Delivering Security to Internet of Things (IoT) Devices
Last Updated: August 11, 2016
Internet of Things (IoT) devices have gained in popularity over the last few years. Simply put, IoT devices communicate with other machines through the internet that help to automate tasks in your life. Examples of these devices include outlet plus that allow you to control the lighting in your home remotely, the Nest thermometer where the temperature of your home can be controlled remotely, and the Amazon Echo that can control many items in your home through the sound of your voice. As virtual reality expands and the cost of existing devices decline, IoT machines are likely to take a greater role in all of our lives.
One concern emerging with the internet of things though is security. As alluded to in their name, IoT devices require access to the internet and thus are vulnerable to outside hackers. This risk is being addressed actively by device creators like Tesla. Tesla’s long-term goal is to have fully autonomous cars that completely run on renewable energy. This is obvious by the many test-drives where the vloggers take their hands off the wheel and let the computer drive their car. While this technology opens up amazing possibilities, it also opens potential dangerous situations. What if someone from the outside hacks into a Tesla and intentionally causes it to crash? It’s not unreasonable to see terrorist actors trying this from abroad to target well-known citizens in western countries. Tesla has recently hired the Apple OS security expert to address some of these concerns. Tesla is also attending major security conventions like DEFCON to recruit security and software engineers. At that same conference, hackers admitted that they were able to send a software command to the car after the connected a laptop to it as an alternative to “hot-wiring it.”
Bounties for Hackers
Bounties have long been a method companies have used to attack the risk of hacks. In these terms, a bounty encourages hackers to do penetration tests against systems in a controlled setting. By revealing their methods to the company security experts, the companies are able to patch their vulnerability. In return, these hackers receive a wide variety of prizes ranging from small swag to potentially millions of dollars. The website “Bugcrowd” provides an entire list of companies that have active bounty programs. There has also been a long history of companies and governments providing employment to ex-hackers. In 2011, eWeek listed 10 hackers who later went to work for “the man.”
Stuxnet for IoT?
The greatest threat to the adoption of IoT devices is the potential for government actors to use their hacking abilities to commit acts of war. In 2010, the United States government used a computer program to essentially destroy Iran’s uranium enrichment program. The “Stuxnet” virus was different than any other prior hack seen to that point. It had the ability to physically damage equipment the computer controlled. The virus had the same impact as if the United States bombed vehicles that were transporting items used in the process, but without the same legal ramifications. This new class of warfare that can be conducted remotely leads to many dangerous potential situations. Aside from just Tesla cars, the energy grid, home climate systems, and many more devices are now on the internet. This leaves them vulnerable to potential hacks if the software used to control the physical objects are mass-produced. In the future, you could see terror plots where foreign actors manipulate these mass-produced devices to force innocent civilians into an area. Whether this be hacking a Nest device to raise the temperature or triggering a fire alarm, these situations must be considered by both the producers of these devices and consumers. It may seem a little creepy, but one hacker was able to create a “Hal” like situation from the movie 2001: A Space Odyssey. The company TrapX also showed how hacking a Nest can be used as a starting point to control an entire house.
The Cost to Secure IoT Devices
When a “thing” gets protected, it’s no different than any other device like a laptop or smartphone. Gartner estimates that 6.4 billion things will be in use this year and it will cost $6.89 billion to secure them. In other words, it will cost $1-per-thing to protect these devices on average. This number is highly relevant to venture capitalists and companies creating this device as it will put a floor on the price of a device. The issue of device security isn’t lost on big players in the traditional anti-virus space like Symantec. Symantec has an entire page dedicated on their website to address the IoT space and claims to currently protect over a billion devices already world wide.
A New Reality
Part of the decision to use a “thing” may be to accept it could be hacked. This writer suggests that they don’t care that the Amazon Alexa isn’t even remotely secure. The Nest hack mentioned earlier was done by going through the device’s USB port. With the way the hardware is built, the hack still hadn’t been fixed even a year later. Even Nest admits that many USB-based hacking techniques are possible. Recently, the Democratic National Committee was hacked and some people shrugged with the comment “Everyone should expect that any email they write could later be revealed to the public.” This may be the new reality that everyone must accept with IoT devices. Reduced privacy and control in exchange for convenience. Either way, it will be an ongoing battle between companies and hackers to keep devices secure.
Are you located in Pennsylvania and are looking for security support for your devices? At Laughing Rock, we offer IT security services to businesses. Please contact us today if you need assistance in this area!