 "Monster toaster: The risk of the phenomenon called Internet of Things")
The internet was literally designed to withstand nuclear weapons. But, as Jeff Jarmos of Salesforce once pointed out, it is vulnerable to toasters! Irony apart, this is literally true. The internet stayed functional through 9/11 and tsunamis but it can be taken down by malware delivered via smart toasters.
The potential danger of an attack targeting the Internet of Things (IoT), or devices that work unsupervised, is immense. Avinash Chugh, technology principal at ThoughtWorks, a software consultancy, says: “An IoT attack could bring down a city’s power supply, tamper with manufacturing, stop a car in the middle of a highway, overflow tanks on an oil rig, shut down ventilators in the ICU, or tamper with a pacemaker.”
In fact, these scenarios are culled from actual incidents. In early 2014, network managers noticed spam flooding out of a botnet, a network of compromised computers and phones. But one-fourth of the 100,000-odd “bots” in this net were IoT devices.
It was a first. Fridges, DVD recorders and web-TVs were being used to mail links to porn and malware. A few months later, “white-hat hackers” demonstrated they could remotely hack into a car and take it over — while it was being driven. They hacked into the navigation system and took over the engine and controls.
In December 2015, Ukraine’s power grid was shut down, leaving 230,000 people in the dark. It took over three months for full recovery because the attackers remotely wrote malware into the smart grid control devices. The grid was forced to revert to manual control until the infected devices were replaced.
In September, the blog of a cyber-security expert, Brian Krebs, was hit by a distributed denial of service (DDOS) attack. In DDOS attacks, the target is flooded with simultaneous requests from many nodes until the bandwidth is overwhelmed. Kreb’s blog was hit by over 1.5 million bots. The attacking devices were security cameras and DVD recorders.
More From This Section
In October, a similar botnet attacked internet service provider Dyn and knocked out services across the US east coast. This took down giants like Twitter, Spotify and PayPal. Again, cameras and DVD recorders were used. These devices were taken over by malware called Mirai that inputs combination of simple default passwords into IoT devices (typically, username: Admin; Password: Admin).
Despite such highly publicised instances, users often don’t bother to change IoT defaults. A search engine, Shodan, specialises in finding IoT devices. One of its popular features is that users can look at live feed from webcams that have open access. The feeds at any given instant will include ATMs, people’s bedrooms and check-out desks at malls.
Obviously, new security challenges will arise as IoT becomes ubiquitous. There are about six billion IoT devices now and, by 2020, Gartner estimates there will be over 20 billion. According to Sajan Paul, director (systems engineering), Juniper Networks, some IoT devices are in closed user groups such as virtual private networks that have some degree of perimetre security. All others are on open internet.
When HP investigated 10 popular IoT devices (thermostats, garage door openers, smart locks), it discovered that, on an average, each device had about 25 potential vulnerabilities. What is more, many IoT devices run on firmware (code embedded in chips), which means vulnerabilities cannot be easily rectified.
The push to connect everything means that every industry and modern home is grist to the IoT mill. New white goods and home appliances are “smart” and web-capable. Every modern car has a chip-controlled engine and navigational systems. Fridges, TVs, microwaves, air conditioners, lighting systems and cameras are all logged into the internet. Assembly lines use IoT, and so do climate scientists and farmers. Power grids and telecom networks are smart. Very large crude carriers are logged in, along with truck fleets. Defence equipment is smart.
Devices unsupervised by humans present different problems in authentication of identity. Deepak Visweswaraiah, vice-president & managing director, NetApp India, says: “Multi-factor authentication is used to layer security. But this requires human agency. IoT security must be built into products.”
According to Anand Ramamoorthy, managing director (south Asia), Intel Security, there are three distinct ways hackers can compromise IoT devices.
Data breaches
Connected devices collect data on consumers, ranging from spending habits to medical data, TV viewing history and eating habits.
Cross-device access
IoT devices connect to a smartphone, a computer or to a Wi-Fi network. This introduces an additional path to access sensitive devices.
Botnets
Quite a few IoT devices lack sufficient security and encryption, making them vulnerable to hackers seeking to grow botnet armies.
IoT security is in its infancy, Umesh Puranik, principal architect-CTO, Persistent Systems, points out. “There is no standardisation, as of now,” he says. “Given multiple domains within IoT, it is unlikely that there will ever be one solution to all scenarios.”
Prateek Pashine, president (enterprise business), Tata Teleservices, says what makes the security challenge more difficult is that IoT comprises multiple components, such as the device, the application, connectivity. “The fact that these components may come from multiple vendors adds to the complexity.”
“One issue is the lack of liability for equipment makers,” adds Pandurang Kamat, chief architect (Innovation and R&D), Persistent Systems. “For example, the camera maker was not held accountable for the DDOS attacks.”
Paul of Juniper Networks feels security standards must evolve. “It’s hard to know where an IoT device is manufactured, or to check firmware to see if, say, 10 lines of malicious code have been added. Most stuff is built on open source, so it is also relatively easy to hack.”
This will require cooperation across domains. Telecom service providers could play a big role here as network guardians. Companies like Ericsson and Juniper Networks work with telecom service providers.
Srinivasan CR, senior vice-president (global product management & data centre services), Tata Communications, says, “Scrubbing, as we call it, ensures the network layers act as the first line of defence. This means that legitimate traffic gets through, and malicious traffic is mitigated at source rather than near the target network.”
Yet scrubbing is only the first line of defence.
Chugh of ThoughtWorks fears that current techniques may not be enough. “Enterprises will need to start securing wearables, sensors, even securing technology we might not foresee today. This will need evolving security practices in a way that enables frictionless collaboration among devices.”
Some of the privacy implications of insecure IoT are terrible, especially in India that doesn’t even have an explicit data protection law. Visweswaraiah of NetApp takes the example of health care. “IoT has the ability to collect medical data in real time from wearables, to monitor health and assess say, high blood pressure. This data is sensitive.”
“General awareness of the need for user privacy in society has increased, leading to a greater focus on the protection of user metadata and communication,” says Ekow Nelson, head of business unit (IT & cloud), Ericsson India. “This issue has become even more central given developments in big data.”
Indeed, big data is one of the areas where IoT could bring about a transformation. IoT will enable better health care and life support, and more granular understanding of consumption. Usage of smart lighting systems and smart ACs indicate how often the user is at home. A fridge logs food consumption. The car logs trips. We can only guess at possible new applications as this data builds up.
Lucideus is a digital security consultancy that works at the intersection of IoT, cloud and artificial intelligence. “I will not be surprised if there is soon specialisation that only deals with IoT security. We do not need security products, what we need is secure products,” Saket Modi, CEO, Lucideus, says.
The security issues have meant that IoT has not been implemented as quickly as it could have been. In surveys, many say that they are hesitant about security and privacy issues.
Yet, despite the fears, adoption is a given. IoT is simply too useful. Estimates of economic value vary. Gartner estimates that the global IoT industry should be worth $1.4 trillion now and assumes that by 2020, IoT could be worth $3 trillion. (Global GDP was $78 trillion in 2015 and India’s economy is now about $2 trillion). Nasscom sees an IoT opportunity of about $15 billion by 2020 for Indian players. This is a small slice of a very large pie and it may be an underestimate.
IoT will clearly result in efficiency gains across multiple sectors. Continuous tracking of machines reduces repair costs and downtime. Supply chains tighten as inventory management improves. Disaster management may improve.
However, every IoT device is a potential security risk.
Gemalto makes smart meters and also caters to other M2M specific fields like home automation, routers, medical equipment and Point of Sale. It tries to ensure that security involves the device, the cloud, and the user interface for the entire life span of the devices.
In order to cash in on the promise of IoT, users must develop new security standards and a collaborative approach required to minimise the risks.
DIY guide to basic security
Your home network consists of a router, possibly a wired connection (LAN) and the devices connected to the network (computer, mobile, printer, fridge)
- Log into your router and change the password to something you remember that can’t be easily guessed (dog’s name + wedding anniversary date, for example).
- The default password will be something like username: Admin, Password: System. If you don’t know it, search the internet for default passwords for your router model. If your internet service provider has reset passwords, ask it for the username and password and change it.
- Download some network management tool like Fing. Install this on your phone/PC. Use it to check what devices are on your network. Kick out anything you can’t recognise.
- Set your own SSID (the network’s name) and password for your Wi-Fi network. Make sure that your Wi-Fi doesn’t broadcast its SSID. Your phone company will normally set your Wi-Fi password to your mobile number, only your mobile number is discoverable by random strangers.
- If you’ve bought something like a network attached storage drive, or a smart printer/ scanner, set a strong password for that device. Don’t keep it online except when you need it.
- If you have a smart fridge, or smart home theatre system, change the username/ password combos. Or else, don’t hook it to your Wi-Fi.
- Keep notes of all usernames and passwords written in hand in a notebook that other people in the house can access at need.