In many ways, the current obsession with the Internet of Things (IOT) is understandable. The tech press is constantly on the lookout for something cool and fresh to write about, and IOT is this year’s hot topic. Plus, the idea of connecting essentially everything to everything is pretty compelling at a conceptual level.
However, there are some harsh realities that really shouldn’t and can’t be ignored. Whether we want to admit it or not, anything that gets connected to either a wired or wireless network has the potential to be—and probably at some point will be—hacked. Whether it’s a security camera we install in our homes, a connected module inside our new cars, or an automated building HVAC (Heating, Ventilation, Air Conditioning) system within the buildings we work or visit, the threat is there.
Unscrupulous individuals could leverage the connection to these devices to either cause functional difficulties on the devices or systems themselves, or simply to use them as a backdoor entry into other devices on a connected network and create problems there. We’ve already seen incidents of individuals who’ve shown that they can “break” into various car systems to cause potentially lethal issues to still or even moving cars. It’s also been reported that some of the bigger hack attacks on large corporations actually came through seemingly innocuous devices (like connected HVAC systems) sitting on their networks.
Of course, security-related issues for connected devices are nothing new. We’ve been reading and hearing about computer-based hackers for several decades now. But what is new is the amount and range of devices being connected to a network. With IOT, the number of connected devices goes through the roof. On the one hand, you could argue that this makes the likelihood of an attack on any particular device go down. However, the overall attack surface is increasing so much that it’s creating an extremely attractive target for the more sophisticated, organized and aggressive hackers now initiating these attacks.
A big part of the problem is that most of these new IOT devices are not being brought to market with a robust security model in mind. Instead, the focus is on offering simple connectivity in order to give them new functionality, with easy access being a core part of this new capability. Combine this with all the well-intended efforts that have been introduced over the last several years to make networking easier, and you’ve got the recipe for a potential disaster.
Another key part of the issue is that it’s difficult to think through all the potential scenarios that these kinds of IOT devices might be put through. What we really need are extremely simple tools that can tell us things like what kind of information is being broadcast around our networks, what sorts of “requests” for information are being sent to our networks, how to block and/or stop this kind of information, straightforward explanations of what it all means, and so on.
At the same time, despite the potential hit on convenience and ease of use that this might entail, we need to give serious consideration to making more network and communication settings “off” by default. Admittedly, this is a different (and difficult) mindset for most vendors to adopt, but I’m concerned that if we keep moving in the direction of letting everything just start connecting to everything else, just because it can, we’re in for some very difficult challenges.
As technological improvements around IOT connectivity start moving faster, it’s not only worth our while, but essential for us to step back and really start thinking about what the implications really are and will be. There will always be tradeoffs between convenience and capability and ease-of-use and privacy, and sometimes and for some people, those tradeoffs will be worth accepting. However, for many, the potential risks outweigh any minor potential rewards. If vendors, and the tech industry overall, really want IOT to reach the kind of potential that many believe it has, they’re going to have to put security (along with clear explanations of security issues and settings) at the forefront of their efforts.
11 thoughts on “Breaking the IOT Connection”
It is still the early days of IoT and, as you say, there are some tradeoffs, and security may not be at the forefront of wireless protocols. In an application where it is critically important, a workaround can be put in place by the hardware or application developer till the security specification is stable enough.
Fair enough, but my point is that the security-related issues need to be made much more clear….
I am not an expert on the issue, but it would seem that the article in a link above presents the technical tradeoffs and lists workarounds. An application or a hardware developer should be able to look at it and a particular implementation and come up with a solution.
In general, we have technologies that can ensure very good security. But the electronics industry is known for penny pinching, so most products don’t use them.
Add that to the lack of ability of consumers to measure the security of a product (which I would say is the core problem here) and you get a problem of bad security.
This is true for B2B, but if we talk about consumer products, most users don’t even care.
Mature companies (MS, Adobe, Google, Apple…) with large resources, dedicated teams/procedures/experience… are having security issues… about every month? on a limited number of rather mature products.
I shudder to think what the security (I’d expand that to reliability even) of IoT will be for a loooong time.
And yet if you look at integrity-OS (which is an operating system for aeroplanes), for example, it has been certified by the NSA.
Does the NSA certify an OS because they can’t hack it, or once they have hacked it? :-p
Funny you mention an “OS for airplanes”; didn’t someone get arrested for allegedly hacking a commercial airliner recently? Will my IoTs be safer than an airplane?
As far as I know, the internal networks on a plane either physically isolate the control parts (engine control etc.) from stuff that’s more open, or, if that’s not used, they use a special switch with a fixed, non-changeable list which determines which device can connect to which device, thus again not allowing connection from unsecure places to secure parts of the plane.
So it’s not even possible to get to the OS remotely.
With regards to the latest airplane hack, I’m not sure which case you refer to; do you mind linking it so we can discuss it?
see: comment by neurotech1 “At worst this guy could send a fake message to other passengers, and maybe cause an IFE system warning in the cockpit. Oxygen Masks are controlled by a completely separate system to the IFE.”
IFE – in flight entertainment.
Basically, no access to the secure network.
I think that access to hardware should only be allowed from the high-level interfaces: no USB drives, low-level commands, etc.