Safety of IoT: progress, hype, headache
The Internet of Things is the same fashionable term as Cloud Technology. Similarly, it doesn’t make much sense from a technical point of view: it is a brand under which one million different technologies are hidden. And there are even more options to use. The reason for writing this text was to encourage the discussion about the IoT sphere. For example, can home routers be considered an example of the “Internet of things”, or does the IoT spread production and other industrial high-tech?
In order to avoid such problems in the future, let’s try to formulate a clearer definition of IoT, proceeding not from the tasks of production or promotion of the corresponding devices and systems, but rather from the need for their protection. In addition, we will provide a couple of links to interesting research of Kaspersky Lab specialists, will try to give an assessment of the situation with the security of the IoT at the moment, and even will try to look into the future.
The source of information about miraculous devices in this article is the Internet of Shit on Twitter — its author has been engaged in brave work for exposing the attempts of different manufacturers to direct the development of IoT in the direction of total failure. However, it is better to perceive this channel as a modern techno-satire: while we are rusting over a 100500th teapot with a Facebook inside, the real IoT comes to us invisibly, and without a demand. This is the real problem.
Something went wrong in a Smart House
Perhaps the main news in the context of the “Internet of things” this year was turning off the hub for a smart Revolv home. Developed by the similarly named start-up, the device went on sale in 2013. It is a smart home hub, that lets you control various appliances and home automation systems with a central app. Already in 2014, sales were terminated after the vendor bought Nest, which is part of the conglomerate of google companies Alphabet. Sold devices were supported by the vendor, but on May 15th this year by decision of Nest literally turned into a pumpkin.
The owners of Revolv Smart Home Solution were furious, and this is still mildly said. The media attention was attracted both by flowery curses towards the fashionable vendor of smart solutions and by the common problems of any smart devices. It’s not even that the device owners lost support from the vendor and all the updates. The devices just stopped working. At all. Absolutely, as they switched off the obligatory connection with the infrastructure. In return, the vendor offered to refund all the money spent on the device ($ 300) but compared to the real price of the entire smart house system, where the main control device suddenly ceased to work, it’s a penny.
Attempts to determine the terms
This whole story has a direct bearing on security: the low security of the “Internet of things” devices is caused, firstly, by their permanent inclusion in the network, and secondly by the complexities of vendors with software updates and infrastructure support for a growing fleet of devices. Examples of the latter mass, such as discussion of how the updated Google API breaks the work of a smart refrigerator. So let’s try to formulate what is the Internet of things, in the context of security.
This is a collection of digital devices that:
– Communicate over the local wireless network and/or via the Internet.
– They work autonomously, often around the clock, without regular interaction with the person (or even without it at all).
It seems that further refinements are redundant and unnecessary. A photo frame, for some reason permanently connected to the network via WiFi, is the Internet of Things. A clever thermostat and a kettle are just the same. TV with Skype — yes. Pair of scales with Twitter? Add them as friends. Wireless water meters. Controllers of solar batteries.
Evaluation of the safety of IoT (like any other class of devices or technologies) is divided into two parts: theoretical (research of theoretical vulnerability) and practical (analysis of real attacks). An example of the theory is given above.
With practice, everything is more interesting. Tesla and kettles haven’t been broken yet because of their small number: until a critical mass of devices is opened, which opens up an imminent interest on the part of cybercriminals. Tracking and analyzing point attacks, even if they occur, is extremely difficult for ordinary computers. Nevertheless, there are examples, but they relate to devices that don’t want to be classified as IoT — these are routers, IP web cameras, and smart set-top boxes. So once again, in the proposed model of the device counting to IoT from the security point of view, these devices, which have been available for many years, legally occupy a place of honor.
So, these familiar and understandable devices clearly demonstrate the security situation in IoT in general. Default passwords, accessible from outside management interfaces with typical Web vulnerabilities, not to mention some examples of holes that allow executing arbitrary code. The result is understandable: tens or even hundreds of thousands of devices permanently connected to the network and not controlled by the owners are united into a botnet used for DDoS attacks and other criminal activities, not to mention the theft of private information. At the end of last week, there was one of the largest DDoS attacks (the goal was the blog of expert Brian Krebs) — 665 gigabits per second. If the preliminary assessment of Akamai (which was never able to repel the attack) is confirmed, it will also be the largest botnet attack from IoT devices.
The Inevitable Future
The attack on ½ bits is already serious, but in the context of “Internet of things” development, it is nothing. The development of IoT assumes that network devices that work autonomously will be estimated not by hundreds of thousands, but by tens of billions. If by this time new methods of their protection are not introduced (obviously better than in the examples of the present time) and methods of closing vulnerabilities (accordingly, the issue of updating the software will be resolved), we will have problems. And, unlike the present time, when we can buy an Internet refrigerator, and we can not buy, there will be no choice.
Here definitely should be a summing up
The vulnerability and, worse still, the inability to update billions of devices will lead to a multitude of problems that can affect both unsuspecting users and affect the performance of critical infrastructure. The argument is that in industrial systems, another IoT doesn’t seem reliable: firstly, the increase in production will lead to consumerization, and secondly, the criteria for autonomous operation and network connection remain in this case.
What kind of approaches can be used for protection? An example of the Revolv device hints at the fact that sooner or later the market will come to two or three major platforms on which all IoT-systems will be built, and chaos will become less. Most likely it will be, as it has already happened with the number of platforms for smartphones at the end of the 2000s or PC operating systems in the 90s of the last century. And if not? The concept of security is unlikely to be built on the basis of market laws.
Perhaps the solution to this problem will be at the junction of the most modern technologies. The right IoT can not be programmed like traditional computers right now. Perhaps we should look for different approaches, without trying to drag into the 21st century the technogenic heritage of the 20th century. In general, that will still be a problem.
We will continue to share our own and world’s best practices and are wide open to learn something new, so if you have any questions or ideas — feel free to write to us. Let’s develop the world together!