Examining the IoT from a Cyber Security Point of View
Before we start, here’s a fun fact:
It wasn’t a researcher or an analyst to first use the term ‘Cyberspace,’ it was a science fiction author named William Gibson. It was used in 1982 in a short story; he later elaborated on the term in his novel ‘Neuromancer.’
Ironically, whatever he wrote as a fiction, is anything but fiction today.
Since 2009, the Internet of Things (or simply IoT) has become immensely popular and is gaining ground faster than ever. In fact by 2030, 500 Billion devices will be connected to the internet. From home appliances to medical instruments, everything is getting connected and linked together. Smart cities, which offer better and efficient facilities to the citizens, have been made possible because of IoT.
Now, in a cyberspace saturated with plethora of attacks and malicious content, a full-blown implementation of IoT has the potential to be disastrous for consumers and organizations around the world. In the nascent stages, a lot of aspects remain undiscovered. Yet, already a number of attacks have been launched and demonstrated against IoT.
The current losses, owing to cyberattacks around the globe, are an estimated 445 Billion USD, which almost equals GDP of Austria. In the coming years, it’s bound to increase. Security in IoT is paramount: if your social networking account gets hacked, that’s a nuisance, but if your vehicle is hacked and made to crash, that’s a pretty serious, life-threatening issue.
The term, Internet of Things first came into existence in 1999 and was coined by the British technology pioneer known as Kevin Ashton.
He said “if we had computers that knew everything there was to know about things using data they gathered without any help from us, we’d be able to track and count everything and greatly reduce waste, loss and cost. We’d know when the things need replacing, repairing, recalling and whether they are fresh or past their best. The Internet of Things has the potential to change the world just like the Internet did and may be even more so.”
ISACA defines IoT as,“ ‘The “Internet of Things,’ which refers to physical objects that have embedded network and computing elements and communicate with other objects over a network.”
The fact that IPV4 could only offer 4.2 billion addresses, along with the low battery back-ups, poor network coverage and high costs, was main reason why IoT was never fully implemented at that time.
The Internet Engineering Task Force came up with IPV6, which has a 128 bit address space and provides enough addresses to give each person on earth 6 IP addresses. That’s a humongous amount, considering the fact that, as of 2015 we already have crossed the 7.3 billion mark.
It’s worth noting that when we talk about Internet, we’re talking about devices that are connected. When we bring IoT into the picture, we’re talking of devices that are not just connected, but also communicating.
Now that IoT can be freely implemented, what are the advantages?
The biggest example of IoT implementation is Smart Cities.
What’s a Smart City? Simply put: it’s a city which has/employs smart energy, smart water, smart mobility, smart public services, smart buildings/homes and smart Integration.
Examples include London, Singapore, Nice, New York and Barcelona, which are also the top 5 Smart Cities in the world.
IoT aims at improving our lives and reducing effort. For example, AT&T provides remote controlling of services like security and lightning for homes. Samsung is rolling out similar services under the name ‘Smart Things.’
‘Smart Things’ include:
- machines troubleshooting themselves
- integrated medical services, which can serve as boon for old people as the wearable devices continuously monitor their statues
- patients’ conditions updating automatically
- really Smart homes (not just connected – but Smart).
The possibilities are endless with IoT. So, why are some security researchers cynical about IoT? Eugene Kaspersky recently said that it’s more of an Internet of Threats!
Let’s see why.
In an episodes of the TV series Homeland, terrorists hack the pacemaker to kill a target! Fancy stuff, eh? And, it’s truly possible to pull off something like that.
Not just pacemakers, but even Defibrillators can be hacked and their default configuration can be changed, according to the US-CERT.
It’s also possible to cause Insulin overdose remotely to kill a target.
Researchers port scanned an MRI machine and they found 140 open ports!
Moving on to vehicles, security researchers Charlie Miller and Chris Valasek, hacked a vehicle a few years back sitting in the back seat. Very recently, they hacked a Jeep Cherokee wirelessly.
In case you don’t know, a modern car is a rolling computer network. To give you an idea of the computing power, consider this: modern vehicles carry more computing power than what was used in NASA’s moon mission. If you want a car without a computer, I guess 1960s models are a good option.
Another TV series, CSI Cyber, showed how baby monitors can be hacked. It was a cake walk with right tools and tricks.
Hacking a webcam ain’t anything new, but it’s certainly easier with a greater number of devices (your household appliances) on the same network.
Recently a worm named ‘Linux.darlloz’ was found. The worm hijacked home appliances to mine crypto currency like bitcoins.
I hope by now, you’ve got the idea that you can connect your home appliances, including your thermostat, set top boxes, watches, washing machine and what not.
As you can see, IoT devices require multi-layer security. Simple SSL is not enough.
These devices need to be able to differentiate whatever information is received or sent is by an authorized user or an intruder. Inside Secure introduced MatrixSSL tiny, an extension to the SSL and showcased it at the Black Hat conference in Las Vegas. This MatrixSSL tiny is a lightweight software implementation for the IoT devices with limited memory. Once an operation or a procedure is completed, the software nulls the memory which is highly beneficial considering the fact that most IoT enabled sensors have a very limited amount of memory and processing power.
Can we keep up with all of this? Below are some mind boggling facts to consider:
? We will have 500 billion devices connected to the Internet by 2030
? A survey done by the firm Ernst & Young showed that as few as 6% of the firms had a credible Incident Response program in case of a cyberattack. Around 30,000 websites are hacked every day and 97% of all the data loss in organizations around the globe is due to cyberattacks.
? In 2014, Kaspersky did a survey and found that 38.3% users globally had experienced a cyberattack at least once, when online. In fact, the global loss by consumers amounts to 113 Billion USD, which is enough to host the 2012 London Olympics more than 10 times.
? In 2013, the Identity Theft Resource Center did a survey and found that 44% of all registered data breaches targeted medical companies.
? Recently, a list of 7 most vulnerable smart cities was released which included Santander, New York, Tokyo, Hong Kong, Aguas De Sao Pedro, Songdo and Arlington County. The perimeters included smart cars, traffic, wearable devices for citizens and emergency services among others.
? HP did a survey and found out that 70 percent of all IoT devices were vulnerable to some type of cyber attack.