Laying the foundations for Internet of Things security


There’s no point being an Internet of Things denier; it’s too late for that. It’s not too late, however, to start accepting that security could be a lot better. Which is where the launch of the Internet of Things Security Foundation comes in.

There’s no ignoring the Internet of Things (IoT); you only have to look at the numbers to understand why: Intel reckons 200 billion objects (or 26 smart objects for every human being on Earth) will be part of the IoT by 2020, and Siemens reports that this will equate economically to earnings of up to US $8.9 trillion by the same year. It should come as no surprise, then, that everyone is talking about the IoT, including IT Security Thing Managing Director, Ian Robson, with his ‘Internet of Good Things’ organisation that is creating a community of like-minded IoT thinkers and doers.

While I wouldn’t go as far as flipping Ian’s naming protocol a complete 360 and referring to it as an ‘Internet of Evil Things’ there are certainly things to worry about as well as celebrate. Not least the fact that many IoT devices have already proven themselves to be vulnerable to attack by those who would exploit them: from hacking into baby monitors through to hijacking smart toilets and router backdoors to name but a few.

You also have to take into account that the vast majority of the ‘things’ in the IoT won’t be devices as such, but rather sensors that feed data back to help manage whatever system it is they are managing. There are already plenty of conversations happening surrounding the use of such sensors in the smart city technology roadmap for example. The point being, IoT represents an emerging and very real threat vector and understanding the issues is paramount in being able to address security from the ground up as this burgeoning industry moves forward.

Discussion and collaboration are the first steps towards creating some kind of collectively developed standard framework within which IoT security, be that at the device level or from the perspective of information exchange, can be better implemented. Which is why I welcome the launch this week of the Internet of Things Security Foundation (IoTSF) that has a clearly stated mission to make the Internet of Things secure whilst aiding its adoption and maximising its benefits.

In order to facilitate this, the IoTSF will “promote knowledge and clear best practice in excellent, appropriate security to those who specify, make and use IoT products and systems.” All of which sounds very good on paper, but in practice will depend upon who is involved and how they can work with each other.

That it is non-profit, vendor-neutral, international in scope and has an interesting executive steering board helps to reassure that it, at least, stands a chance of making a difference. I was particularly pleased to see Professor Ben Azvine (global head of security research and innovation at BT), Ken Munro (from Pen Test Partners) and Kenny Paterson (Professor of Information Security at Royal Holloway, University of London) on board. The involvement of these people suggests that this will be more than just a talking shop; it will also be a doing shop. All it needs to do now is build on the 30 or so organisations, from global brands to academic institutions including BT, Intel and Vodafone, that have signed up already.

IoTSF spokesperson, John Moor, said of the launch that the “opportunity for IoT is staggering. There are a great many possibilities for businesses in all sectors including manufacturing, transport, health, home, consumer and public services. However, there are ever-real security challenges that accompany those opportunities. It is vital to the adoption of existing and new systems that security is addressed from the start, that it is fit for purpose and it can be managed over the lifecycle of the system. Our intention is simple – drive excellence in IoT security. By creating a dedicated focus on security, IoTSF aims to be the home for providers, adopters and beneficiaries of IoT products and services.”

French Caldwell, formerly a fellow at Gartner specialising in emerging risks, and currently chief evangelist of governance, risk management, and compliance at MetricStream, says “it’s often the case that laws and regulations come after major failures, so it’s a welcome change to have these leading companies coming together proactively. After all, the security challenges are mammoth.

“It’s not just the volume of data, but the rate of creation of data, and the number of end points that create greater security challenges.

“Information is being collected from your social and online activity, data from your smartphone on your health, data from your car, your shopping history from your credit cards, and data from your smart TV to create an extraordinarily complete digital profile. The predictive nature of these profiles could be used to discriminate or even to target individuals. Consumers will also be jailbreaking these devices for one reason or another. This could create security problems, but also creates safety issues.

“Perhaps someone wants their self-driving car to go faster than the speed limit – they may jailbreak it, and modify the programming to enable it to go well over the speed limit. Additionally, the industry needs to think about compatibility. Some IoT services may require integration of devices that may be operated by different vendors, with different operating systems, and written in different programming languages. ‘Glitches’ will abound.

“Also, what about when one vendor pushes out an update or patch, and that creates an incompatibility with other devices in the network. There’s a large potential for inadvertent failures – not so bad for your smart TV, but pretty awful for a failure of your smart fridge when you’re out of town, and perhaps deadly for the medical devices that are monitoring and assisting your elderly parent.”

Oliver Eckel, CEO of international security and pen testing company, Cognosec, which recently identified a critical vulnerability impacting one of the protocols underpinning certain IoT devices, warns that “in getting carried away by the opportunity the technology brings, we are charging ahead without considering the risks, and without securing the technology.

“Many IoT devices manufactured today use outdated standards or do not follow best practice recommendations, only mandatory requirements. As a result, each device added to a home increases the vulnerability of the network.

“As we connect everything to the internet, not just cars and fridges, but at some point even milk cartons and beer cans, the embedded processors get smaller and smaller, and work on minimal power consumption. As a result, securing and regulating the next generation of IoT devices will prove even more difficult.

“The greatest risk with the IoT is that a lack of decent security measures in the initial phase of the technology will result in the networked future being built upon a poor foundation. As the technology becomes more widely distributed, the vulnerabilities are sure to be exploited – a big enough issue for home networks, but considerably worse if ‘smart city’ networks are broken. It is integral that the industry remembers the lessons of the past, and secures the IoT before it’s too late.”