Back in April, tech news was rife with stories about the Heartbleed bug, an OpenSSL vulnerability that could leak web servers’ private keys, making it possible for attackers to impersonate legitimate web sites.
Fortunately, widespread publicity and fast reaction led to few, if any, major problems. The Heartbleed situation highlighted once again the vulnerability of our Internet-dependent economy. Manufacturers can learn from these high-profile failures and make security a high priority as they implement IoT functionality, and assure users that they have managed the risks and vulnerabilities.
The opportunities seem huge. All signs point to the IoT taking off for consumer and industrial devices, with some 26 billion items connected to the Internet by 2020, in addition to PCs, tablets, and smartphones, according to a study by Gartner.
Although the Heartbleed bug didn’t lead to widespread breaches, it did point out the vulnerability of embedded hardware systems that cannot be patched, says cryptographer and security expert Bruce Schneier.
A vulnerability in a personal device is bad enough: in Australia, hackers took control of users’ iPhones and iPads and held them for ransom. Now imagine your house or a life-critical machine being digitally hijacked.
With prices for embedding connectivity continually dropping, Internet connections will show up in all kinds of devices, leaving them potentially open to hijacking, malware, and simple vandalism.
“This opens up the possibility of connecting just about anything, from the very simple to the very complex, to offer remote control, monitoring and sensing,” says Peter Middleton, research director at Gartner. “The fact is that today, many categories of connected things in 2020 don’t yet exist. As product designers dream up ways to exploit the inherent connectivity that will be offered in intelligent products, we expect the variety of devices offered to explode.”
To focus awareness on security gaps, Cisco launched the Internet of Things Security Grand Challenge and offered up to $300,000 in prize money for up to six recipients who develop proposals for IoT security. Winners will be unveiled later this year.
As it turns out, many devices that get connected to the Internet are dumb. They’re built with chips made by the lowest bidder and open-source firmware, and then they sit connected and unprotected for years, according to the paper “Security Challenges in the IP-based Internet of Things.”
With these dumb devices, no one is really responsible for security upgrades or patches in the same way that major operating systems receive security updates. Older devices may go unpatched for years as manufacturers concentrate on new products.
While manufacturers could use upgradeability as a feature to ease users’ security fears, Dan Geer, chief security officer at the Central Intelligence Agency’s venture firm In-Q-Tel, is encouraging IoT device makers to build a “self-destruct” function into devices so that out-of-date software becomes inoperable after a certain period.
A fail-safe mechanism is one way to deal with newly smart devices, such as building automation systems, that now link via the Internet to outside parties for data reporting and maintenance. Other protections may prove more effective or cost-efficient.
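One way to implement the expiry mechanism described above, as an added example that is not from the article, from Dan Geer or from any vendor: a firmware support-window check that drops remote-facing services once the vendor’s patch commitment lapses, or when the device clock cannot be trusted, while local operation continues. The function and type names, the two-year window and the build date are assumptions.

```c
#include <stdint.h>

/* Constructed example of a firmware "fail-safe" expiry check. The
 * names, constants and sample dates here are assumptions for
 * illustration, not from the article or any real product. */

#define SECS_PER_DAY 86400LL

typedef enum {
    MODE_FULL,       /* inside the support window: all services on   */
    MODE_LOCAL_ONLY  /* window elapsed or clock untrusted: remote off */
} op_mode_t;

typedef struct {
    int64_t build_time;   /* Unix time the firmware image was built */
    int64_t support_days; /* patch support the vendor commits to    */
} firmware_info_t;

/* Pick the operating mode from the image's build date and the device
 * clock. Remote-facing services are disabled once the support window
 * has elapsed, and also when the clock reads earlier than the build
 * date: an unset or rolled-back clock must not keep stale remote
 * services alive. Local control (e.g. thermostat setpoints) stays up. */
op_mode_t select_mode(firmware_info_t fw, int64_t now)
{
    if (now < fw.build_time)
        return MODE_LOCAL_ONLY;
    int64_t expiry = fw.build_time + fw.support_days * SECS_PER_DAY;
    return now < expiry ? MODE_FULL : MODE_LOCAL_ONLY;
}

/* Whole days left before remote services are disabled; 0 once expired
 * or when the clock is untrusted. Rounded up so a partial day counts. */
int64_t days_remaining(firmware_info_t fw, int64_t now)
{
    if (select_mode(fw, now) != MODE_FULL)
        return 0;
    int64_t expiry = fw.build_time + fw.support_days * SECS_PER_DAY;
    return (expiry - now + SECS_PER_DAY - 1) / SECS_PER_DAY;
}

/* Constructed sample: image built 2014-06-01 00:00 UTC, two-year window. */
firmware_info_t sample_firmware(void)
{
    firmware_info_t fw = { 1401580800LL, 730 };
    return fw;
}
```

In a real device the clock source would itself need to be authenticated (or replaced by a monotonic boot counter), since the check is only as trustworthy as the time it reads.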
In any case, such devices that were once contained within the walls of a building now communicate with far-flung servers and vendors, so security can’t be an afterthought. Even if a hacker doesn’t care about controlling a building’s air conditioning, the devices may be connected to the enterprise network, leaving a hole for bad guys.
For instance, the Target credit card breach began by someone gaining access to the company’s network via a vendor’s remote maintenance system for the heating, ventilation, and air conditioning. The HVAC system was inexplicably connected to the same corporate network that housed customers’ credit card data. That highlights the fact that policies and systems design are as important as hardware and software security.
This breach and the Heartbleed software bug have brought attention to the need for data security in all manner of connected devices, from ventilation controls to medical equipment. Going forward, manufacturers will have to manage myriad security vulnerabilities to create trust in the IoT.