There has been plenty of news around the Internet of Things, or IoT, as of late. Some good news and some not so good. In this blog I'll dig into what IoT really is all about and why people are so excited about it. I'll also touch on some of its less exciting parts, especially as they relate to security.
Most market research firms expect 20 billion connected devices to be in use and generating about 50 trillion GBs of data by 2020. Today around 12 billion devices are connected. So a pretty substantial growth trajectory going forward! With this comes a big revenue opportunity, and as a result a lot of companies are moving in to participate.
There is no doubt IoT will have a big impact on our daily lives. Today a myriad of devices are connected to the internet, from smart home devices supporting individual consumers (NEST, Racio, Samsung Refrigerators, door locks, etc.) to devices supporting traditional manufacturing, health care, farming, retail, auto, municipalities, utilities, etc.
Let's look at a couple of scenarios:
Video surveillance system
- The ability to control my home security system and video cameras from my smartphone app is super convenient and gives me peace of mind. I can also be alerted should the camera pick up unexpected movements. All for a pretty affordable price and easy installation.
The connected car
- Data gathering - Real time engine health monitoring and diagnostics should an issue occur.
- Safety - lane tracking and self braking are all features powered by interconnected proximity sensors and cameras.
- Convenience - built-in WiFi hotspots or the ability to automatically have the car pay for tolls. Informing the driver of upcoming points of interest and good deals based upon the driver profile are other potential features.
- Ability to easily track high cost medical devices from an inventory perspective as well as patient tracking for better (and more cost efficient) hospital visits.
- Connected infusion pumps with the ability to automatically order a refill from the hospital pharmacy.
Now to the not so good aspects of IoT.
The combined lack of security in all these devices can be harnessed by hackers. Recently (October 16th to be precise) a large-scale DDOS (Distributed Denial of Service) attack targeted Dyn (one of the key Internet infrastructure companies), preventing a number of high-profile sites such as Netflix, Twitter, Amazon, Reddit, Spotify and Tumblr from being reachable. What was unique about this attack was how it was orchestrated. A typical DDOS attack involves hijacked servers where malicious code uses up the servers' computing power to send a high number of requests to one or many sites. Instead of using servers, the October 16 attack leveraged millions of DVRs and CCTV video cameras.
In a less publicized DDOS attack, a slightly different version of the malware used in the October 16 attack was used to take down a well-known security expert's site. To get a sense of the magnitude, this DDOS attack generated 620 Gbps of traffic, which was almost double the size of the largest DDOS previously recorded. Furthermore, it almost took down Akamai, which manages a lot of the Internet content distribution. Again DVRs, routers, and other devices were used to orchestrate the attack.
Using devices to take down sites is one thing. The bigger risk, and the reason security is critical for the IoT fabric, is the impact. Not being able to access your favorite Netflix show for a day is one thing. Having somebody hack your car while you are driving 70 mph on the highway involves physical harm, if not life-threatening danger. A hacker hijacks your car and demands your bank information or else. Wired has a good article about this. Be aware, Jeep owners: https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
Another example would be a thief hacking your home surveillance system. Aside from the privacy aspects (which are a topic for later), the thief can now monitor when you are home. After watching you pack your suitcases and leave the house, the thief moves in.
In our connected infusion pump example from above, efficiency can turn into a nightmare should the pump be hacked, as the wrong dose can be delivered to the patient, a potentially life-threatening situation. Another Wired article: https://www.wired.com/2015/04/drug-pumps-security-flaw-lets-hackers-raise-dose-limits/
Call it fear tactics, but the lack of security is pretty bad: hardcoded usernames, passwords stored in clear text, factory default passwords, unencrypted transmission of sensitive data, and a lack of patch or maintenance programs to support the devices. Just ask yourself: when was the last time you updated your wireless router firmware? Or changed the admin account credentials for the router? Not the general access credentials but the admin account credentials.
Needless to say a common security framework is badly needed. Question is whether a large scale breach is needed for the industry to come together after public outcry or whether a common framework can be defined beforehand to prevent such an event.
Good thing is that many entities are looking at this problem today including some of the largest device manufacturers in the world. Europe is also driving a framework from a holistic point of view but of course it doesn't include agencies outside of Europe.
I'll address the privacy concerns related to data collected by all these connected devices in my next blog.