We’re living in a time where it is difficult not to come across the industry buzzword of IoT, the Internet of Things. Generally, I don’t like buzzwords; I like getting things done, helping consumers and businesses by using the latest and most promising technology. But, no doubt, the Internet of Things surely represents a disruptive wave of possibilities that will affect everyone over the course of the next years. And as it is with so many other technologies, products and platforms which are currently setting out to change the world because they are based on exponentially developing ingredients, the Internet of Things is set for this exponential development, too.
There are several drivers and catalysts rocketing the Internet of Things into those ubiquitous usage scenarios. It is computing devices and processors, which get ever more powerful and further decrease. It is faster and more efficient radio network technologies, including mesh (e.g. ZigBee, Z-Wave, etc.), cellular (e.g. 3G/4G/5G, Sigfox, etc.) and internet networks (e.g. Wi-Fi, Ethernet, etc.). And last but not least, it is rapidly advancing battery technology that enables billions of connected devices in every aspect of our lives, stretching into our homes, offices, cars and even our bodies. The upcoming 2016 Consumer Electronics Show will bring a lot of news on such products. It is a key theme of this year’s exhibition.
IoT-related devices, products and platforms are set for an extreme growth path. To get a feel for the ballpark: ABI Research estimates that by 2020 there will be more than 40 billion actively connected devices. Business Insider projects around 34 billion at the same time.
Looking at the bright side of this, I can’t wait to see use cases and services becoming possible that we have never before imagined. This post does not focus on that, though. It looks at the ‘dark’ side of IoT: the increasing security risks arising out of a totally connected world and its individuals. More than ever before, critical, even literally life-critical aspects of our lives are exposed to the threat of cybercrime. Cameras, sensors and highly personal data, including biometric data, are all being sucked into the super-connected Internet of Things world.
Questions like the following give an idea of what will concern us: Can someone hack into my TV, my refrigerator or my thermostat? And if yes, does that open a back door into my home network, my computer and all my critical and confidential information? Obtaining access to these, and the chance of compromising critical system functions, is a key interest of hackers. And more connected devices and mashed-up services and products create more entry points for attacks and more possibilities for hackers to target us.
Just one example of how substantial the risk is, and of how it is starting to get the right attention, is a US government warning on the Internet of Things released last September. This shows it’s time to address the security concerns very decisively, in parallel to the creative process of designing the products and services, and to consider them right from the start. Security must be one of the foundations of IoT.
What is the threat? New opportunities for hackers
There are real threats which we can think of today or which have already occurred. Some of them are more frightening than others. Here is a brief overview that is by no means exhaustive:
- Wearable devices can become a source of threat to a user’s privacy, as hackers can use the motion sensors embedded in smartwatches to engineer and obtain information a user is typing on a keyboard, or they can gather health data from smartwatch apps or health tracker devices.
- It was proven that Internet-connected cars can be compromised, and hackers can carry out any number of malicious activities, including taking control of the entertainment system, unlocking the doors or even shutting down the car in motion. People have a valid point when they worry whether their smart cars can be hacked and controlled, either putting them in danger or exposing confidential information about them.
- It has been uncovered that critical vulnerabilities exist in a wide range of IoT baby monitors, which could be leveraged by hackers to carry out a number of disgraceful activities, including monitoring live feeds, changing camera settings and authorizing other users to remotely view and control the monitor.
- Some of the most worrisome cases of IoT hacks involve medical devices and can have detrimental, perhaps fatal consequences on patients’ health. There is a huge risk that the great advances in mobile or electronic health concepts and products translate into sensitive medical information being accessed by the wrong people for the wrong reasons.
- It is conceivable that smart home systems get hacked, including the disabling of their surveillance components.
- It is common that smart TVs gather and send usage data back “home” which could be intercepted. It has been proven that Samsung’s TVs even send unencrypted voice recognition data across the internet.
- Amazon’s Echo voice recognition digital assistant is always on, listening to spoken words in the personal environment. It is fishing for commands to respond to with information or by triggering a task. Every spoken word goes through its microphones. That is of major interest, especially for individually targeted attacks.
- A huge concern is the central repositories where IoT data is stored, which can become attractive targets for corporate hackers and industrial spies who rely on big data to make profits. In the wake of massive data breaches and data theft cases, which have increasingly occurred in the last years, the privacy of consumers and the functionality of businesses and corporations are at enormous risk.
- It lies beyond imagination when you let your eye wander to the threats posed by hacks of smart traffic management systems or even municipal power supplies. What about the smart traffic grid connected to the smart city infrastructure? Does the electric grid or the water supply become vulnerable?
Internet security specialist Kaspersky Labs last year named it “the internet of crappy things”. Sure, it is obvious which intentions the internet security industry has when raising its voice on this topic. But they sure have a point. To put some more meat on the list of concerns, here is a frightening piece of research Kaspersky did on electronics gear in the home, including smart TVs, game consoles and storage devices:
What sums up the look at the real and potential threats is a brief and not very optimistic assessment of the hardware situation. The small size and limited processing power of many connected devices is a major challenge for encryption and other robust security measures. What’s further inhibiting is that some connected devices are low-cost and essentially disposable. When vulnerabilities are discovered on such devices, it may be difficult to update the software or apply a patch, or even to get news of a fix to consumers.
Currently IoT security is where the internet was in its early stages. There is no naturally baked-in security, encryption or authentication. But things are starting to go in the right direction.
What is being done already?
There is some promising evidence that IoT security is moving higher on the agenda at a couple of key internet, connectivity and hardware players as well as innovative startups. They are pushing forward measures to plug holes and prevent security breaches at the device level as well as in the software stack. Not solely, but certainly to a high degree, the Jeep Cherokee hack was a wake-up call for everyone with serious ambitions in this industry.
There are a variety of examples and promising activities aiming at securing the Internet of Things world before things get out of control:
- Google is pushing Brillo, an Android-based embedded operating system platform announced at Google I/O 2015. Brillo aims at bringing the simplicity and speed of software development to hardware for IoT with an embedded OS, core services, developer kit, and developer console.
- Microsoft is actively shaping the landscape with its Secure Boot technology and BitLocker encryption, which ship with Windows 10 IoT, Microsoft’s operating system for IoT devices and platforms. The security standard ‘Secure Boot’ aims to make sure that a device boots using only software trusted by the manufacturer, to prevent device hijacking. It has been developed in an IT-industry-wide collaboration. The encryption technology “BitLocker” is able to encrypt entire disk volumes and secures on-device data. It has been around and further improved since the Vista edition of the Windows operating system.
- Gemalto, a world leader in digital security and smartcards/-chips, leverages its experience and expertise from its mobile payments business to expand into IoT device security. Their Secure Element (SE), a tamper-resistant component, can be embedded at device level to enable advanced digital security and life-cycle management via encryption of, and access-control limitation to, sensitive data.
- The AllSeen Alliance, strongly pushed by Qualcomm, provides an open source platform and software framework for the Internet of Things called AllJoyn that lets compatible devices and applications find each other, communicate and collaborate across the boundaries of product category, platform, brand, and connection type. It wants to help ensure interoperability across device types and operating systems and aims at providing coherent security measures.
- The Industrial Internet Consortium (IIC) is an open membership organization with more than 200 members. It was formed to accelerate the development, adoption and widespread use of interconnected machines and devices and intelligent analytics. It was founded and is strongly backed by AT&T, Cisco, General Electric, IBM and Intel.
- Another alliance of leading tech firms, including Vodafone, British Telecom, Siemens, Infineon and many others initiated the Internet of Things Security Foundation (IoTSF). They want to increase awareness by fostering cross-industry and cross-company collaboration. It is a non-profit organization with the mission of vetting Internet-connected devices for vulnerabilities and flaws. Both providers of IoT products and solutions as well as users and adopters can receive security assistance.
What is most pressing to still be done?
Those are all notable activities and objectives that are going in the right direction. The more players — ideally in joint efforts — who tackle Internet of Things security issues, the better. But it probably is not yet enough to make sure the full potential of this new technology can be unleashed in a fully secure environment. More effort needs to be made to secure IoT-related data to ensure the privacy of consumers and the functionality of businesses and corporations.
For me there are 3 key areas for which convincing solutions are most urgently needed:
- (One-time) Authentication: IoT devices are always connected and always on. In contrast to human-controlled devices, they usually only go through a one-time authentication process, which can make them perfect sources of infiltration into company networks. Therefore, more security measures need to be implemented on these gateways to improve the overall security of the system.
- Hardware foundation & capabilities: There needs to be a sufficient answer to the obvious hardware-related dilemma. Common chips and chipsets usually applied in IoT devices are not big money-makers since they are tiny and usually based on outdated architectures. A good example is the 1st generation Intel Edison platform, which is widely utilized. It is based on Quark processors that to a high degree rely on the same CPU instruction set and design as the ancient Pentium P54C processor. The next-generation Edison version is based on a clearly more powerful processor that is based on Atom Silvermont cores. They can be found in many of today’s Windows and Android tablets. So the outlook is that we could see a lot more fairly modern 64-bit x86 CPU cores in Internet of Things devices, but they also come with a different price tag and will also be more demanding on the battery. And that’s why e.g. very cheap and disposable wearables and other ‘things’ cannot and will likely not be powered by such chips, at least for quite a while.
- Security updates & related processes: There must be a convincing solution and process for providing and installing security updates on IoT connected devices. So far it seems that there isn’t a compelling concept for this. Every one of us will most likely soon possess dozens, maybe hundreds of connected devices. Imagine manually installing updates on so many devices. That’s not an option. On the other hand, having everything carried out automatically in the background could pose a risk, too. We need concepts for ensuring that those update systems and interfaces do not become security holes of their own.
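One shape the device-side check in an unattended update path can take, so that the update channel itself cannot be used to push tampered, mismatched or outdated firmware. This is an added example, not code from the original post; the manifest fields, the "thermostat-x" model name, the demo key and the use of HMAC as a stand-in for a vendor signature are all assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real device would hold only the vendor's public key
# and verify an asymmetric signature; HMAC is a standard-library stand-in.
VENDOR_KEY = b"constructed-demo-key"


def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> str:
    """Vendor side: authenticate the canonical JSON form of the manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def check_update(manifest: dict, tag: str, image: bytes,
                 device_model: str, installed_version: int) -> str:
    """Device side: return "install" or the reason the update is refused."""
    # 1. Authenticate the manifest before trusting any field in it.
    if not hmac.compare_digest(sign_manifest(manifest), tag):
        return "reject: manifest not authenticated"
    # 2. The update must be built for this hardware.
    if manifest.get("model") != device_model:
        return "reject: wrong device model"
    # 3. Refuse downgrades, so an old vulnerable image cannot be replayed.
    version = manifest.get("version")
    if not isinstance(version, int) or version <= installed_version:
        return "reject: rollback or replay"
    # 4. The downloaded image must match the hash the manifest commits to.
    if hashlib.sha256(image).hexdigest() != manifest.get("sha256"):
        return "reject: image hash mismatch"
    return "install"


# Constructed sample update for a hypothetical "thermostat-x" device.
IMAGE = b"firmware v7 (constructed sample bytes)"
MANIFEST = {"model": "thermostat-x", "version": 7,
            "sha256": hashlib.sha256(IMAGE).hexdigest()}
TAG = sign_manifest(MANIFEST)

if __name__ == "__main__":
    print(check_update(MANIFEST, TAG, IMAGE, "thermostat-x", 6))
    print(check_update(MANIFEST, TAG, IMAGE, "thermostat-x", 7))
    print(check_update(MANIFEST, TAG, IMAGE + b"!", "thermostat-x", 6))
```

The order of the checks matters: nothing in the manifest is read until its authenticity is established, and the image is hashed only against a value that has already been authenticated.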
Where are we heading?
Without doubt, the Internet of Things will be an important part of our lives very soon. Robust security measures are a key ingredient which must be addressed via active participation by the entire global technology community. Only then can this emerging technology, which has the potential to revolutionize the world, unleash its full positive potential. We don’t want to end up in a world that more than ever relies on technology and software, with everything being connected, but where systems working in extremely private, sensitive, crucial, health- and life-determining areas are flawed and vulnerable to hacker attacks.
Read on my Blog @andrecramer.net