I went to the very first Internet of Things (IoT) meet-up in New York City five years ago when the term “digital transformation” was just starting to become a buzz phrase and IoT devices were appearing everywhere. It was then that I realized the impact all those interconnected “things” would have on cybersecurity.
Devices before IoT where just that, devices. They ran on code and were made to solve a specific purpose. It could have been to program your thermostat, a garage door-opener or an EKG machine. Now all of these devices are interconnected. If you want your thermostat to change to a warmer setting as you pull your car into your garage, that is now possible. All of our devices are conveniently connected and able to communicate with each other either via central control systems or with some consumption device like your phone or tablet. Getting too hot? Just have your thermostat signal your blinds to close. Speak into your phone and have your front-door unlock. Washing machine in need of a check-up? It can request service by itself through an API call.
Realities of Modern Convenience
Sure, we call this modern consumer convenience, but it is also very convenient for an attacker. As more and more devices are connected, the attack surfaces infinitely increase and therefore vulnerability potential increases.
Some consumers may not find this concerning. “What is an attack surface anyhow,” they may ask? And manufacturers may be more concerned with getting products out to market before even considering the potential vulnerabilities that live in their products. Why would someone want to mess with your thermostat, your blinds, or read your EKG? Until we hear about what it could mean when someone hacks into our devices: maybe it's your baby monitor and scaring your family with weird noises and threats or what if someone hacked into and turned off your pacemaker, then we suddenly realize the potential.
Why is Securing IoT Devices So Different?
So how is securing these devices different than securing other devices such as desktops, servers and cell phones? Attackers hacking into devices with vulnerable code is not new. So, what is different with IoT and why is it hard to secure these devices?
There are multiple factors at play here, let’s look at some of them:
Failing To Completely Understand The Risks
Manufacturers always want to be first to market, launching the latest device but failing to understand the true security risks that these devices may hold. This means that in a race for functionality, some security defects may be overlooked. Often consumers do not understand the security risks of these devices and thus, do not hold the manufacturers responsible for these risks. I have heard a personal EKG device manufacturer say “I don’t think anyone would care to hack our device,” and a potential consumer in the same setting back them up.
When “things” are attacked, it is difficult to detect the attack and ultimately place responsibility on the manufacturer. After all, if Windows® crashes, resulting in the loss of a days’ work, it is easy to blame it on Microsoft®. However, if a Wi-Fi router is being used by attackers to mine Bitcoin, it may be using a bit more electricity, but is likely unnoticeable to a consumer.
Ease of Set-up and Authentication
Deployment of IoT devices has inherit security flaws as well. Typically locking down a device by setting a secure password or installing security keys for communication requires some work on the consumer side. However, these devices are designed to be installed as easily as possible, with minimal to no configuration. Unfortunately, this means that default passwords are hard-coded into the devices, insecure communication protocols are used, and the most lax permissions are selected.
Lack of Patch Management
Finally, when vulnerabilities are discovered in servers, desktops or phones - they are patched. Patches are distributed and installed on the affected systems. Patch management however, becomes more difficult in embedded devices. Here, patching mechanisms either do not exist, or are poorly implemented. Sometimes patching may not even be possible. While you can update a Windows machine with some downtime for a reboot, rebooting a pacemaker is probably not in the best interest of the user.
Working Towards Better Secured IoT Devices
These reasons and more are what make the IoT world so lucrative for attackers and so difficult for security practitioners. Nevertheless, this does not mean that we should just give up. There are ways of making IoT devices both convenient for the consumer and secure from attacks. It just requires a little effort and rigor.
To learn more about IoT Security, please join us June 12, 2018 at 2:00pm ET for our live webinar, IoT Security: Debunking the “We Aren’t THAT Connected” Myth.