The rapid expansion of the Internet of Things (IoT) and the security issues created in its wake have quickly captured the attention of governmental and regional bodies and consumers.
According to a survey by Auth0, more than 50 percent of consumers and 90 percent of developers are skeptical about IoT security.
The security problem — and, just as important, the security risks that consumers perceive in internet-connected devices — represents a real threat to the hundreds of millions of dollars companies are pouring into connected devices of all stripes.
And with the technology still in its infancy, defining a finite framework for its security is a challenging task.
“The Internet of Things is a complex idea and organism, constantly evolving to both its own needs and the needs of consumers. As such, to provide hard and fast security rules would be similar to knowing the workings of a biological creature,” wrote Jen Martinson, editor-in-chief of Secure Thoughts.
Taking lessons from past experiences, the tech community is scrambling to plug the leaks before the situation spins out of control, and many startups and established companies in the tech industry are using this window of opportunity to mitigate the threats and decide the fate of this fast-growing phenomenon.
From solutions for connectivity threats to data protection and the quarantine of potentially compromised devices, startups and tech giants are developing solutions for the problem areas in IoT security.
Dealing with network connectivity threats
The always-connected nature of IoT devices makes them especially vulnerable to breaches from outside attackers or from compromised devices sharing the same network.
Surveys show that there’s a general negligence when it comes to securing communications protocols and many IoT devices are still suffering from the famous HeartBleed vulnerability — which could allow hackers to stage man-in-the-middle attacks and steal sensitive information such as passwords.
Since engineers who build IoT devices aren’t necessarily network security experts, it’s only natural that they leave security gaps behind.
Patrick Foxhoven, CTO of Emerging Technologies at ZScaler, explains, “More often than not, IoT devices are developed by companies with a different mindset – they think about user experience before security or compliance. These devices increase the attack surface of a network, and IT needs to put a plan in place to secure them.”
The results from the Auth0 survey indicate that many developers ship their products while feeling pressured to rush an application to the market. Under such circumstances, they normally overlook security concerns and stick to being feature complete on their products.
Therefore if there was some way to abstract and outsource IoT device connection into readymade packages, a lot of the security issues that are being faced by this fledgling technology could be overcome.
This is the idea behind GENBAND’s new product, Kandy Communications Platform-as-a-Service (CPaaS).
According to Paul Pluschkell, who runs the project, Kandy “provides multiple layers of security that are important to IoT applications.” As Pluschkell explains, Kandy uses a combination of secure protocols and encryption technologies, including HTTPS and Secure Real-Time Protocol (SRTP), to provide data privacy, end-to-end encryption, and advance authentication mechanisms in order to ensure device integrity.
GENBAND offers its Kandy platform through simple and flexible APIs and wrappers, which allows systems to communicate without compromising or accessing each other’s underlying data and structure.
On-device data protection
Physical and on-board security is something that is generally neglected in respect with IoT devices. This can become the source of serious security headaches given that a wide range of these devices are often left unguarded in the open and attackers can gain direct access to data stored on devices.
But sensitivity varies for different devices. “A lot of innovation and development comes down to context,” says Martinson “Weather data doesn’t need to be protected, but someone’s GPS coordinates should be.” And device data context changes over time. “When our toasters eventually adapt to take biometric readings for optimal toasting efficiency,” she says, “security measures will form to protect that information.”
The most obvious solution to on-device protection is the encryption of data, an approach that is being endorsed by more and more vendors, including Apple and Microsoft, which are implementing default disk encryption on their new mobile operating systems.
Smaller vendors are also grasping on the idea of on-device encryption and including it as an out-of-box feature of their products. Sports Performance Tracking, a manufacturer of GPS performance trackers for contact sports, employs heavy encryption on all data kept on its devices.
Other companies such as Finnish VPN company Tosibox are providing versatile encryption solutions that add an encrypted control layer to remote data access mechanisms in order to improve file access security on devices that are lacking such features.
Without isolation, IoT devices allow attackers to move laterally across a network after they gain an entry point. This way, hackers infiltrate one device and start probing the entire system until they find the real prize, e.g. a database or repository that contains sensitive customer or business data.
“If one ‘thing’ is attacked,” says Foxhoven, “it can bring down the network and compromise the business.”
This issue is being tackled by companies like Luma, a WiFi home router shipped earlier this month by a tech startup with the same name. Aside from being a normal WiFi router, Luma is equipped with an Intrusion Detection System (IDS) that monitors traffic in your home IoT networks and looks for signs of infection or communications with a command-and-control (C&C) server. This can help in identifying and isolating compromised devices before they become conduits to breach other devices.
Describing Luma, Paul Judge, who cofounded the company, says, “We look at outbound traffic and do vulnerability scanning of all devices on the network: is the connected fridge talking to your cameras? The [networked] doorknob to your new light bulbs?”
F-Secure is taking a different approach by introducing the Sense security monitor, a device that sits between the home router and connected devices and scans all incoming and outgoing traffic for abnormal behavioral patterns, malware and phishing attacks.
According to Samu Konttinen, the company’s executive vice president, both the device and its cloud infrastructure “are not hackable.” F-Secure hopes that with Sense, consumers will never have to buy another security solution again, a goal the company wishes to achieve with the backing of 27 years of experience in the security industry.
F-Secure has many other IoT security items on its agenda is an idea called “device reputation,” a system that is supposed to scan all devices within a network and give owners indication of where they are lacking in security.
What else needs to be done?
Great strides have been taken, but we’re still very far from saying that we have the IoT security dilemma under control.
For one thing, updating mechanisms on IoT devices have become a sort of Rubik’s cube problem. Too many IoT device vendors have intentionally forgone including a means to patch and update their firmware, fearing that doing so will open up security holes to be exploited by hackers.
Others that do bake updating interfaces and features into their devices fail in implementing a secure delivery mechanism, effectively leaving openings for hackers to install and execute arbitrary code on IoT devices. Combined with poor network security, this kind of vulnerability can lead to remote hijacking of connected devices.
Another complicated issue is the huge amount of data being collected by manufacturers and stored on cloud servers. These servers are very attractive targets for hackers, and failure to secure these repositories can lead to the theft of company secrets and consumer information.
Martinson suggests user-end encryption, a method that is fast becoming popular as big data storages are increasingly being attacked by large-scale hacks. This way, even if the data vault is breached, the user data will remain safe and unusable. “The best way to not worry about cloud security breaches,” Martinson says, “is to make a server breach irrelevant.” But since vendors are one of the main beneficiaries of cloud-stored data, and they use the data for ad and sales-improvement purposes, whether they will actually opt for such a procedure remains in a “cloud” of doubt.
What the future of IoT withholds
At the chaotic pace that it is growing, the IoT industry will surely reveal great many surprises in the future months and years. The combined efforts and determination of the tech community can help us to enjoy the good surprises and avoid the bad ones.