McAfee’s involvement in the formation of the Open Interconnect Consortium—a group that aims to unravel the specification, certification, and branding around everything IoT—suggests that major industry players like Intel, Dell, and Samsung are ready to take a serious look at the need for better security.
Given the rapid market expansion of our smart world, a lack of universally agreed upon standards and protocols, and hackers’ uncanny ability to discover points of least resistance, it’s clear a conversation around “smart security” has become necessary.
Last winter, cybersecurity company Proofpoint confirmed the existence of “Thingbot,” a malicious cyber attack harnessing over 100,000 home appliances. As early as 2011, a compromised thermostat in the Chamber of Commerce was discovered, revealing an IP trail that led back to hackers in China, and recently experts at Context, another cybersecurity business based in the United Kingdom, posted the results of its successful attempts to hack into an interconnected lightbulb grid.
These types of attacks are concerning, not just due to the obvious threat, but because they can represent a chilling effect on innovation. Fortunately, the cybersecurity industry and others are taking notice, and the smart-device community can use these incidents as teachable moments.
So what are some key takeaways as we consider the threats and appropriate response?
Factor security into choosing protocols. There isn’t yet full agreement on connectivity protocol standards – and that may be a good thing. Device range, physical dispersion and density, and the role of the protocol (device to server, device to device, device to user) all factor into evaluating standards for transmitting data. Relative security should be considered as well, with the understanding that the more homogenous network protocols are, the more porous they can become.
Self-monitoring as a core design principle. This should become second-nature to manufacturers of devices and operating systems. Smart, connected products will need better self-diagnostics to detect data breaches, with the ability to update these functions and respond in the event of compromise.
Recognize the dual risks posed by compromised devices. Thingbot demonstrates that anything smart can relinquish system data or follow commands. The physical purpose of devices can also be subverted; light grids can be turned off, webcams can record us, traffic grids can be snarled, monitors can broadcast bogus messages, and even medical device implants can be controlled. Security design should apply to the brain and the body of smart devices.
Safeguarding the consumer. With the plethora of smart wearables already on the market, and the push for home appliance and DIY IoT projects, users are embracing the benefits of a smart world. Unlike work environments, we have less visibility and control over user practices. From leaving an unlocked smartphone at a bar to exposing a home grid through an unsecured wi-fi network, manufacturers need to find ways to close security gaps created by consumers.
Educate manufacturers. As blogger Brian Donahue points out, the designer of a smart device that monitors and regulates swimming pool chemicals isn’t weighing security threats as heavily as the team working on the next version of Windows. Attacks like Thingbot prove that mindsets need to change. IoT market leaders must respond with effective communication, education and toolkits to help downstream manufacturers.
Don’t just focus on prevention. Despite the best efforts of security experts, we’re all one successful attack away from a serious breach. Incident response is a growing industry and can play a much-needed role in mitigating damage. Effective strategies will combine IT response plans with automated response actions, such as compromised devices bricking themselves.
Prevent malicious data aggregation. The more smart devices and sensors that are established, the more data is being collected. While this means individual packets are smaller and compartmentalized, a much more complete “data picture” is capable of being assembled. Malicious data aggregation could enable unwanted identification and expose sensitive information. Like a smart investment portfolio, data should be diversified; safeguards should be put in place to resist attempts to reassemble or aggregate stolen data.
The Internet of Things is prone to the same perils as any rapidly growing technology – much like the internet itself was. A cursory search on the internet shows that there are more questions than answers when it comes to IoT security.
This year seems to represent a turning point, with security firms like McAfee, Kapersky, and Symantec moving to extend device security plans beyond smartphones. Like everything else about the fast-moving market, security providers who can deliver peace of mind will stand to benefit significantly.