
Internet of Things security may be a losing battle

Experts say the battle to mitigate Internet of Things security issues may be slipping away from the infosec industry before it even begins.

CAMBRIDGE, Mass. -- According to a number of security luminaries, the Internet of Things has the potential to disrupt and transform society in the same way the printing press did centuries ago. But much like the Internet's creators came to regret ignoring security in its early days, when it comes to securing the millions of emerging Internet-connected devices and machines, the information security industry may already be falling behind.

That was the overarching theme of Wednesday's inaugural Security of Things Forum, uniting security professionals to discuss the most pressing Internet of Things security issues. According to a recent report from Gartner Inc. -- which estimated 26 billion devices will be connected to the Internet by 2020 -- Internet of Things (IoT) security problems will force enterprises to rethink their IT security strategies much in the same way bring your own device and cloud computing have shattered the idea of the traditional network perimeter.

"Every time we have a major inflection point, we seem to make the same mistakes," said Earl Perkins, research vice president with Stamford, Conn.-based Gartner. "We allow it to get away from us and end up playing catch up for the next five to 10 years."


Josh Corman, chief technology officer for Fulton, Md.-based application security vendor Sonatype Inc., warned attendees that the battle to secure IoT may already be slipping away from the industry -- and that's before billions of home appliances, motor vehicles and medical devices join the fray.

IoT devices at risk

For example, last year researchers Charlie Miller and Chris Valasek showed how cars could be hacked by sending commands over a vehicle's internal network from a laptop plugged into it, said Corman, with the duo demonstrating the ability to disable a car's brakes, accelerate its speed and even take control of the steering wheel. Corman admitted that even he had not understood the extent to which cars are controlled by software.

"We're driving a computer on wheels," Corman said. "For the next 24 hours, every time you see the word 'software,' replace it with the word 'vulnerable.'"

Corman also pointed to research by the late Barnaby Jack to hammer home just how insecure IoT devices are today. Starting in 2011, Jack demonstrated on multiple occasions how hackers could control the dosages delivered by insulin pumps to diabetics over the pumps' wireless link, potentially exposing victims to lethal amounts.

Ultimately, he said, the general public and the manufacturers of such devices are unlikely to take security concerns seriously until real-life, catastrophic events take place -- much in the same way environmental regulations in the U.S. weren't embraced until the Cuyahoga River in Ohio caught fire in the 1960s, sparking a wave of concern.

"Why the heck is there Bluetooth on an insulin pump?" said Corman, who questioned whether the benefits of Internet-connected devices actually outweigh the risks. "[It goes] back to that cost benefit. We're taking the benefits, but we're not assessing the risks."

Dan Geer, chief information security officer for Arlington, Va.-based In-Q-Tel, a government-funded investment firm that helps incubate technology for the CIA, said the benefits of IoT are driving society to be increasingly dependent on machines that communicate with each other. In terms of how IoT already affects the U.S. food supply, Geer said tractors on farms are connected to GPS, vegetables and fruits are sorted by robots, and even livestock are tagged with RFID chips; the efficiencies derived from that interconnectedness mean there is never more than a week's supply of food in the chain.

Whereas those embedded systems have in the past remained unconnected from the Internet, Geer warned attendees that as manufacturers seek to control such systems remotely, the risk posed by that new connectivity may not be easily contained.

Considering that embedded systems manufacturers to date haven't often provided firmware updates, Geer questioned whether such "immortal" IoT devices -- always connected but lacking security support -- would be angelic or demonic.

"The longer-lived these devices [become], the surer it will be that they will be hijacked within their lifetime," Geer said. "Their manufacturers may die before they do; a kind of unwanted legacy much akin to superfund sites and space junk. The Internet of Things … should raise hackles on every neck given our current posture."

How to secure IoT devices

While the security industry is just beginning to come to grips with IoT, Geer said the industry also needs new technologies to secure IoT. Unfortunately, Geer indicated such investments are unlikely in the short term because nobody wants to fund them.

Hypothetically, he said, a company could offer technology that would lock down, say, a processor once it leaves a fabrication factory -- potentially preventing attackers from inserting backdoors at the hardware level -- but it's unclear to him which stakeholder in the supply chain would be willing to buy such a product.

For attendee Mark T., a long-time investor in sensor-related startups, the impetus for better IoT security measures needs to come from the businesses utilizing IoT devices. In a previous venture, Mark said his company had created sensors for the restaurant industry that measured waste runoff from grease traps and the like -- a product for which he did not implement any security controls because he assumed restaurants would not care. Surprisingly, he was forced to reassess that assumption when restaurants requested certain security features based on industry regulations.

"I put in a PIN and that made them happy enough," said Mark T., who noted that the fear of regulatory fines was the driving factor for his customers, not security concerns.

Corman said manufacturers of IoT devices are unlikely to consider implementing better security measures unless customers are willing to press for change. In the case of Jack's insulin pump hack, for example, Corman implored attendees to question their own personal doctors about the incident and the general security of other medical devices, with the hopes that doctors and hospitals, the largest purchasers of medical equipment, would take those concerns to the manufacturers.

Corman said -- given that defending IoT devices is much more difficult than attacking them -- consumer pressure is needed sooner rather than later.

"Are we too early or too late? In some ways, I think we're too late," Corman said. "Our best and brightest are spending billions of dollars on security controls -- and even in areas that don't matter that much [like securing easily replaceable credit cards] -- and we're still having breaches on a regular basis. This has pretty big implications for the Internet of Things."


What change should happen today to prevent future Internet of Things security issues?
They should be certified for safe use as medical devices (I hope) are.
We can do various things along the IT device supply chain; from chip to casing and cables, but we also ought to look at some analogue of animal "imprinting" of the device with the end user. Then we could use this imprinted relationship as the basis for authenticating any change in the configuration or operation of the device and of the information exchanged between it and the outside world.
It would operate somewhat like a permanent digital bio-recognition and authentication record native to the device.
Most of the security breaches have occurred because of phishing.
Phishing advertisements for free products and services with a survey, or for trial software downloads, should be banned; the SEC or consumer protection should police Internet advertising. Any misleading advertisement should be punished by law. All advertisements should have an identification key displayed on the ad so they can be prosecuted for false or misleading advertising to the consumer. In short, build an iron curtain for Internet scammers of everything; this will automatically lead to a code of business practice on the Internet.
Development of standard security and assurance tests -- like an underwriting lab.
In addition to the current security strategies in place, I believe that taking a more pro-active approach in security versus a reactive can greatly improve issues that we currently have.
Good write up that raises some very good points. Corman hit it on the head when he said that it goes back to cost benefit. The consumer hasn’t assessed the risk. I think a majority of consumers have fallen victim to the argument from authority, and have developed a perception that manufacturers have assessed the risks, which is near impossible for a manufacturer due to the sheer number of devices and the number of permutations and configurations in which those devices can conceivably interact.
Educating people about the risks is a critical strategy, but then the advocates will have to face the pressure from the manufacturers unwilling to raise the security standard at their expense. In my opinion, enforcement from the government and setting international standards is just as important. Enforcement should combine severe enough measures to do the job, though.

Related example. In Canada, it was with the introduction of digital accessibility laws and fines like $100K DAILY that organizations started to make the necessary changes. And still, quite often it's just a minimalistic attempt to "meet by letter, not the spirit".

1's and 0's. It's a shame there isn't a way to fundamentally alter the basis of computing such that any entity wouldn't be able to engage with it unless they were familiar with the underlying mathematical structure.

After all, interconnectivity doesn't need to happen across the board. Some applications need to remain local.
It is tough to plug a security leak when the cracks keep spider webbing out. New devices = new cracks... It's always playing catch up and not too many have the luxury or the time to stay on top of things.
I'm still wondering why it can't be an "internet of intranets"? A single device with powerful security measures that would manage access from the outside to the home / org network seems to me more viable solution than trying to implement (weak) security measures for each device individually.