Several articles have been written on IoT security, and the “Internet” in IoT leads to the unfortunate conclusion that cybersecurity is the answer. This blog addresses the key IoT security challenges and their ‘force multipliers’ to support this assertion. After all, acknowledging the problem is the key to finding the right solution. That said, let us start with the indisputable volumetric facts. According to a report by Statista, the number of connected devices comprising IoT across geographies currently stands at over 23 billion. By 2020, the number will be 30 billion, and by 2025, the world will see over 60 billion IoT-connected devices.
However, this makes enterprises and consumers even more susceptible to cyber threats. Designing and managing robust and scalable IoT security solutions is daunting, as it requires deep security expertise across an impossibly broad set of domains (hardware, software, networking, protocols, storage, analytics, mobility, etc.) and across disciplines such as design, manufacturing, and operations practices. The black hats are aware of these deficiencies and leverage them to find the weakest chink in the armor to infiltrate.
Fortunately, the folks at the Open Web Application Security Project (OWASP) have taken the initiative to build a comprehensive list of IoT vulnerabilities along with threat assessments. It correctly indicates that most of the threats are relatively easy to exploit. The reason this matters is that a botnet of weaponized IoT devices can have a disproportionately high impact on both consumers and enterprises. Dissecting IoT security for root causes yields some key challenges that need to be addressed.
The various facets that make IoT security particularly challenging are:
Portable devices are typically battery-powered, with tight energy budgets and very limited computational strength. The compute workload of certificate-based encryption and decryption is usually impractical for them. This restricts cybersecurity to a subset of IoT devices like manufacturing robots, vehicles, and medical machines (e.g. X-ray and MRI). Thus, portable devices provide plenty of toeholds for black hats in a world of ever-increasing smart portable devices.
Typical IoT solutions include a full stack of components like sensors, hardware, firmware, networking, communication protocols, infrastructure, databases, analytics, applications, business processes, and integration with enterprise systems that need to work cohesively together for robust, scalable end-to-end security. Since these components are owned by different divisions within multiple organizational silos (led by various CXOs), inadequate collaboration and processes leave gaps for exploitation.
CISOs are in a particularly interesting dilemma. The charter of a CISO at an IoT device manufacturer is to protect the manufacturer, not the enterprise purchasing its IoT devices. A weaponized IoT device therefore leaves an open question of which CISO is accountable.
Standards typically address parts of an end-to-end IoT solution and allow for the flexibility required in their domain. Otherwise, all products complying with a standard would be identical; in reality, they are not designed to interoperate seamlessly with products built to other standards. Thus, a comprehensive standard, or interoperability among the various standards, remains uncharted territory, and the lack of it can result in exploitable weaknesses. Fortunately, many standards organizations, including the World Economic Forum, are working diligently on this issue. They are encouraging governments to contribute, adopt, and incentivize adoption.
Public Key Infrastructure (PKI) and security components are crucial for cybersecurity. The invalidity of some key tenets leads to the assertion that cybersecurity is overextended for IoT:
- Perimeter-based Defense: Devices (servers, laptops, and web applications) residing in a data center have to be protected from the black hats on the internet. Hence, the key tenet of layered “Defense in Depth (DiD)” uses perimeters protected by firewalls and other resources.
IoT devices inherently reside outside the data center and can be accessed at length for weaponization, including reverse engineering. The perimeter-less nature of IoT devices renders moot the perimeter-based tenet.
- Computational Horsepower: The devices (laptops, desktops, and servers) have plenty of computational horsepower for PKI to be effective.
As articulated above, resource-constrained devices that were at best an esoteric corner case in cybersecurity are now mainstream in IoT. For example, the cryptography-based security that runs comfortably on a mobile phone is simply impractical on a Fitbit.
- Complete Control: Secured portable IT devices (laptops and phones) are designed to be always under enterprise control and managed by IT personnel. They are purchased in thousands and secured before being allocated to employees.
IoT devices number an order of magnitude more, and are handled by multiple entities, from offshore mass-manufacturing vendors, shipping agencies, and distributors, through transportation after procurement by the enterprise, to deployment in the field. Essentially, the device can be tampered with at the weakest link in the chain, from tampering at the factory itself to dumpster diving for discarded devices to reverse engineer, harvest certificates, etc.
Bring Your Own IoT
People are enamored by smart/connected gadgets, and IoT devices are right up there among the top for their convenience. When installed in an enterprise, the risk profile increases, as most users are unaware of the risks. This is further exacerbated by the fact that these IoT devices are often invisible to IT, which also lacks the tools to accurately detect them. Furthermore, assessing the risks associated with IoT security issues is an almost impossible task.
It is quite apparent that these key facets extend beyond technology and, hence, need a comprehensive solution framework that is extremely easy for novices to use and also cost-effective to implement at scale.
The Force Multipliers
So far, we have identified the root causes that make IoT security particularly challenging. However, the situation is further aggravated by ‘force multiplier’ factors. So, let us examine them and their impact on IoT device security.
- Revenue Gold Rush: Never underestimate the intense pressure for new revenue, and IoT offers an avenue. Revenue pressure combined with the cost of security results in highly porous security measures. The CloudPets connected teddy bear breach, which exposed 2.2 million voice recordings between parents and their children in 2017, is one such example of weak security.
- Architectural Complexity: An IoT device is typically accompanied by services that include hardware and software components. These elements and their integrations are designed to meet the requirements. The typical components are:
- Device firmware, local applets, lightweight database and analytics engines, web servers, connectivity, and protocols
- Layers of backend services like ingestion, storage, analytics, applications, and management
- Integration with enterprises and partner systems
The complexity of these components across the device and service life cycles significantly increases the attack surface and, thereby, the cost of securing it. The IoTroop/Reaper malware is an example: known vulnerabilities in various software components, internet-capable cameras, and gateways were leveraged to weaponize millions of devices into one of the largest DDoS (Distributed Denial of Service) attacks to date.
- Complacency: “My IoT device transmits only sensor data, why would anyone bother to attack me/it” is a common refrain used by most enterprises. This incorrect threat assessment is one of the key reasons that IoT devices can be weaponized in millions for a multitude of nefarious actions. In 2016, the Mirai botnet exploited well-known and hard-coded administrative credentials embedded in IoT devices to weaponize those devices into a massive internet-crippling DDoS attack.
- Attack Sophistication: As cybersecurity tools have inoculated enterprises, the black hats have evolved the sophistication of their exploitation tools and techniques. For example, in 2017 an innocuous IoT device in the tropical fish tank of a large casino lobby was used to infiltrate the casino's datacenter and extract 10GB (its high roller database) out through the compromised IoT device! The CIOs/CISOs of both the IoT manufacturer and the casino underestimated the security risk.
- Creative Monetization Methods: The traditional monetization model aimed at stealing high-value marketable data and selling it to others. Since then, monetization has become much more creative and disruptive:
- Ransomware: Data is locked away until sold back to the owner.
- DDoS: The IoT device is used to deny the victim its revenue.
- Crypto-mining: The compute horsepower is used to steal cryptocurrency.
- Botnets: The infiltrated IoT device is used to find and infiltrate other IoT devices.
Essentially, the hackers have found creative ways to monetize whatever they can infiltrate and will continue to do so.
- End-user Habits: The ability of the average user to keep up is pretty much exhausted as technology grows more complex. For example, many consumers never change credentials, avoid certificates, use a simple username/password, or keep the default credentials. When the threat is not apparent, security is an inconvenience. As a result, most users take any shortcut they can, even when they are aware of the best practices. The infamous Mirai attack is the result of no/weak passwords (it carried a list of about 60 commonly used weak credentials) and took a scant 10 minutes or less to break through. Hence, Mirai was able to spread rapidly, as each infiltrated device was immediately turned into an attack bot to infiltrate other devices and mount an attack.
The main reason to enumerate these ‘force multipliers’ is that they are human behaviors, which are much more difficult to influence, and the technology or solution needs to be designed to negate them.
Overcoming the Headwinds
While IoT challenges and ‘force multipliers’ may appear insurmountable, the journey begins by acknowledging them and stepping back a bit for a fresh look at the situation to identify a bold, creative, and comprehensive solution. A robust solution with the right paradigm not only spans the entire life cycle but is also adaptive to existing and emerging threats in an extremely easy-to-use and trustworthy manner. In future articles, we will systematically explore the paradigm shifts required to create a solution framework that can address these IoT challenges.
About IoT WoRKS™
IoT WoRKS™ is a dedicated Internet of Things (IoT) business unit of HCL Technologies. Our award-winning, best-in-class, customer- and industry-specific, deployment-ready solutions, co-created with customers, enable them to maximize effectiveness and returns on their asset investments. Rated as a global leader in IoT consulting and services by top analysts, our solutions enable IoT-led business transformation through the creation of more efficient business processes, new revenue streams, and business models that deliver measurable business outcomes. The transformative impact of IoT is realized by IoTizing the ‘things’, connecting the assets to a data platform, and then using the data to derive business insights and make business decisions, which ultimately lead to changes in the enterprise’s processes and people practices.