Is your webcam leading a life of its own?
The darker side of IoT security
Last month, security investigator Brian Krebs was the victim of the first large-scale DDoS (Distributed Denial of Service) attack by a ‘botnet of things’, when hundreds of thousands of IoT (Internet of Things) devices simultaneously tried to connect to his website. As a result, the site became overloaded and crashed.
Jeroen Slobbe & Beer Sijpesteijn - 27 October 2016
The botnet that took down Krebs’ site was Mirai, a network made up of devices such as video cameras connected to the internet. This attack illustrated the importance of an aspect of IoT security that has so far tended to be overshadowed: the risk that poorly secured devices represent for the network they are connected to – in this case, the internet. This risk can result in your webcam and your smart TV, fridge or kettle being used at night for very different things than you had in mind.
Factors driving IoT security
Our embrace of the IoT means that all sorts of products are now linked to the internet, including consumer electronics, medical devices and connected cars. Luckily, and thanks to various compelling factors, most manufacturers understand the importance of IoT security:
1. Privacy
Firstly, increasing attention is being paid to privacy. As well as for reasons of customer friendliness, manufacturers are now focusing on this as a result of the new European privacy legislation and the high fines they will have to pay under the forthcoming General Data Protection Regulation (GDPR) if they fail to protect users’ privacy. Data leaks and failure to report data leaks can also trigger substantial penalties.
2. Personal safety
A second factor is end-user safety, given that many smart devices have a physical function in the ‘real’ world. No one, for example, wants to see cars or medical devices causing more accidents than they prevent. That’s why regulations for manufacturers of these devices in the US market are becoming increasingly stringent, and why Europe, too, is working hard to incorporate security into legislation for connected cars and the manufacturing of medical devices.
3. Payment system security
Finally, there is the need to ensure that payment systems are secure. Smart devices can be equipped to make payments. Just think of a fridge that automatically orders milk when stocks are low. The device owner – and so also the manufacturer wanting to sell it – clearly has an interest in ensuring these payments are made correctly and on time.
Consumer privacy and safety, as well as secure payment systems, are in users’ direct interest and so force manufacturers to focus on device security. But what about the need to protect the internet itself and, therefore, society?
Responsibility for the ecosystem
In the case of Mirai we saw how poor device security allowed hackers to create a massive and dangerous botnet. And as shown by the earlier attack on the TV channel TV5 Monde, where not only office automation but also directing and camera systems were hacked and taken down, the impact on a business can be huge. The difference between these two hacks is that in the case of TV5 Monde, the hackers specifically set out to attack the devices, whereas in Mirai the devices were a means to an end, and that end was for them to become part of the botnet.
In this latter case, where hackers misused devices to attack another target, the above three factors are not so readily applicable. Even if the hack is detected, it is experienced differently because the effect on and harm to customers are less direct. Nevertheless, such an attack also represents a major security risk.
Manufacturers and users primarily apply security measures against hacks whose effects are directly evident, while the ecosystem itself – the internet – receives less attention and so is less than optimally protected. Extending the focus to include security measures that protect the ecosystem (even if none of the above factors is directly at stake here) will reduce the chances of a successful attack, such as that experienced by Brian Krebs.
Despite the IoT relying on physical devices being digitally connected, software is often the Achilles heel of IoT security. Developing secure software is not easy. It demands expertise and takes time. But given the general importance for society of ensuring that the internet operates smoothly and effectively, manufacturers and users also need to give proper consideration to ecosystem security. This way, the IoT – with all the great products for users and the gigantic market for manufacturers that it promises – will be able to succeed.
I am employed by Deloitte as a Security & Privacy consultant. I joined Deloitte after completing my Master’s in Information Security Technology at Eindhoven University of Technology, including a thesis on the hacking of implantable medical devices. My focus at Deloitte is on medical device security, technical privacy issues and ethical hacking.