Until recently, IoT security concerns were in the realm of experts and doomsayers. The recent Mirai malware attacks, however, have everyone paying attention. The attack on Dyn, which manages much of the internet’s DNS infrastructure, demonstrated the power of IoT devices to be the ultimate attack platform. More than 80 major websites were affected by the combined distributed denial-of-service (DDoS) attack that was launched from botnet malware installed on IoT devices, such as CCTV cameras and DVRs. Dyn estimates the attack involved upwards of 100,000 infected devices. In an earlier attack of the same type, the KrebsOnSecurity website was bombarded with 620 Gbps (!) of traffic originating from the compromised devices, causing a complete shutdown.
DDoS attacks are only one possible threat from infected IoT devices. For example, at DEF CON 2016, researchers demonstrated ransomware-infected smart thermostats, showing that IoT ransomware may be a very real threat in the future. Spying and espionage attacks are also possible via IoT devices: compromised remote cameras, baby monitors, TVs — the opportunities are endless.
Unlike cyberattacks on computers and mobile devices, IoT attacks have the potential to be life threatening. Imagine what compromised additive manufacturing devices can do. Recently, researchers demonstrated they could hack a 3D printer and insert malware that allows them to alter part designs, thereby creating hidden defects in cars and drones that cause them to crash.
Network-level vs. device-level defense
Interestingly, when we look at the landscape of IoT security, we mostly see the same faces: managing IoT security at the network level, detecting IoT attacks at the network level and blocking IoT attacks at the network level. Undoubtedly, network-level security for IoT is an emerging and promising market. But we already know that network-level defense has its limitations: at the network level you cannot inspect encrypted traffic, and attacks can evade traffic analysis by hiding within legitimate traffic. As in endpoint cybersecurity, we know that real and deep security can be obtained from software installed on the device itself. In other words, network-based protection is good, but it is not enough.
Diversity, diversity, diversity
So why — unlike in the case of endpoint security — do almost no in-device security products for IoT devices exist? Three main issues pose a real challenge for security vendors in developing and maintaining products to run on modern IoT platforms.
- The diversity of IoT hardware. IoT is actually a mixture of systems, composed of various types of CPUs and chipsets from different vendors. ARM-based platforms dominate the market, but Intel continuously pushes its own IoT platforms. In addition, there are multiple manufacturers of IoT development boards — everybody uses their own hardware architecture with integrated circuits, processors, chipsets and so on.
- The diversity of IoT operating systems. The situation at the software level is even worse. There are about 10 leading operating systems for IoT, as well as many other substantial ones. Google is trying hard to push its platforms, such as Brillo and Fuchsia, while Samsung is also about to introduce its own IoT OS named IoTFuse. We also have the traditional Linux distributions adapted to IoT, like Ubuntu. More recently, the Linux Foundation announced the Zephyr™ Project — a collaborative effort to build a real-time operating system (RTOS) for IoT. And finally, giants like Microsoft are adapting their Windows-based operating system to support connected and IoT devices. Independently, there are many smaller open source and closed-source embedded RTOSes in this market.
- The diversity of software versions (or the “never patched” problem). Most IoT devices were not built with patching and updating in mind. Cameras, routers, printers, sensors and the like have their own internal firmware, which usually works for years without an update. As a result, there are many IoT devices with different versions of kernels, frameworks, web servers and applications. The online-update, instant-patch paradigms that are in use in modern OSes haven’t fully arrived in the IoT world yet.
The problem for security vendors is clear: We have a jungle of IoT devices with different hardware, managed by various types of operating systems and running applications of different versions. In this state, developing and maintaining an IoT-wide security product is very challenging, if not impossible. This is the reason that security vendors are going to the most convenient place to reside — the network — despite its limited surface. The lack of real in-device security paradigms and solutions for IoT means that we can expect to face many IoT security issues in the near future. To handle the upcoming waves of IoT attacks, malware and security threats, there is a need for a real paradigm shift in the development of defense measures for IoT.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.