Why Does a Coffee Machine Need Its Own Account?

David Balaban
Sep 12, 2018 · 4 min read

A story about a smart coffee machine that was used to contaminate the computer network of a European petrochemical factory with ransomware hit the headlines last year. This incident isn’t one of a kind, though. We are witnessing an increase in hacker attacks involving home appliances, robotic devices, drones and other IoT entities used in cities, enterprises, and offices. A few known examples of things going out of hand include the following:

· Cleaning robot switched itself on, got onto a kitchen hotplate, pushed a cooking pot out of the way and burned itself, almost setting the apartment on fire.

· Security robot drowned itself in office fountain.

· Robotic lawn mower escaped from its “workplace” and cut a fuel hose along the way.

· Robot surgeon that hurts patients during surgeries and grips organ tissues with its “hand”.

· Unauthorized control of drones.

· Shutdowns of industrial HVAC equipment.

· Hacked smart toys, watches, fitness trackers and other wearable personal and office devices.

All of these incidents make us question the security of smart systems and devices that we encounter day by day.

Some situations of that sort might occur due to garden-variety malfunctions of IoT devices, yet most of them are upshots of well-orchestrated interference in pursuit of certain benefit.

In the era of ubiquitous hacker intrusions and other cyber threats, it’s imperative to strengthen the security of personal and corporate devices. Companies, in their turn, should focus on safeguarding smart systems leveraged in business processes, industry, manufacture, medicine, etc. in order to reduce the risk of equipment failure due to third-party tampering and, of course, to protect proprietary data as it’s being transferred and stored. Basic security involves changing default passwords, regular software updates, and of cause establishing secure and encrypted connection by means of VPN.

Smart things are already everywhere: outdoors, at home, in office, in medicine, transport, production, industry, agriculture, logistics, power supply, and other domains. This list is continuously expanding and we are rapidly approaching a smart, but not yet secure, ecosystem.

In the dynamic IoT market, which is currently one of the most promising and revolutionary technologies around, the vendors neither spend enough time nor pay sufficient attention to the security of their devices. Instead, they are focusing on fast production in order to maintain their market niche and drive innovation in this environment.

This rampant development and manufacture race provides malefactors with a bevy of exploitation opportunities.

I won’t dwell on the types of IoT devices and their security on the whole here. I’ll instead focus on the issue of managing the accounts and user access to these devices, as well as the functionality required by IDM (identity management) systems that are shifting from applications to things.

So, what is IDM in the context of IoT? What needs to be taken into consideration when building IDM systems? What does the future hold?

The implementation of the Internet of Things presupposes a complex interaction between humans, things and services. Consequently, it’s necessary to ensure appropriate verification of accounts and access privileges for applications, systems, and devices (things).

Clear-cut interaction between devices and the transmitted data, as well as proper control of them — these are the fundamentals of a successful IoT implementation in both the consumer and industrial space. IoT solutions should deliver a set of components for managing accounts and privileges that can accurately define the scope of access a specific user has and also verify user identity while checking authorization policies and access privileges.

According to Gartner, a global research and advisory company, 40% of IDM vendors will have to upgrade their solutions for IoT by 2020, versus less than 5% today.

WHAT REALLY MATTERS?

Assigning “user” accounts to devices

Industry players will need to determine the attributes that compose an “identity” of a device. This way, the manufacturers of IoT entities will be able to leverage a universal scheme or data model in order to make the registration, verification and authentication processes simple and applicable to different scenarios. When these attributes are determined and collected from a specific device, they can be used to register this device’s account. For some smart things, the registration may require a certain additional verification, for instance, to confirm that the device itself is officially certified.

Interaction

Human-human interaction won’t be enough anymore, and it will be necessary to establish other ties between devices, things, humans, services, and data. Furthermore, the many-to-many relationship will come to the fore.

Some of these ties will be used for temporary access to data, while others (human — smart device, or smart device — smart production) will be permanent. These relationships need to be registered, verified, and then revoked if necessary.

Authentication and authorization

The components of authentication and authorization should be applied at each stage of IoT data streaming. The following protocols are currently supported: OAuth2, OpenID Connect, UMA, ACE, and FIDO.

Access rights management

The creation and/or management of attributes related to user access privileges should take place at the device startup and initialization stage as well as during user registration. The applicable standards include LWM2M, OpenICF, and SCIM.

As we know, traditional IDM systems are intended to grant access to a company’s internal systems within the network perimeter. The booming Internet of Things technology requires more dynamic IDM solutions that can support and add not only internal users, clients and partners, but also devices and smart systems regardless of their location, thereby expanding protection capabilities in the paradigm of digital transformation.

HackerNoon.com

#BlackLivesMatter

Sign up for Get Better Tech Emails via HackerNoon.com

By HackerNoon.com

how hackers start their afternoons. the real shit is on hackernoon.com. Take a look.

By signing up, you will create a Medium account if you don’t already have one. Review our Privacy Policy for more information about our privacy practices.

Check your inbox
Medium sent you an email at to complete your subscription.

HackerNoon.com

Elijah McClain, George Floyd, Eric Garner, Breonna Taylor, Ahmaud Arbery, Michael Brown, Oscar Grant, Atatiana Jefferson, Tamir Rice, Bettie Jones, Botham Jean

David Balaban

Written by

David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software.

HackerNoon.com

Elijah McClain, George Floyd, Eric Garner, Breonna Taylor, Ahmaud Arbery, Michael Brown, Oscar Grant, Atatiana Jefferson, Tamir Rice, Bettie Jones, Botham Jean

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store