Does the phrase “internet of things” cause people to forget everything they ever knew about security? It sometimes seems so. Best practices like defense-in-depth and role-based access controls? Out the window once IoT enters the picture. That said, there are systematic differences that should make us view security differently in an IoT world.
Here are seven factors that set IoT security apart from physical security and even many aspects of conventional IT security.
1. Lifecycle mismatch
Many types of physical objects — buildings, automobiles, refrigerators, light switches — last a long time, decades even. They typically require maintenance, but they’re often not replaced until the repair bills get too high or they just don’t work. We certainly don’t expect to replace them because a manufacturer decided not to support them after five years.
Yet much of the software involved in IoT is intended to be disposable. There may be no provisions for upgrading client devices at all. Software support for even relatively expensive consumer devices is usually just on the order of a few years.
From a security perspective, this means otherwise functional devices are likely to be exposed to unpatched vulnerabilities as they get older.
2. General-purpose extensible devices
If these network-connected systems used specialized hardware and software to operate and communicate, outdated software wouldn’t necessarily be a major issue. It would likely be hard to force such devices to take actions they weren’t originally designed to take.
However, in practice, it’s very common for IoT devices to effectively be general-purpose computers running open source operating systems and network stacks. There are good reasons for this; among other things, it’s easier (at least in principle) to update them and add new capabilities over time. However, it also means that an attacker who gains control of a device has more options to wreak havoc.
3. Bad economic incentives
None of the above is unfixable. We keep industrial equipment running for decades. Software vendors, including my employer, offer a variety of extended life support options for subscription products. These models work because customers are willing to pay for ongoing maintenance and support at levels where it’s profitable for vendors to supply them.
Those same incentives aren’t in place when you buy a light switch, or perhaps even a vehicle. No consumer is likely to pay for an ongoing light switch contract. Some may do so for cars, but it’s not common after the initial warranty period. As a result, there are no incentives for most device makers to continue supporting what they’ve sold beyond a fairly short window.
4. Connected by default
Vulnerability to attackers who connect to an IoT device or gateway wouldn’t matter so much if making that connection were difficult or impossible. But increasingly it is not. The norm is to connect to networks, usually wireless networks, and often public networks. Even when there’s no compelling reason to do so.
It’s long been recognized that protecting computer systems against intruders who have gained physical access can be extremely challenging. (Witness breaches at the NSA and elsewhere.) However, pervasive and routine network access introduces many of the same threat vectors. Certainly it creates a far greater attack surface than physically isolated systems.
5. Ecosystem effects
When general-purpose, network-connected computers are breached, it doesn’t just affect the target of the attack.
Data breaches can affect millions of customers when sensitive information is stolen; this applies whether we’re talking IoT or more conventional IT systems. IoT multiplies the issue by collecting more and more ambient data that people may not even be aware is being collected.
Ecosystem damage can go beyond data. The Mirai botnet’s DDoS attack caused significant disruption to the internet as a whole. It resulted from outdated versions of Linux on webcams being turned into remote-controlled bots for large-scale network attacks.
6. Common widespread failure modes
Speaking at the Open Source Leadership Summit earlier this year, security expert Bruce Schneier noted that computers and networks fail in a different way than non-computerized systems. “You worry about crashing all the cars. You’re concerned about the five sigma guy, not the average guy. It doesn’t happen in lock picking in the same way,” he said, because no matter how skilled, one person can only break into one physical building at a time.
I mentioned the Mirai botnet earlier. But it’s the nature of IoT and connected systems more broadly that vulnerabilities and attacks usually affect many systems. Of course, individual attacks can still lead to data breaches or the shutdown of a critical system. But even breaches that would be relatively innocuous in isolation can cause serious failures in systems like the power grid if multiplied by a thousand or a million. Scale matters.
7. Actuators can affect our environment
We’ve seen how IoT can differ in scale, connectedness and vendor support from more conventional IT systems. But if I had to pick one aspect of IoT that’s fundamentally different, it’s this one: IoT is not read-only.
Schneier calls it “an internet that affects the world.”
Software already controls many critical systems or directly tells humans what to do. But the degree to which IoT is replacing manual and disconnected controls pervasively and by default is striking.
That IoT can take physical actions may not really change its security model, but it certainly raises the stakes.
We prioritize features. We prioritize low prices. We prioritize today. We do not prioritize security over a product lifecycle that may span decades. In devices that have the power to affect the physical world.