoring to closed-loop control).
The consequences may range from knowing the temperature in your greenhouse, knowing when your home is occupied, accessing your personal data, passwords, and bank details, or controlling your alarm system and other in-home devices, to data breaches and equipment failure in a major corporation or critical infrastructure, with the associated knock-on effects for these companies and the general public.
Yet, most connected devices are designed for lowest cost, with limited memory and processing power, and longest battery life. The cheapest connected device might only cost a dollar to produce but won’t be very secure. Security must be factored into device cost and into the business case underpinning the development.
The first step in getting IoT security right is to understand the relevant threats and consequential risks that must be addressed. Then designers can select appropriate security measures, which can be introduced in all aspects of the product design and development (in both hardware and firmware), including hardware protection against tampering, defensive programming, secure boot, signed images, secure storage, certificates, SSL, encryption, key management, authentication, event logging, run-time integrity checks and remote security updates.
By deploying the appropriate industry best practices where it matters, you can build devices with the right level of security – without breaking the bank.