G20 Executive Talk Series

IOT

Authored by: David Clemens

Change your Wi-Fi Password NOW!
Assessing Tomorrow’s IoT Risks

Effective security will remain as one of the main roadblocks in the implementation of IoT technology unless developers can address new risks.

On October 21, 2016 the United States was hit with a massive DDOS attack that knocked out several websites for hours in the early morning. Disrupted denial of service attacks (DDOS) flood and overload servers with fake requests to disrupt online services for Americans and their companies. In this attack, security experts report that Mirai, a software program, was used to infect technology ranging from DVRs, to routers and even internet connected cameras. Mirai accessed these devices through malware from phishing emails, a process in which hackers send emails disguised as legitimate businesses in an attempt to gain access to one’s information. This method is new and unique because, unlike a traditional network breach, the hackers took control over insecure devices by using simple methods, like searching for open networks and devices that still use factory-default passwords. The most troubling element of this attack is that Mirai’s open sourced code was recently made available on the internet.

Today, Internet of Things (IoT) devices allow for hackers to conduct attacks at a reduced cost to what was previously possible. Looking forward, effective security will remain as one of the main roadblocks in the implementation of IoT technology unless developers can address this problem.

Hacking IoT Devices
The two main methods that can be used to hack into IoT devices come from the software and hardware part of the device. On the hardware side of the device, external control can be attached to a processor and enable external control of the system. This technology has been around since 1990 and is commonly referred to as the JTAG methodology. For IoT devices, the challenge with hardware will come from whether or not the device can authenticate if the user has the rights to debug parts of the system or if it is a hacker trying to gain access to the execution of code in the processor line by line. In layman’s terms, imagine owning a jump drive, which when plugged in, convinced the computer that the jump drive is part of the machine, and thus is given access to its internal workings.

On the software side, the greatest issue in addressing hacking into IoT technology comes from the ability to access the rest of the network. The idea of containers allows a user to access certain key parts of a devices infrastructure (the kernel of a system). As the number of devices increases so does the difficulty in applying security updates. Think of the differences between a webpage viewable to everyone compared to the developer page that contains additional commands. Currently, devices cannot prevent hackers from accessing all of the commands.

ON THE SOFTWARE SIDE, THE GREATEST ISSUE IN ADDRESSING HACKING INTO IOT TECHNOLOGY COMES FROM THE ABILITY TO ACCESS THE REST OF THE NETWORK.

Difficulty in Implementing IoT Security Systems
Security services have developed alongside other Internet technology. Since IoT devices are a new way to allow for internet connectivity, these new variables throw a monkey wrench in the traditional method of closed operation cyber-security which keeps the security elements on a closed loop. Systems such as CCTV cameras, when fitted with IoT devices, have a greater chance at becoming compromised. Even though IoT technology implementation is limited now, in the future when it is expanded to other sectors it can carry much greater security risks. These types of devices are difficult when control systems are attached to infrastructure. Nuclear power plants, banking, and autonomous vehicles are all at risk if effective security protocols are not made at the founding level. Implementing patches or security updates is difficult because the function and safety must not be compromised in the process.

Embedded devices such as GPS receivers or mp3 players, while convenient, are difficult for developing security for, because of their low power consumption and limited connectivity. Many times, the devices have to make decisions about whether to accept a command or execute a task without immediate human control. Also, IoT chips will not be big money-makers since these are tiny and usually based on outdated architectures. The cost in this instance actually can work against more current architectures, since the low cost makes it difficult to reconcile use when compared to increasing the security profile. If a vulnerability is discovered, then it is difficult to fix because it would be more cost effective to buy new devices, thus continuing the security dilemma.

Possible Solutions
The current methods used for security can be retrofitted right now for IoT devices, but true security innovations will have to be built from the ground up. The confidentiality of data will remain a top priority for both businesses and consumers, and nowhere is IoT security more important than in the security of data in motion between devices. Current controls such as using a VPN or physical encryption methods such as 802.11i (WPA2) and 802. 1AE (MACsec) offer additional protection, with most devices in the future will run in Internet Protocol version 6 (IPv6). IPv6 allows for 128 bits instead of the limited 32 bits of IPv4, multiplying the amount of address space which creates a security barrier against port scanning.

EMBEDDED DEVICES SUCH AS GPS RECEIVERS OR MP3 PLAYERS, WHILE CONVENIENT, ARE DIFFICULT FOR DEVELOPING SECURITY FOR, BECAUSE OF THEIR LOW POWER CONSUMPTION AND LIMITED CONNECTIVITY. MANY TIMES, THE DEVICES HAVE TO MAKE DECISIONS ABOUT WHETHER TO ACCEPT A COMMAND OR EXECUTE A TASK WITHOUT IMMEDIATE HUMAN CONTROL.

To avoid these related issues, security cannot be an add-on to a device, but instead must start at the hardware level, to which software security controls can be introduced on the operating system level. The current methods of using closed, proprietary systems trade ease of use for increased security measures and will be ineffective in the future.

While there is no “perfect solution” right now for IoT security, the current methods can be adapted to provide greater protection for IoT devices. Adapters of IoT need to stay weary of the tradeoffs between cost, security, and reliability. Once more smart technology is in the marketplace, industry and government will have to make the decision of whether or not IoT systems are the most cost effective method to achieve the standards required. Once this problem is solved, society can then begin to use IoT on a city, or even nationwide scale.

Editor’s Note: Experts recommend that Wi-Fi passwords should be changed every 60-90 days, keeping them set on default will only continue to allow them to get hacked.

David Clemens is a Contributor to Diplomatic Courier Magazine in Washington, DC.

Share: