Increasing Security Safeguards on the Internet of Things (IoT)

The current state of things

The Internet of Things (IoT) exists to make our lives easier, but it also has a dark side. If security measures are not set in place, hackers can take control of your home, your car, and even your body.

As innovative as the Internet of Things may be, recent security breaches are continuing to grow at an alarming pace. A recent HP Research study reported that the average Internet of Things gadget has an astounding 25 security flaws, and 70 percent have at least one such vulnerability.

A Columbia University study that ran a set of attacks against business systems and embedded systems in such consumer products as home entertainment systems, webcams, and Wi-Fi access points found problems in just 2.46 percent of the business products—and a whopping 41.62 percent of the consumer products. Even in the products that do have shields, those shields are undermined by default or weak passwords.

The problem is, too many manufacturers worry more about getting a product to market quickly than securing it. In some cases, a manufacturer has taken an apparatus designed for use in a private network and simply connected it to the Internet without building in any protection to speak of. It’s also true that the devices themselves are often so small that it’s hard to build in the right protection.

And most IoT products, even if secured, have no way to automatically update their security software when vulnerabilities are discovered. As things now stand, hackers can exploit any vulnerability they find for as long as the 10 or even 20 years the devices remain in use.

An inside look

To understand how breaking into the system works, we must first know how hackers operate.

Hackers who attack all these systems—home, car, health, and others—are typically trying to do one of three things: take control of the apparatus, steal information, or disrupt service.

The simplest way to stop these attacks is by preventing hackers from communicating with the gadgets they are trying to hack. And that means using a firewall and an IDPS.

A firewall acts as a gatekeeper, blocking traffic that should not be permitted to pass through. An IDPS monitors the computer system and the network to which it is attached to detect, block, and report suspicious activity. But the software for firewalls and antivirus programs takes up a lot of storage space and requires a lot of processing power to run. Most things in the Internet of Things can’t handle the software.

So, we have to take a different approach. For the most part, the gadgets that make up the Internet of Things are what we call embedded systems. These are dedicated computers that perform specific functions within more complex systems.

To secure these systems, you need to pay as much attention to what you omit from the embedded security system as to what you include. What we don’t need are systems with powerful processing engines and large databases of virus signatures and other chunks of code that act like fingerprints to help detect known threats. Instead of databases, IoT security can use rules-based filtering.

The complete firewall policy may consist of as few as 5 to 20 rules as opposed to the 200 to 2,000 rules of a typical business computer’s firewall. This smaller, faster, simpler approach to an IoT security system does not compromise security. It allows anyone to use the machine while preventing malicious users from changing settings, downloading firmware, or performing other harmful actions. Other, specific sets of rules could protect door locks, cars, or pacemakers.
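The rules-based filtering described above, as an added example that is not code from the original article or from any vendor it names: a first-match, default-deny filter driven by a three-rule table. The device layout is an assumption made for illustration (TCP 443 for normal use, TCP 8443 for settings, UDP 69 for firmware transfer, a management host at 192.168.1.10).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum action { DENY = 0, ALLOW = 1 };
enum proto  { PROTO_ANY = 0, PROTO_TCP = 6, PROTO_UDP = 17 };

#define IP4(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))

struct rule {
    uint32_t src_net;   /* source network, host byte order */
    uint32_t src_mask;  /* 0 matches any source */
    uint8_t  proto;     /* PROTO_ANY matches any protocol */
    uint16_t dst_port;  /* 0 matches any port */
    enum action act;
};

/* Constructed policy for a hypothetical device: anyone may use the normal
 * service port; settings and firmware ports accept only trusted sources. */
static const struct rule policy[] = {
    { IP4(192,168,1,10), 0xFFFFFFFFu, PROTO_UDP, 69,   ALLOW }, /* firmware: mgmt host only */
    { IP4(192,168,1,0),  0xFFFFFF00u, PROTO_TCP, 8443, ALLOW }, /* settings: local subnet   */
    { 0,                 0,           PROTO_TCP, 443,  ALLOW }, /* normal use: any source   */
};

/* First matching rule wins; anything unmatched is dropped (default deny). */
enum action filter_packet(uint32_t src, uint8_t proto, uint16_t dst_port)
{
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        const struct rule *r = &policy[i];
        if ((src & r->src_mask) != (r->src_net & r->src_mask)) continue;
        if (r->proto != PROTO_ANY && r->proto != proto) continue;
        if (r->dst_port != 0 && r->dst_port != dst_port) continue;
        return r->act;
    }
    return DENY;
}

int main(void)
{
    /* Constructed sample traffic: 203.0.113.7 stands in for an Internet host. */
    printf("internet -> 443/tcp : %d\n", filter_packet(IP4(203,0,113,7), PROTO_TCP, 443));
    printf("internet -> 8443/tcp: %d\n", filter_packet(IP4(203,0,113,7), PROTO_TCP, 8443));
    printf("lan      -> 69/udp  : %d\n", filter_packet(IP4(192,168,1,55), PROTO_UDP, 69));
    printf("mgmt     -> 69/udp  : %d\n", filter_packet(IP4(192,168,1,10), PROTO_UDP, 69));
    return 0;
}
```

The whole policy is a constant table with no signature database, so it fits in read-only memory and each packet costs at most one pass over a handful of rules.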

Some of the major players in the embedded systems market—Green Hills, Intel, McAfee, among others—are already incorporating such embedded security technology into the hardware and software of IoT devices. These companies typically don’t make the connected products themselves. Rather, they manufacture the processors and operating systems used to build the equipment. But given that some devices in the Internet of Things are rarely replaced, it will likely take a decade or two—or more—to bring all systems up to modern security standards. New systems will likely have higher levels of security, but vulnerabilities are bound to exist for the foreseeable future.

How companies can circumvent security loopholes

There are two approaches to secure existing systems. For newer products that support software updates or those that are still being developed, the manufacturer can build a firewall and security capabilities into the product’s software. The makers of gadgets like the Nest thermostat can take this approach. Many older systems have communication capability but don’t support software updates—say, older hospital-monitoring systems and older factory-control systems. Here it may be possible for consumers or the product manufacturer to add a firewall through the “bump in the wire” approach. This refers to a box sitting between the target apparatus and the Internet that contains hardware and software to shield the device from attack.

As equipment becomes more secure, this approach may no longer be needed, but it provides an immediate solution for vulnerable items.

A firewall, however, isn’t enough to protect the Internet of Things against hackers. That’s because manipulation isn’t the only problem—there’s also eavesdropping.

Data encryption is therefore critical for security. Smart locks and heart pacemakers need strong passwords: the kind that includes letters, numbers, and perhaps special characters as well. Products should also include certificate-based authentication—that is, an electronic document that identifies an individual, a piece of equipment, or some other entity addressing the gadget. This technology is used today in point-of-sale terminals, gas pumps, and ATMs, and it will likely be incorporated into future versions of home medical devices and home security solutions. It hasn’t reached these products yet in part because manufacturers haven’t invested in the up-front engineering effort necessary to make this kind of security work with their hardware.

The cost of additional memory and a faster processor could make a product less competitive. Even worse than cost, though, is the problem of integrating a product with the other Internet-linked products in a home.

To make the Internet of Things even more secure, product manufacturers can integrate a device-management agent into their products. This piece of software would allow the product to communicate with a security management system.

What you can do now

You can also do your part as a consumer in the meantime. Here are a few things you can do to protect your connected gadgets:

  1. Ensure that your antivirus software is updated.
    If you are on a personal computer or mobile device, make sure that any available firewall and antivirus software is activated and up-to-date. Make sure you scan your system regularly to identify and remove any malware or possible intrusions. A computer infected with malware or breached by a hacker can be a launching point for attacks against the IoT equipment in your home, or it may store passwords for IoT products that the hacker can use.
  2. Set secure passwords.
    If your apparatus allows you to set user names and passwords, make sure to turn that capability on and also create passwords that are not easy to guess. Don’t use your name, your kids’ or spouse’s names, or birthdays; instead, use unique spellings, number combinations, characters, and symbols, such as ampersands, question marks, or asterisks.
  3. Be wary of suspicious emails or phone calls.
    Finally, watch out for phishing and social engineering. Hackers are very clever when it comes to sending e-mails and messages that ask for user names and passwords. Be very suspicious. If you get a phone call asking for this confidential info, don’t give it. Make sure you hang up and then call the number of the business or organization that the caller had claimed to represent. Don’t use any phone number the caller may provide.

It gets better

Manufacturers are becoming more aware of the need to protect their Internet-connected products. Research is underway to develop new biometric authentication methods for the mobile devices you use to control your Internet of Things, providing authentication based on retinal scans, hand geometry, facial recognition, and other hard-to-spoof human attributes. The fingerprint authentication introduced in Apple’s iPhone 5s is a huge step in the right direction.

While companies are working towards a safer and more secure IoT environment, let’s do our part in staying mindful and vigilant. After all, technology is supposed to make our lives easier.
