Architecture, Network security

Appliance takeover?: Internet of Things

October 1, 2015

Had the recently departed filmmaker Wes Craven lived just a few years longer, the Internet of Things (IoT) might have provided him with the perfect fodder for one of his horror classics. After all, it has all the the potential to be the stuff that nightmares – or an episode of Phineas and Ferb – are made of.

Imagine smart, interconnected devices – from toasters and refrigerators to cars, planes and baby monitors – rising up during the night and revolting against their owners or society at large, spilling secrets and wreaking havoc. Kind of like Night at the Museum…except with malevolent electronic devices.

OK, that's a little dramatic, no?

In reality, smart devices on the whole haven't fallen under the sway of an evil nemesis, just a stray crook or two and a host of security researchers eager to expose and fix vulnerabilities. But while these devices haven't yet been marshaled to attack or serve as ever-present sentries in some sort of post-apocalyptic world, the IoT is poised to cause some security nightmares. 

OUR EXPERTS: IoT 

Larry Clinton, president and CEO, Internet Security Alliance 

Stephen Durbin, managing director, Information Security Forum 

Malcolm Harkins, CISO, Cylance 

J. Trevor Hughes, president and CEO of the International Association of Privacy Professionals 

John Johnson, security industry executive

Sarah Lahav, CEO, SysAid Technologies 

Shankar Somasundaram, senior director, IoT, Symantec 

Craig Spiezle, executive director and president, Online Trust Alliance (OTA) 

Mark Stanislav, senior security consultant, global services, Rapid7 

Hilary Wandall, associate vice president, compliance and chief privacy officer, Merck & Co. 

Ken Westin, security analyst, Tripwire

“There's a lot of malice and a lot of devices all around us and people doing bad things, dangerous things,” says John D. Johnson, a global security expert, noting that, for example, commandeering a pin sweep on a factory floor and causing the laser cutter to rotate 180 degrees could have dire consequences. So could tinkering with smart refrigerators – on a large scale – to ensure food spoils. In the shared waters of the internet with high-functioning devices, “we're operating in an unsafe environment,” says Johnson.

Adds Craig Spiezle, executive director and president of the Online Trust Alliance (OTA), “in some ways it's the sleeping giant in the room that we can't ignore.”

No doubt, the much-anticipated IoT will bring much good to the world, facilitating the smooth flow of information – making us more productive by providing services and capabilities that we need (the fridge orders more milk, the toaster alerts to shorts and heads off potential fire, you can find almost anything by clicking on an app in your smartphone). And, in what could be a scene from your favorite sci-fi flick, Kaspersky Labs just embedded a chip in an employee volunteer.

Johnson himself is an advocate for the IoT – noting the quality of life, user experience, innovation and efficiencies it brings – and has worked tirelessly to bring security concerns about the IoT to the forefront where they can be dealt with and hopefully vanquished. The security executive, who sits on the Black Hat Executive Committee board and is leading the IoT track at the Global CISO Summit, contends the challenge of IoT “is a problem we can solve” with some thought, innovation and consensus.

Too big to secure?

But the security industry – as well as manufacturers, enterprise security pros and consumers – must work fast. The IoT, which seemed like a distant promise just a couple of years ago, is on the cusp of great growth. The number of devices is clearly exploding. Last November, Gartner predicted “that 4.9 billion connected things will be in use in 2015,” a 30 percent increase from the year before, and likely to grow to 25 billion by 2020.

“The good news is there is a lot of opportunity to secure IoT,” says Shankar Somasundaram, senior director, IoT, at security firm Symantec, which says it is now protecting more than one billion IoT devices. “The bad news: We've got to move now.”

We increasingly live in a more interconnected world, where smartphones, wearables and other devices have created “a complex ecosystem,” says Hilary Wandall, associate vice president, compliance and chief privacy officer of Merck & Co., a global health care company that operates in more than 140 countries. And Larry Clinton, president and CEO of the Internet Security Alliance (ISA), a trade association that seeks to combine advanced technology with economics and public policy, says, “A first grader can easily access things from all over the world.”

That level of connectivity certainly makes life much easier and gives a much-needed boost to productivity (information is at your fingertips in a couple of clicks), quality of life (workers can do their jobs at any time from anywhere) and efficiency (need to find a freight company that will haul your piano? There's an app for that!).

But all that connectivity and intelligence come with a price: The simplest device, a lowly toaster, for example, can become an entry point for an industrious hacker to use shared network resources in the benign environment of a home to access corporate assets that the homeowner taps into.

And the world at large is almost wholly unprepared. J. Trevor Hughes, president and CEO of the International Association of Privacy Professionals, a global information privacy community, notes that the rapid forward march of technology is “exceeding our ability to manage.” 

Indeed, most IoT devices have not been built with security in mind. Nowhere is that more clear than within low-level products whose makers never conceived of them as the conduits of sensitive information. As a result, baby monitors, routers and the like are pockmarked with flaws and vulnerabilities that in the wrong hands can be exploited to access personal information, login credentials to corporate networks and other nefarious deeds. 

Take, for instance, video baby monitors. These household devices give parents peace of mind by allowing them to check on their babies without squeaking a door open and offer the opportunity for them to share cutie pie moments with relatives a continent away. But, in research that should strike fear in the heart of any new parent – and those professionals concerned about the security implications of the IoT – a security pro at Rapid7 found vulnerabilities in commonplace retail video baby monitors that not only offer prying eyes a look into a family's most intimate moments, but could also “provide a path to compromise of the larger, nominally external, organizational network.”

Mark Stanislav (left), senior security consultant, global services at Rapid7, a global security data and analytics solutions firm with U.S. headquarters in Boston, tells SC Magazine that he put 10 video baby monitors through their paces and found vulnerabilities in all of them. There were two aspects to his research, he says: establishing a checklist that “this is the way I think cameras should work for security purposes” and discovering what the vulnerabilities were and how attackers could break in.

“All the cameras I looked at did not come to close to what I expected,” says Stanislav, who himself is preparing for first-time fatherhood and was dismayed to find that outsiders might be able to intrude on his family.

Among the most troubling of products tested was the iBaby M6 from iBaby Labs, which featured a vulnerability that allowed “any authenticated user to the ibabycloud.com service to view camera details for any other user, including video recording details, due to a direct object reference vulnerability,” the Rapid7 research shows. A small object ID space lets hackers, through a brute-force attack, gain the cameras' object IDs, which are then used to view account details. Through broken links, hackers can then surmise a filename “intended to show available ‘alert' videos that the camera recorded,” the results reveal.

Another monitor, Philips In.Sight, was discovered to have multiple vulnerabilities, among them one that concerns the web service on the backend of the company's cloud service used “to create remote streaming sessions” and which is “vulnerable to reflective and stored XSS.” Another, found in the method the monitor uses to enable remote viewing, allows insecure transport. Administrative privilege, once uncovered, “is available without authentication of any kind to the web scripts available on the device.”

What's more, a live video/audio stream is accessible to the camera if it stays open for up to an hour on an established host/port combination. “There is no blacklist or whitelist restriction on which IP addresses can access these URLs, as revealed in testing,” the research shows.

Not only can privacy be compromised, but a would-be attacker could use some of the monitors to gain access to other assets on the network – and even break into corporate networks.

The trend toward BYOD, using connected devices and working from home have amped up the risks.

If baby monitors are on the suspect list, then just imagine the severe security challenges – and dangerous scenarios – that vulnerabilities in higher level, more critical “devices” might bring.

In July, a pair of security researchers revealed that they were able to exploit a zero-day vulnerability in the UConnect entertainment system of a Jeep Chrysler to remotely control the vehicle's engine, transmission, wheels and brakes, as well as other onboard systems.

Chris Valasek, former director of vehicle security at IOActive, and former Twitter executive Charlie Miller, now both lured away from their positions to join Uber's security team, say the vulnerability was found in late 2013 to 2015 models that have the Uconnect feature. If attackers know the car's IP address, they can gain access to the car through a cellular connection. From there they target a chip in the entertainment system and rewrite firmware to commandeer the computer networks that control the vehicle's physical assets.

The find prompted Chrysler Fiat to issue a voluntary recall of nearly 1.4 million Dodge, Chrysler and Jeep vehicles for a software update. (The carmaker, along with entertainment system provider Harman, now faces a class-action lawsuit.)

Scarier still is the case of the gun – that's right, gun – that security researchers Runa Sandvik and Michael Auger were able to remotely hack into.

The married pair was able to exploit vulnerabilities in a Linux-powered TrackingPoint self-aiming rifle's software through its Wi-Fi connection, which lets users stream video of a shot to a nearby device.

Yikes! In all cases, seemingly innocuous or common items were easily compromised – by those with the know-how. And, as recent security breaches at the Office of Personnel Management, Sony Pictures Entertainment and other organizations have demonstrated again and again, there's plenty of know-how out there and plenty of bad actors willing to use it – to accomplish a number of goals.

One of the problems that makes the IoT conundrum so hard to solve is that IoT devices are typically outside the purview of IT security. Organizations haven't planned for such smart and connected devices to have the ability to allow the bad guys to infiltrate their systems.

And why should they have? Fridges aren't typically viewed as a threat to anyone but struggling dieters tempted by their contents. 

“A lot of enterprises have ignored it, and perceived [IoT devices] as low risk,” says Johnson. 

And unlike with BYOD devices, where IT security teams may have set and clarified policies for users and understand what “assets” are hooked into their networks, when it comes to the Internet of Things, they often have no clue what's attached.

With BYOD you need Wi-Fi to get on the internet so IT knows when an employee steps through the door and logs on what they're dealing with, says Sarah Lahav, CEO at SysAid Technologies, a global firm with U.S. headquarters in Newton, Mass. that develops and provides IT service management software. But, she says, IT people aren't aware that someone went out over the weekend and bought a new thermostat or coffee pot that could be used to gain access to corporate resources.

The companies that make the devices haven't thought of themselves as information or data companies either. Yet, that is what their products do: gather information and transmit it over the internet to servers or systems located somewhere else – and possibly under the care of another organization. So they've not taken steps to protect their devices the way, say, a smartphone maker might.

“The vulnerabilities associated with these baby monitors are not particularly new, as a number of disturbing actual cases have illustrated,” says Ken Westin, security analyst for Tripwire, a Portland, Ore.-based provider of information technology solutions. “In many cases, security was either not a consideration, or was added as an afterthought in these products.”

Symantec's Somasundaram (left) adds that as most manufacturers never have had to deal with security before, some basic hygiene is not being done. That's a scenario that the OTA's Spiezle finds “alarming.”

Stephen Durbin, managing director of the Information Security Forum, explains, though, that the rapid uptake of BYOD and the continued acceptance of wearables is increasing an already high demand for mobile applications for both work and home and in an effort to meet this increased demand, developers working under intense pressure, and on paper-thin profit margins, are sacrificing security and thorough testing in favor of speed of delivery and the lowest cost.

Ultimately, he says, “this will result in poor quality products that can be more easily hijacked by criminals or hacktivists.”

But device-makers must disabuse themselves of the notion that they're not in the tech security business. Malcolm Harkins, chief information security officer at Cylance and formerly CPO at Intel Security, has repeatedly pointed out that nearly every company “is becoming a tech company or has a reliance on it,” as he reiterated to SC Magazine last spring.

Further complicating the scenario is that the security of IoT devices often hinges on consumer behavior, including patching toasters, guns and toys with software updates as they become available. Any IT security pro will tell you how difficult it is to keep up with software updates at the enterprise level. To trust consumers to patch them regularly is like expecting a small child with a wicked sweet tooth to plan and shop for healthy meals. 

“The majority of devices in consumer hands will already have the security inside,” says Symantec's Somasundaram, particularly second-generation devices made after manufacturer awareness has been raised. It's getting consumers to use them that poses the biggest hurdle.

Missing, too, from the equation are any real standards and guidelines for consumers or manufacturers to follow to assure that devices – a la the use guidelines and the energy ratings on air conditioners, dishwashers and the like – are as secure as possible.

Taming the monster

Heretofore, the IoT was a bit like the Frankenstein monster, stitched together on the fly from whatever parts were available without a lot of forethought. Now, proponents are still busy knitting pieces together to keep up with – or at least cut the lead of tech advances – but going forward they need the finesse of a Park Avenue plastic surgeon to smooth the puckers and seams, retroactively applying best practices and a strategy to close security holes and thwart them from yawning open in the future.

But that won't come without changes. The IoT is likely to turn both business and security models on their ear. Gartner has said that organizations must decide in the future who will govern and manage security. The company estimates that as 2017 draws to a close, more than 20 percent of organizations “will have digital security services devoted to protecting business initiatives using devices and services in IoT.”

What's certain is that enterprise IT security will have to set policies and procedures for IoT much like it has done for other tech-driven challenges. And asset management will have to extend to those non-typical devices that the IoT could bring into their corporate networks.

“If you know about a device, it's quite easy to set up a small firewall,” says SysAid's Lahav.

“The first step to address IoT is to enumerate what's on the network and put those devices in categories and assess risk,” says Johnson. “They have to build the knowledge and capacity to understand and manage these devices.”

What's also certain is that security pros, privacy advocates, human resources reps and others within enterprises will have to work closely together to make sure all stakeholders are represented, and that the benefits of IoT are reached while the organizations' assets and employee and customer privacy are well protected.

“IT people will have to be part of a decision for purchasing devices,” Lahav says, noting that security should be a requirement but, because it may add to the cost of a purchase, companies might shy away.

Device-makers also will have to pull from different factions within the organization to work with R&D within their companies to build products to the highest security standards. Google Glass failed to pass muster its first time because privacy concerns, the creep factor, weren't adequately considered and addressed. Today, R&D at companies like Google, Microsoft and Facebook seek the counsel of the company's privacy and security experts. 

IoT devices also must come out of the gate with built-in security. Consumers expect functionality, Johnson says, and companies are loathe to shortchange them, but there should be no shortcuts around security. “They should be threat modeling and identifying types of attacks, then design and architect the devices so they're resilient,” he explains.

Spiezle says there are a tremendous amount of teachable moments to be had. Device-makers need to “go in with a healthy perspective and understand how devices will be compromised and how that can be contained,” he says.

They also will need to respond quickly when a security issue crops up as Rapid7's Stanislav praises Philips for doing. Philips notes in a statement sent to SC Magazine that after becoming aware of the vulnerabilities in its In.Sight monitor, which has been discontinued since 2013, it alerted Gibson Innovations, the company that the product category is licensed to under the Philips moniker.

“As part of our Responsible Disclosure policy and processes, Philips has been in contact with both Gibson Innovations and the security research firm investigating this issue, to promptly and transparently address known and potential vulnerabilities in Philips products,” the company says. “Philips and Gibson Innovations are committed to ensuring the security and integrity of our products,” the company said, adding that “whilst the security vulnerabilities are a concern and are being addressed, at this time we are not aware of any consumers who have been directly affected by this issue.”

A behavior-based approach

As in other facets of security, professionals are advocating a behavior-based approach when it comes to the IoT. Johnson says that baselines should be set for devices so that any activity outside the ordinary could be flagged as potentially suspicious and alert IT or the consumer, depending on how and where the device is being used. “The toaster and fridge shouldn't be sending out a whole bucketful of SMS messages,” says Johnson.

Device manufacturers, too, have an opportunity – and some would say an obligation – to include features and processes that will bring the consumer inline with security best practices. In the same way some phones or apps require users to change settings during setup, IoT device-makers could require consumers to change admin passwords and other login information as they're setting up their devices. Applications and functionality could be made to “go dark” until they apply patches and heed updates as they are issued.

“It is possible for a manufacturer to force a user to change a password and include two-factor authentication, but you can't expect consumers to do sophisticated settings,” says Lahav. “Manufacturers have to build in security from the beginning and make sure everything is there. That's the big business shift.”

And Johnson (left) points to Tesla as a company that “does it well,” noting that if any funny business is detected in a car's operation, the car won't be allowed to accelerate and could be made to slow, then come to a stop. “I don't think as much thought goes into toasters and refrigerators,” he says.

What all factions – consumer, manufacturer, enterprise, security pro – need to move forward are guidelines. Bereft of specific standards aimed at the IoT, the industry – and consumers – could benefit tremendously from a set of agreed-upon requirements, or at least a blueprint for securing the IoT. That's more complicated than it sounds, for a number of reasons, not least among them that industries are, as Somasundaram notes, working separately, vary in maturity and are at different places in the IoT cycle.

Spiezle points out, though, that seamlessly working together in the industry is doable – albeit not easy. “I've lost a lot of hair over that in the last few years…trying to work on collaborative matters with multiple stakeholders,” he says. 

“Communication, collaboration, sharing – we talk about it, but we're still not good enough as an industry at doing it,” explains Durbin.

To fend off IoT security threats and to fill the standards void, a number of alliances – some representing different industries, others widely diverse members – have come forward to focus their attention on sharing information and establishing IoT guidelines. The Alliance of Automobile Manufacturers and the Association of Global Automakers, for example, have joined forces to create an industry-wide Information Sharing and Analysis Center (ISAC) aimed at sharing best practices to mitigate automotive cybersecurity threats that let attackers gain control of vehicle systems. And, the OTA recently released an IoT Trust Framework created by a working group that included industry luminaries and determined to provide guidance to manufacturers for reducing and eliminating vulnerabilities and protecting information; providing privacy, security and sustainability best practices while advocating for a “privacy and security by design” model to establish a code of conduct that is both voluntary and enforceable. Those vendors who follow that code and meet a set of minimum standards will be rewarded for their efforts with “positive affirmation and recognition,” the group says.

Adopting any guidelines and endowing them with teeth can be challenging. “Advocates say you shouldn't do it and organizations say show me the harm,” says Spiezle. “No one has the courage to step up and say ‘This is what organizations must do,' and commit to it, largely because they don't want to assume the liability if standards aren't met.”

The OTA framework's recommendations include requiring companies to optimize the display of privacy policy “for the user interface to maximize readability” and revealing what kind of data is collected and limiting its use. 

Spiezle says the framework could be used in a number of ways, “as a checklist” for developers, a code of conduct and “must-dos” that become a regulatory framework and a “seal” program much like the UL certification program.

Regardless of how it is ultimately used, the framework and other initiatives are good first steps to assuring that refrigerators, toasters and guns don't rise up, under the sway of a bad actor, to wreak havoc on the world or just provide easy entry into private systems housing sensitive information. With more attention paid to security, consumers and enterprises alike are more likely to avoid the nightmare, and instead live the dream, of the Internet of Things. 

prestitial ad