Securing the IoT: It Takes the Global Village

You are here

Securing the IoT: It Takes the Global Village

Article
Posted July 26, 2016 in Data Analytics & Digital Technologies Cutter Business Technology Journal
In this issue:

 

CUTTER IT JOURNAL VOL. 29, NO. 7


The IoT Is Everywhere

The Internet of Things (IoT) today covers many areas of our lives. More and more household appliances are becoming smart, with small computing devices and ­connection to the Web. Smart TVs and refrigerators are already common in many households. There are also smart thermostats (which collect information about the behavioral patterns of the persons living in the home to ensure efficient heating and cooling), smart door locks (which allow their users to open and close their doors from a remote location), smart security systems (which enable remote control of the security sensors), and so on. In the field of healthcare, there are home diagnostic bedside units, which can quickly give measurements for cholesterol, blood glucose levels, and blood pressure, and systems that can remotely monitor patients’ vital signs. Other fields of IoT include autonomous and connected cars, wearable devices, office equipment, and so on.

According to Cisco, there will be about 50 billion ­networked devices by 2020. The IoT will soon be everywhere.

Vulnerabilities and Risks

Smart Homes and Enterprises

IoT devices have many advantages, but also vulnerabil­ities and risks. Many smart household appliances are poorly protected (if at all) against cyberattacks. This means that any script kiddie with minimal hacking skills can use them to break into the home network. If, a few years ago, someone had said that TVs and refrigerators could be compromised by hackers to send malicious emails, you would have laughed at them. But such an attack indeed happened on January 2014 — the first known cyberattack to use smart household appliances. This global attack campaign involved more than 750,000 malicious email communications coming from more than 100,000 everyday consumer gadgets such as home-networking routers, connected multimedia centers, TVs, and at least one refrigerator that had been compromised and used as a platform to launch attacks.

In October 2015, a security researcher demonstrated how to hack into a kettle and steal a home’s Wi-Fi password. This vulnerability can be exploited by hackers to break into the Wi-Fi network and from there into the other devices connected to that network. But the risks are even bigger. Researchers have found a way to attack the power grid, by remote manipulation of home and office air conditioners to create a surge. To achieve the hack, attackers target remote shutoff devices installed by utilities on air-conditioning units to preserve power during summer peaks. It seems that these devices are very vulnerable to manipulation by hackers.


Security in the Internet of Everything Era

Explore the existing and future risks in what we currently call the Internet of Things, gain examples of risks and attacks in different domains, and identify the corresponding technological and managerial challenges for confronting — even anticipating and warding against — security attacks. Order your copy of the complete Cutter IT Journal issue today using Coupon Code IOT20 and Save 20%!


To understand how easy it is to hack IoT devices, in March 2016 the MIT Media Lab hosted a hackathon in which it invited 153 hackers to try to find and exploit weaknesses in more than 20 smart home devices.

The hackers attempted to control the devices through software vulnerabilities, and they succeeded in taking control of 25% of the devices in less than three hours. Figure 1 depicts the vulnerabilities of the top 10 IoT devices. We can see, for instance, that 8 of 10 such devices use insufficient authentication.

Figure 1 — Security flaws of the top 10 IoT devices.
Figure 1 — Security flaws of the top 10 IoT devices.

 

Just as personal computers can be unknowingly compromised to form robot-like “botnets” that can launch large-scale cyberattacks, cybercriminals have begun to commandeer components of the IoT and transform them into “thingbots” to carry out the same type of malicious activity. Cybercriminals intent on stealing individual identities and infiltrating enterprise IT systems have found a target-rich environment in these poorly protected Internet-connected devices, which may be more attractive and easier to infect and control than PCs, laptops, or tablets.

Vehicles, Fuel

Recently, the US Federal Bureau of Investigation (FBI) released a public service announcement to warn drivers about the threat of over-the-Internet attacks on cars and trucks. The announcement mentions that modern motor vehicles often include new connected vehicle technologies that aim to provide benefits such as added safety features, improved fuel economy, and greater overall convenience. Aftermarket devices also offer ­consumers new features to monitor the status of their vehicles. However, with this increased connectivity, consumers and manufacturers should maintain awareness of potential cybersecurity threats.

Vulnerabilities may exist within a vehicle’s wireless communication functions, within a mobile device (e.g., a cellular phone or tablet connected to the vehicle via USB, Bluetooth, or Wi-Fi), or within a third-party device connected through a vehicle diagnostic port. In these cases, it may be possible for an attacker to remotely exploit these vulnerabilities and gain access to the vehicle’s control network or to data stored on the vehicle. During the “Car Hacking Village” at DEF CON 2015, researchers showed how to hack into a Jeep Cherokee and remotely shut off its brakes and engine.

Criminals can also attack business-critical devices connected to the Internet. For example, using the connec­tivity of monitoring systems on gas pumps, they could cause the pump to register incorrect levels, creating either a false indication of low fuel level or allowing a refueling vehicle to dangerously overfill the tanks, thus creating a fire hazard. Alternatively, they could hack the connection to the point of sale system, allowing fuel to be dispensed without registering a monetary transaction.

Healthcare

From GPS-enabled asthma inhalers to wearable devices that monitor vital functions, consumer-generated health data can hold value not just for the patients, but for a variety of other parties, such as healthcare providers, insurers, public health researchers, and policy makers. Yet the rise of the IoT coupled with the poor state of cybersecurity within healthcare today makes healthcare-related IoT devices a target for both data theft and extortion. A partial electronic health record (EHR) sells on the black market for roughly US $50, and health ­credentials can sell for $10 each, many more times the value of a credit card number. The reason is that an EHR can be used to file fraudulent insurance claims, obtain prescription medication, and facilitate identity theft.

In addition, one of the latest trends in ransomware attacks is the targeting of hospitals and other healthcare facilities. As a recent Wired article notes:

Hospitals are the perfect mark for this kind of extortion because they provide critical care and rely on up-to-date information from patient records. Without quick access to drug histories, surgery directives, and other information, patient care can get delayed or halted, which makes hospitals more likely to pay a ransom rather than risk delays that could result in death and lawsuits.

In the case of extortion, just imagine what would happen if data for every patient in a hospital were held ­ransom.

IoT Exploit Strategies

IoT vulnerabilities can be exploited by cybercriminals in various ways. If an attacker succeeds in hacking a smart home device, they can control the device (think what could happen if the device were a pacemaker), hack into the home’s/organization’s Wi-Fi network, and subsequently hack into the connected computers in order to steal sensitive information, such as bank account passwords, credit card numbers, and private business information. They can also gather information on people’s habits (e.g., when they order pizza, which medicines they take, when they take breaks) and more.

The hacker can use the collected information for spear phishing, showing a fake login page to the user and stealing their credentials, sending an email (with relevant content according to the collected information) with an attachment or a link that will install malware on the user’s device when opened, and so forth.

A recent FBI alert about the IoT points to several ­additional risks:

  • Exploiting the Universal Plug and Play protocol (UPnP) to gain access to many IoT devices
  • Compromising an IoT device to cause physical harm
  • Overloading IoT devices to render them inoperable
  • Interfering with business transactions
     

What Should Be Done

The risks are clear, so why don’t vendors make an effort to provide more secured devices? The answer is simple: they don’t have to. Vendors naturally want to maximize their revenue. So they focus their efforts on improving the devices’ price, aesthetics, ease of use, fault resistance, and other characteristics that consumers want. Vendors either are not aware of cybersecurity risks or just ignore them, since it’s not cost-effective to handle the risks.

Overcoming this issue will require action from four groups:

  1. Consumers
  2. Vendors
  3. Regulators
  4. Researchers
     

Consumers

We should begin by raising awareness among smart appliances’ consumers about the cybersecurity risks. If consumers demand more secured appliances, vendors will have to supply them. In addition, consumers with strong information security awareness may be better protected against social engineering attacks.

Vendors

It is important for vendors to understand that it is only a matter of time until exploiting IoT vulnerabilities will become common, with consequent damage to the vendors’ reputation. Publications about cyberattacks on IoT devices raise awareness on cybersecurity among vendors and consumers. Some steps that vendors can take to improve IoT security include:

  • Using open source and open security. The open source community is totally focused on quality and usability. Thanks to the strength, dedication, and sheer size of the open source community, security flaws are routinely fixed within hours of discovery.
     
  • Signing the software in embedded devices. Developers should ensure that the system boots up only if the software to execute is signed by a trusted entity. By anchoring this “root of trust” into the hardware, it becomes extremely difficult to tamper with firmware.
     
  • Separating critical and noncritical systems. Manufacturers try to collapse as many functions as possible within one single piece of hardware, but there’s no real reason why these separate functional domains should be visible to each other. For example, it shouldn’t be possible to access an airplane flight control system via the plane’s onboard entertainment platform, or a car’s brakes and assisted steering wheel from the car stereo unit.
     

Regulators

We cannot rely on the efforts of consumers and vendors alone. There should be international standardization and regulation to define the standards of IoT security and enforce those standards among vendors. Most large organizations understand the importance of securing themselves against cyberattacks. Small and medium-sized companies, as well as household consumers, need the regulators to protect them. In some countries, riding a motorcycle without a helmet is against the law. Bikers know the danger of not using a helmet, but without laws to enforce it, many riders would not wear one. International regulations should enforce “helmets” for IoT devices.

One might question the viability of international regulation, considering that each country has its own interests. Yet if we extend the road rules analogy, we can observe that while every nation has its own driving rules, there are nevertheless many commonalities. There is no need for complete harmony in order for countries to issue and honor international driver’s licenses. A similar approach should be considered for IoT cybersecurity. Each nation is free to implement its own rules, but there are certain core defense concepts that will play out (with variations) just about everywhere.

In December 2015, the European Union (EU) agreed on the first EU-wide rules to improve cybersecurity. Under the new rules, companies in critical sectors such as transport, energy, banking, financial services, health, and water supply will have to ensure that the digital infrastructure they use to deliver essential services, such as traffic control or electricity grid management, is robust enough to withstand cyberattacks. This directive marks the beginning of platform regulation. We should expect such international regulations to apply to securing the IoT.

Researchers

From the academic side, researchers are trying to identify different building blocks for security improvement. Many IoT devices use Wi-Fi for communication, and researchers have found a way to detect tampering with this type of communication. Traditional cryptographic operations can be used to authenticate data transmitted from IoT devices. However, tampering with a device cannot be detected using cryptographic methods. Using analysis of transmitted data from devices would allow an additional layer of defense that can detect these ­tampering events.

The issue of IoT security is also the subject of inter­national conferences. The executive summary of Cyber Conference Okinawa 2015 argues that it is essential to determine an architecture for IoT. The biggest point, from a security standpoint, is to develop resilience in order to prepare for unknown threats, assuming that some threats are unstoppable. Rather than trying to defend against every unknown, we need systems that sustain compromise and keep on functioning with minimal inconvenience. It is vital to establish a shared-goal-driven, multi-stakeholder network to develop regulations and security standards for IoT; we need to find a workable balance between ease of use and security. This can only be achieved through the active cooperation of a body of diverse stakeholders, taking into account privacy, human rights, and legal and moral issues.

Taking Action Now

Until international standardization and regulation are realized, organizations should take the following defensive actions:1, 2

  • Identify data assets and access paths. Organizations should understand the types of data that wearables and IoT devices are collecting and for what purpose, to assess the data’s value — both to those who use it and those who may want to hold it ransom. They should identify access paths to vulnerable and sensitive data assets and minimize the impact of phishing attacks by using multifactor authentication.
     
  • Secure data collection as well as data analysis points. The IoT data chain starts with the device that collects data, continues through the location where data analysis occurs, and eventually manifests itself in the hands of professionals who can make decisions on the analyzed data. In addition to attacks on the data-collecting device, determined attackers will attempt to compromise the data analysis engine stored in the public or private cloud.
     
  • Reexamine existing security functions through an IoT lens. Companies should factor device context into identity and access management. They should look to cloud service providers to assist with incident response, threat management, and security operations in the cloud, where their data repositories are located. Finally, they need to create policies to address data privacy concerns about data ownership, consent, use, ethics, and liability.
     
  • Isolate IoT devices on their own protected ­networks. This will prevent compromising the business network when IoT devices are attacked.
     
  • Disable UPnP on routers. UPnP is designed to self-configure when attached to an IP address, making it vulnerable to exploitation. Hackers can change the configuration and run commands on the devices, potentially enabling the devices to harvest sensitive information, conduct attacks against homes and ­businesses, or engage in digital eavesdropping. Thus, disabling UPnP on routers is an essential means of stemming a cyberattack.
     
  • Use current best practices. Organizations should take extra caution when connecting IoT devices to wireless networks and when connecting remotely to an IoT device.
     
  • Ensure all default passwords are changed to strong passwords. Leaving the default passwords in place will enable a cybercriminal to easily exploit the devices to open doors, turn off security systems, record audio and video, gain access to sensitive data, and so on.
     

Summing Up

IoT is increasingly used for household appliances, business equipment, and critical services; therefore, securing IoT devices against cyberattacks has become a major concern. IoT implies a massive increase in data being collected and transmitted. The growth in the volume of data creates an inherent increase in vulnerabilities.

To reduce the success of cyberattacks on smart devices, consumers should demand secured appliances, vendors should understand the risks, and international regulators should enforce cybersecurity policies. For industrial IoT security, the security of a whole chain must be ensured.

As bikers are required by law to use helmets, international regulation should likewise enforce “helmets” for IoT devices. At the end of the day, each nation or multinational body must establish rules that represent its values and priorities but collaborate to find common solutions and mechanisms that will serve the interests of all.

Endnotes

Internet of Things Poses Opportunities for Cyber Crime.” Public service announcement, US Federal Bureau of Investigation (FBI), 10 September 2015.

2 Zetter, Kim. “Why Hospitals Are the Perfect Targets for Ransomware.” Wired, 30 March 2016.

Share This

About The Author

David Tayouri, Cyber Intelligence Department Manager

David Tayouri, MSc in computer science, has 25 years of experience insoftware architecture, development, and project management. He has been dealing with different aspects of the Internet since writing his thesis in 1997. Mr. Tayouri is one of the cyberactivity leaders in Israel Aerospace Industries (IAI) and has managed the cyber­intelligence department for the last three years. He can be reached at dtayouri@elta.co.il.

Leave a reply

Your email address will not be published. Required fields are marked*

Philip O'Reilly
Article

Beyond Fintech: New Frontiers — Opening Statement

by Philip OReilly

This issue focuses on key topics of interest for financial services organizations, namely equity crowdfunding, legacy systems migration, robo-advisors, test outsourcing, and refining the reconciliation process.


Bhardwaj Velamakanni
Advisor

Implementing Design Thinking in Agile

by Bhardwaj Velamakanni

This Advisor presents an overview of improving Agile techniques and practices by using design thinking within the Agile space and describes three techniques from design thinking methodologies that tend to yield benefits to Agile practitioners.


Gustav Toppenberg
Executive Update

Data’s Story: An Enterprise Asset in the Digital Backbone

by Gustav Toppenberg

The existence of a digital backbone in an organization means that anyone aspiring and planning to transform different parts of the enterprise can leverage the digital backbone in a consistent and sustainable way, ensuring that each transformation effort connects and leverages a common platform. Digital transformation leaders are starting to realize that a powerful digital services backbone to facilitate rapid innovation and responsiveness is key to successfully executing on a digital strategy.


Effort score and priority rank for requirements in our sample project.
Executive Summary

Can We Measure Agile Performance with an Evolving Scope? An EVM Framework (Executive Summary)

by Alexandre Rodrigues

Can a method like EVM, developed to control projects with well-defined objectives, be applied to control product development initiatives that evolve continuously toward a “moving target”? In an Agile environment, we are faced with the dynamic evolution of a finite boundary of integrated scope, cost, time, and resources; this finiteness — essential for business management and decisions — is the cradle for project management techniques, tools, methods, and frameworks. The EVM method was first developed to help with managing complex R&D projects mostly characterized by an unstable, volatile, and evolving scope. It is therefore no surprise that EVM applies to Agile projects.


Article

The Frontier of Fintech Innovation — Opening Statement

by Philip OReilly

It’s a pleasure for me to introduce the first of two special issues of Cutter Business Technology Journal (CBTJ) showcasing the thought leadership and cutting-edge research and development (R&D) being done in State Street Corporation’s Advanced Technology Centres in Europe, the Middle East, and Africa (EMEA) and Asia Pacific (APAC), in partnership with University College Cork (UCC) and Zhejiang University (ZJU), respectively. The articles in this issue represent a small sample of the output from the R&D undertaken in these centers, which combine academic excellence with real industry impact.


Executive Update

Business Architecture’s Role in Crisis, Risk, and Compliance Management

by William Ulrich

Every business must deal with crisis, risk, and compliance challenges. Teams chartered with addressing these challenges are often split across business units and regions, which fragments crisis, risk, and compliance management efforts. Business unit silos and related complexities obscure ecosystem transparency, which in turn constrain an organization’s ability to identify risks, assure compliance, and prevent and disarm crises. Business architecture delivers business ecosystem transparency as a basis for improving a business’s ability to collectively address challenges related to crisis, risk, and compliance. 


Curt Hall
Advisor

Building New Business Models with Blockchain

by Curt Hall

Organizations are using blockchain to create new business models — exploiting its capabilities for optimizing contract management, financial transaction management, and identity management.


Nine Policy Recommendations for Managing Technical Debt
Executive Update

Managing Technical Debt: Nine Policy Recommendations

by Rick Brenner

For technology-dependent products, companies, institutions, and even societies, sustainability depends on learning how to manage technical debt. Like most transformations, incorporating new practices into our organizations will likely be an iterative process. We already recognize the problem, and researchers are making progress, albeit mostly on technical issues. This Executive Update proposes a policy-centered approach to the problem. It begins with a principle that can serve as a guide for constructing technical debt management policy, and then shows how to apply that principle to develop nine recommendations that enable organizations to manage technical debt effectively.


Bhardwaj Velamakanni
Advisor

Emerging Agile Anti-Patterns

by Bhardwaj Velamakanni

Agile methodologies, however popular they are, bring their own sets of “smells” and anti-patterns to the table, sometimes causing irreparable damage to the team. While the sources of these smells are many, one of the primary culprits is the mindset that treats Agile as “yet another methodology,” totally ignoring the cultural aspect. This article throws light on some of the prominent smells that are emerging of late in the Agile world.


Jens Coldewey
Advisor

Middle Management in Flux

by Jens Coldewey

If you start changing an organization toward an Agile mindset, there’s no real end. Agile is about creating an organization of continuous learning and the transformation is done when there is nothing new to learn, which will probably be never. This puts an enormous challenge on middle management.


Article

Business Opportunities in the New Digital Age — Opening Statement

by San Murugesan

The articles in this issue present perspectives and ideas on business transformation in the digital age. We hope they will inspire and encourage you to visualize the likely future of business in your domain and to explore the opportunities it presents. Finally, we hope their insights will help you identify suitable transformation strategies and plans and, if needed, choose viable collaboration models for partnering with startups and other firms in your digital business efforts.


Advisor

Unlocking Value from Digital Initiatives

by Joe Peppard, by John Thorp

Beyond buzzwords, what we are seeing is a seismic shift in the role of technology in organizations. Technology is more and more embedded in everything we do as we move into an increasingly hyper-connected digital world, a world in which technology is driving significant social, organizational, and industry change.


Digital Data Steams impact bottom line
Webinar

Improve Customer Experience — Leverage Your Digital Data Streams

by Federico Pigni, by Gabriele Piccoli

In this on-demand webinar, you'll discover the strategic and tactical opportunities made possible by Digital Data Streams and the opportunities for improved customer experience made possible by DDS.


Lou Mazzucchelli
Advisor

Why Are They Twittering? A Modest Proposal

by Lou Mazzucchelli

At the Cutter Digital Transformation & Innovation Bootcamp, Cutter Fellow and Harvard Business School Professor Karim Lakhani talked about digitally-driven disruption of traditional business models for value creation and capture, discussing platform models like Facebook and Twitter. To date, Twitter has clearly done a good job “creating value.” But unlike Facebook, it continues to struggle with the capture part of the equation.


social collaboration
Executive Update

Seven Ways to Gamify Social Collaboration

by Phaedra Boinodiris

Social collaboration is not about technology. It’s about connecting people, and it’s changing the way business is being conducted. Similarly, gamification is not about games. It’s about motivating the per­sonal and professional behaviors that drive business value. Together, social collaboration and gamifi­cation help companies reap great benefits — among them, the ability to deepen customer relationships, drive operational efficiencies, and optimize their workforce. 


Figure 1 — Tracing a roadmap to projects.
Advisor

Using Roadmaps Strategically

by Roger Evernden

Roadmaps have two key functions in strategy planning. The first is to outline planned architectural changes that will deliver the required strategies; the second is to outline alternative ways to achieve the same results.


Article

Technology Trends, Predictions, and Reflections 2017: Opening Statement

by Cutter Team

Just as recent global events have given us reason to pause and reflect, the pace of technology emergence and disruption is proving to be a source of inspiration and uncertainty. Transitioning to a digital world is front-of-mind for many business executives, yet finding the right path is an ongoing challenge. So we asked Cutter’s team of experts for their insights on some of the technologies, trends, and strategies that will be relevant in 2017 and beyond. In typical Cutter Business Technology Journal fashion, our call produced a wide range of opinions and reflections worthy of consideration as you chart your business technology journey for the new year.


Article

AGI: A Threat, an Opportunity, or an Inevitable Unknown for 2017?

by Alexandre Rodrigues

Artificial general intelligence (AGI) is currently emerging as an area where recent developments are likely to have a major impact on the way organizations do business, societies organize themselves, and even on how we address values and ethics.

The fact is that AGI already exists in our daily life. A common example is the GPS systems present in many new cars manufactured today; and let’s not forget the drones being used to deliver pizzas and cars that drive themselves. While automatic pilots have been used in commercial planes for quite some time, what AGI is about to offer to general business and human activity is well beyond what most of us have seen so far.


Article

The Tech-Driven Tech Backlash

by Carl Pritchard

2017 is going to be a year of strange winners, and perhaps the strangest of all will be a giant leap away from technology and back to solutions that don’t rely on 24/7 connectivity. With the onslaught of major hacks and Facebook embarrassment, the antitech crowd may have its best year in decades. 


Article

Rapid Technology Innovation in Blockchain: Should You Be on the Front Lines?

by Nate OFarrell

One of the most prevalent blockchains in the world, Ethereum, is poised to switch from a proof-of-work (POW) algorithm to a proof-of-stake (POS) algorithm, likely in 2017, with the release of the Casper codebase. Why does this matter? Because blockchain technology is becoming increasingly relevant and prevalent in businesses across the globe. It holds great potential to disrupt how businesses perform basic transactions, from payments, to programmable, self-executing contracts, to identity verification.