The "Internet of Things" (IoT) has taken off and will accelerate exponentially in the coming years. With everything from refrigerators to smoke detectors to sprinkler systems becoming network/Internet accessible, Gartner, Inc. forecasts that 4.9 billion connected things will be in use this year, up 30 percent from 2014, and the figure will reach 25 billion by 2020.
But while IoT promises many benefits to end-users, the biggest challenge of the young movement is the alarming lack of unified guidelines for ensuring the security of IoT applications. As a result, IoT devices will typically not incorporate anti-virus and anti-malware protection, nor will they likely receive patches to address new security issues as they arise. Why? Gartner points out that by 2017, 50 percent of IoT solutions will originate in startups that are less than three years old. These companies, often funded via Kickstarter and similar sources, usually can’t afford to put their devices through rigorous security testing, and they may not yet employ engineers or managers with IT security backgrounds.
With billions of devices suddenly coming online, cyber criminals may well feel they have won the lottery as these lightly protected, internet-connected devices provide access, through a home network, to unencrypted information about people’s health, purchasing habits, and finances.
Last year the security service provider Proofpoint uncovered what may be the first proven IoT-based cyberattack involving conventional household "smart" appliances. The global attack campaign involved more than 750,000 malicious e-mail communications coming from more than 100,000 everyday consumer gadgets such as home-networking routers, connected multi-media centers, televisions and at least one refrigerator that had been compromised and used as a platform to launch cyberattacks.
Last June HP Security Research reviewed 10 of the most popular IoT devices from manufacturers of TVs, webcams, home thermostats, hubs for controlling multiple devices, garage door openers, and more. All devices included mobile applications which could be used to access or control the devices remotely. The study found that 90 percent of the IoT devices collected at least one piece of personal information about users via the device, the cloud or through the mobile application. The data collected included names, addresses, and credit card or health data.
In its report, HP revealed that 70 percent of the IoT devices used unencrypted network services, and that 80 percent of devices “failed to require passwords of a sufficient complexity and length” for access. The study strongly suggested that IoT device manufacturers carry out security reviews of their products, including automated web interface scans, manual reviews of network traffic, and checking authentication methods employed by the IoT devices.
Similarly, the security firm Fortinet conducted a global survey that asked 1,801 home owners about key issues pertaining to IoT. When respondents were asked how they would feel if a connected home device was secretly or anonymously collecting information about them and sharing it with others, sixty-seven percent of Americans polled answered “completely violated and extremely angry to the point where I would take action.”
Consumers surveyed placed responsibility squarely in the lap of manufacturers if a vulnerability was discovered in a connected home device; 49 percent of Americans agreed that the device manufacturer was responsible for updating/patching their device. However, nearly 31 percent of the global audience surveyed indicated that “as a homeowner, it is my responsibility to make sure that the device is up to date.”
A string of high-profile hacking attacks on major companies has put cybersecurity firmly in the spotlight. But if large commercial enterprises, banks and governments do not have strong enough firewalls to thwart hackers, how can individuals have confidence in a new IoT product? The answer is they can’t, but there are certain things that can be done to swing the odds more in your favor.
For one thing, no one should assume that a new device added to a home network is secure.
You can also learn about application discovery tools. On the enterprise side, network mapping tools regularly scan networks for any unauthorized sensors trying to join the network and access the server. These tools, which are now or will soon be available to consumers, conduct an "IP sweep" that automatically discovers all the devices present. They provide details such as name, device type, operating system, services running and other important device configuration details.
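As an added example (not code from any of the tools mentioned, and not from the original article), the following Go program shows the check such a sweep makes possible on a home network: it parses constructed sweep output into devices, flags any MAC address missing from the household's inventory, and calls out listening services that carry data unencrypted, the weakness HP's review found in 70 percent of devices. The line format, the service names and the `ParseSweep`/`Audit` names are assumptions made here for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Device is one row of a sweep result: address, MAC, advertised name and the
// services the scanner saw listening, the details the text says such tools report.
type Device struct {
	IP, MAC, Name string
	Services      []string
}

// cleartext lists service names that move credentials or data unencrypted.
var cleartext = map[string]string{
	"telnet": "remote shell without encryption",
	"ftp":    "file transfer without encryption",
	"http":   "web interface without TLS",
}

// ParseSweep reads constructed "ip mac name svc,svc" lines (services "-" if none).
func ParseSweep(out string) []Device {
	var devs []Device
	for _, line := range strings.Split(strings.TrimSpace(out), "\n") {
		f := strings.Fields(line)
		if len(f) < 4 {
			continue // ignore blank or malformed lines
		}
		devs = append(devs, Device{IP: f[0], MAC: strings.ToLower(f[1]),
			Name: f[2], Services: strings.Split(f[3], ",")})
	}
	return devs
}

// Audit returns one finding per device not in the known-MAC inventory and per cleartext service.
func Audit(devs []Device, known map[string]bool) []string {
	var findings []string
	for _, d := range devs {
		if !known[d.MAC] {
			findings = append(findings, fmt.Sprintf("%s (%s): not in inventory", d.IP, d.Name))
		}
		for _, s := range d.Services {
			if why, ok := cleartext[s]; ok {
				findings = append(findings, fmt.Sprintf("%s (%s): %s exposed, %s", d.IP, d.Name, s, why))
			}
		}
	}
	return findings
}
```

Findings come back in sweep order, so a device that is both unknown and running a cleartext service produces two adjacent lines.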
Microcontroller companies are helping to reduce the possibility of IoT security breaches. Recently Atmel launched its next-generation CryptoAuthentication product for the IoT market. Atmel's ATECC508A is said to be the first device to integrate the ECDH (Elliptic Curve Diffie–Hellman) protocol, a secure method of key agreement for encryption/decryption, along with ECDSA (Elliptic Curve Digital Signature Algorithm) sign-verify authentication. With ECDH and ECDSA built in, this device can provide confidentiality, data integrity and authentication in systems whose MCU or MPU runs encryption/decryption algorithms (such as AES) in software.
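As an added illustration (not Atmel's code and not the ATECC508A's API), the following Go program models in software the ECDH plus ECDSA pairing described above: each side signs its one-time ECDH public key with a long-term ECDSA key, the receiver verifies that signature before completing key agreement, and the shared secret is hashed into the 256-bit key that AES running in software would then use. `Party`, `Offer` and `Agree` are names chosen here, and using SHA-256 directly as the key derivation step is a simplification assumed for the example.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Party: a long-term ECDSA P-256 identity key plus a one-time ECDH P-256 key.
type Party struct {
	Sign *ecdsa.PrivateKey
	eph  *ecdh.PrivateKey
}

func NewParty() *Party {
	s, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	e, err2 := ecdh.P256().GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		panic("key generation failed") // only happens if the CSPRNG fails
	}
	return &Party{Sign: s, eph: e}
}

// Offer returns the ephemeral ECDH public key plus an ECDSA signature over it.
func (p *Party) Offer() (pub, sig []byte, err error) {
	pub = p.eph.PublicKey().Bytes()
	h := sha256.Sum256(pub)
	sig, err = ecdsa.SignASN1(rand.Reader, p.Sign, h[:])
	return pub, sig, err
}

// Agree verifies the offer under the peer's known long-term key and only then
// derives a 256-bit AES key from the ECDH secret (SHA-256 stands in for a KDF).
func (p *Party) Agree(peerSign *ecdsa.PublicKey, peerPub, sig []byte) ([]byte, error) {
	h := sha256.Sum256(peerPub)
	if !ecdsa.VerifyASN1(peerSign, h[:], sig) {
		return nil, errors.New("peer signature invalid: refusing key agreement")
	}
	pk, err := ecdh.P256().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	secret, err := p.eph.ECDH(pk)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)
	return key[:], nil
}
```

An offer whose public key has been altered in transit, or that was signed by a key other than the one the receiver holds as the peer's, fails the `VerifyASN1` check, so no session key is ever derived for it.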
Last week NXP announced two new microcontroller families, LPC18Sxx and LPC43Sxx, to help embedded developers secure application code and data messages in connected applications against threats such as theft and cloning. The new microcontroller families add support for secure boot and secure messaging to the control, high-speed connectivity, display, advanced timing, and flexible peripheral features for which NXP’s LPC1800 and LPC4300 series are known.
In the final analysis, users of IoT devices must determine if the benefits of a smart, connected product outweigh privacy concerns. We must ask ourselves if we really need a pet-food dispenser we can access via the Internet when it potentially could allow confidential information to fall into the hands of those with malicious intent.