The Tangled Web of IoT Security
May 6, 2014 7:06 AM PT
The Internet of Things, or IoT, consists of "uniquely identifiable objects and their virtual representations in an Internet-like structure," according to Wikipedia.
The IoT is "the network of physical objects accessed through the Internet," according to Cisco Systems.
In addition to there being no clear definition of the IoT, estimates vary widely about the number of unique devices it includes. There are an estimated 26 billion devices, according to Gartner, but a whopping 212 billion, according to IDC.
Which Technologies Are in the IoT?
The IoT includes GPS in cellphones and tablets, as well Internet-accessible technologies like RFID (radio frequency identification), QR codes and barcodes.
The global economic impact of these "things" lumped together as the IoT, often labeled "devices," is significant.
The Internet of Things has the potential to create an economic impact of US$2.7 trillion to $6.2 trillion annually by 2025, Microsoft said, based on statistics from McKinsey Global Institute.
As a result of the IoT, "potentially billions of devices will report data about themselves, making it possible to create new applications in areas as diverse as factory optimization, car maintenance, or simply keeping track of your stuff online," notes an MIT Technology Review report.
So Many Devices, So Many Security Issues
"The challenge we have is that each of those areas is really pretty separate ... . It's not going to be one-size-fits-all for IoT security," commented Bret Hartman, Cisco's vice president and chief technology officer for its security and government group.
Usually these endpoint devices aren't very big. They don't have a lot of compute power to do much, especially around security. There are IP-addressable light bulbs, for example. There's not a whole lot of processing power left in there for security.
If light bulbs are vulnerable, though, then a bad Internet player could darken a competing business, or turn off lights to commit crimes.
Where Is the Risk?
The "sheer scale of scope of the challenge" to manage so many devices in the IoT is addressed in a recent Computerworld report that provides a laundry list of IoT items:
"everything from home automation products including smart thermostats, security cameras, refrigerators, microwaves, home entertainment devices like TVs, gaming consoles to industrial control machinery and smart retail shelves that know when they need replenishing."
The IoT challenges "are around volume, stealth and persistence of attacks," Kevin Epstein, vice president of advanced security at Proofpoint, told Computerworld. "Now imagine the volume of attacks increased by [ten-fold] ... and no one could turn off the sending devices."
The IoT has been discussed since about 1991, particularly with the use of RFID. With the growth of the Internet, many new technologies have been included in the IoT, complicating management of security.
A variety of possible cyberattacks threaten data and IT equipment located in the cloud. However, the IoT includes all kinds of devices affecting individual consumers who may believe they have privacy -- for example, capturing consumer driving information when obstensibly collecting automobile insurance data and GPS data.
Point of Sale (POS) devices also are vulnerable to cyberintrusions, according to Verizon's 2014 Data Breach Incident Report.
"... restaurants, hotels, grocery stores, and other brick-and-mortar retailers are all potential targets.
From an attack pattern standpoint, the most simplistic narrative is as follows: Compromise the POS device, install malware to collect magnetic stripe data in process, retrieve data and cash in.
Recent highly publicized breaches of several large retailers have brought POS compromises to the forefront."
Encryption can help protect IoT data, the Verizon report recommends.
"Considering the high frequency of lost assets, encryption is as close to a no-brainer solution as it gets for this incident pattern. Sure, the asset is still missing, but at least it will save a lot of worry, embarrassment, and potential lawsuits by simply being able to say the information within it was protected. Also, periodically checking to ensure encryption is still active is right up there too. This will come in handy when the auditor or regulator asks that dreaded question: 'How do you know for sure it was encrypted?'"
A few years ago, the U.S. State Department first started equipping U.S. passports with RFID tags. That passport data could be read from as far away as 30 feet, raising alarm about the security and privacy of the passport data among privacy experts.
To prove how vulnerable passport RFID data was, protestors purchased equipment on eBay for about $250 and used it to hijack RFID passport data. They proved their point. As a result the State Department had to make changes to the RFID tags.
IoT is part of the Internet and everything is connected, yet many individuals do not realize how vulnerable IoT is, and what that vulnerability means to them, including the risks to their assets and their privacy.
Surely we will continue to learn more about IoT as it grows.