Following are some of my thoughts around the impact of the Internet of Things on security and how it has changed the nature of what we consider to be an “endpoint”.
Will the Internet of Things enable your kettle to steal your car?
Barry Mattacott, marketing director at security specialist Wick Hill Group, looks at the security risks of linking more and more smart devices to our networks. Are we just creating ever more vulnerable endpoints in today’s world of the Internet of Things?
Back in the good old days, we nailed the front door up tight with a firewall and we knew that, with good security on our gateway, our network was safe from the nasties of the outside world. But those pesky kids in their bedrooms (not to mention state-sponsored cybercriminals) worked out that they could circumnavigate our state-of-the-art firewall by looking for a way in at the opposite end of our network – the endpoint.
So now we all agree that securing the endpoint is essential, but just where is it and what does it look like?
Some of us remember those halcyon days when the endpoint was a user’s PC workstation and fairly much the only way to introduce some nasty into it was via an infected floppy disc – look it up on Wiki if you don’t know what one is! Way back in 1982, a 15-year-old student called Rich Skrenta created, as a prank, the first self-replicating computer virus, called Elk Cloner. It propagated by infecting floppy discs on Apple machines – oh I’m sorry, did someone tell you that Apples don’t get malware? It was a bit of fun, mostly benign, forcing infected machines to perform tricks like printing out poetry on every fifth boot-up.
Oh, those were the days. Since then it’s frankly gone crazy! You can’t go anywhere or do anything without risking an infection. A recent survey found that almost two thirds of USB sticks that were lost/found on public transport were infected with malware. I guess this raises several issues. Definitely, don’t plug any old USB stick you find into your computer – that’s how Stuxnet got its start in life after all. The survey also raises the question of why so many of these USB sticks are infected. Could it be that people are deliberately infecting USBs and “losing” them?
Infected USBs can today be considered a fairly traditional attack vector, along with code attached to downloaded files and drive-bys leaping out of infected websites to get you. The security industry has made a pile of cash developing products to protect us and it’s all fairly much in hand.
But now we have a game changer because endpoints aren’t the same as they were. Firstly, we had the revolution that was the mobile endpoint. Mobile phones and tablets are now huge players on our networks. They have effectively put network endpoints in our pockets and allowed us to take them down the pub and lose them. The technology to protect them has been available for some time, but the adoption has been woefully slow. You would have thought US Federal Agencies would be right on top of it, but a 2015 survey found 61 percent of agencies do not apply their network security policies to mobile devices!
So what does the future hold for the endpoint? Without doubt, the Internet of Things (IoT) means they are going to be everywhere! Network-attached security systems that give you video pictures of your front door and allow callers to leave recorded messages are essentially connecting your doorbell to your main processor (home PC). Your Hive-controlled heating system is connecting you to the Internet.
Despite these being serious systems, many have arrived on our networks and in our homes with gaping holes in their security. British Gas took a thrashing in the national press when their control system was found to be a burglar’s dream, easily allowing access to the heating schedule, which could tell them if the owner was at home, or even if they were away for an extended period of time.
Even cars have become endpoints. Until recently they were fairly much self-contained. Yes, they communicated with the Internet and manufacturers’ control networks, and as such they were hackable. We saw hackers demonstrate that they could take control of a Jeep and run it off the road. This triggered a recall of 1.4 million cars by Chrysler in order to patch the operating system. But they were somebody else’s problem in that they didn’t communicate with your network, so were not one of your endpoints.
But car manufacturers, including Ford, are developing on-board systems to allow you to carry out vital activities like turning on your smart kettle whilst on the road. This requires them to connect via the Internet to your own network.
On the one hand, that kettle might be ever so smart in that it carries significantly more processing power than the 64 Kb memory operating at 0.043 MHz in the Apollo guidance system that put man on the moon. On the other hand, it’s not smart enough to be fully secured against man-in-the-middle attacks that will allow a hacker to penetrate your network.
And once they are in, will they be able to access your car sitting in the driveway and steal it? It doesn’t really matter how secure Ford makes your car, if your kettle is going to leave the door open.
Why? Why is it that the Internet of Things is so woefully behind the curve regarding security? To start with, your average kettle manufacturer doesn’t have a great pedigree in network security. They might make an awesomely efficient kettle, but in the current climate they will find it difficult to find and employ a suitable security expert. They are also in a rush. They have just come up with the world-saving idea of adding internet connectivity to your kettle, so obviously they are in a huge rush to get it to market before everyone else thinks of it and beats them to it. And of course, functionality will always beat security. No one wants to go through multi-factor authentication every time they want a cup of tea.
So what can you do about it? Purchase (and attach to your network) with care. When it comes to the Internet of Things, you are putting your trust in the hands of others. There is little that you personally can do to ensure that your TV, kettle, car, fridge, etc., etc. is secure. One piece of advice is to look out for names that you feel you can trust with security.
Manufacturers are starting to come up with solutions for these gaping security holes. Gemalto, for example, is emerging as a front runner in the field of IoT security. They have hardware modules, platforms and service solutions that allow you to connect and protect any machine-to-machine or electronic consumer device. They are currently working with all sorts of OEMs, mobile network operators and industrial manufacturers in various markets. http://www.gemalto.com/iot
Barracuda Networks felt the need to release a brand new range of products designed to protect the Internet of Things and machine-to-machine connectivity. The S Series currently includes Barracuda NextGen Firewall Secure Connector 1 (SC1) and the Barracuda NextGen Secure Access Concentrator (SAC). These two appliances will make it a lot easier and infinitely more secure for enterprises to benefit from and roll out large-scale deployments of devices like Automated Teller Machines (ATMs), point-of-sale kiosks, wind power stations and networked industrial machines in remote locations. https://www.barracuda.com/products/nextgenfirewall-s
Another well-known name in security, Kaspersky Lab, is making a move in the automotive space and is currently in talks with most of the world’s car manufacturers, particularly around the area of securing self-driving cars. They are looking to secure not only the industrial controls of the production process but also the connected car.
Kaspersky Lab is coming at this from a great place as they are already involved in protecting Ferrari. Aside from the usual endpoint protection they also integrate with existing complex infrastructure, including industrial technologies and mobile devices. In future, if your car is protected by Kaspersky, then you can probably be pretty sure your kettle can’t steal it! http://www.techworld.com/news/startups/kaspersky-looks-secure-self-driving-cars-factories-theyre-made-in-3615206/
You can also do some research on good old Google. Thinking about stuffing an EZCast Streamer in your TV’s USB port? A quick check online will find a recent report from Check Point which revealed that the Wi-Fi network the EZCast sets up can easily be breached, allowing the attacker access to your main network, where they can wreak havoc or steal confidential data. So don’t be in a rush to buy. And check it out before you do. http://blog.checkpoint.com/wp-content/uploads/2015/12/EZCast_Report_Check_Point.pdf
One important thing to check is whether the firmware on the product you are buying can be updated. Users of SimpliSafe wireless home alarm systems recently found out that the system is stupidly easy to hack with basic sniffing equipment, allowing its PIN to be grabbed from 30 metres away. But to really rub salt into the wounds, the hardware apparently cannot be patched or updated to overcome the vulnerability, which leaves owners with no choice but to junk their system. http://thehackernews.com/2016/02/hack-home-security-alarm.html
So what’s the best tactic if you don’t want to fall victim to security weaknesses in your clever consumer devices, intelligent cars and machine-to-machine equipment which make up the Internet of Things? The best advice would be to try and resist the frivolous items like kettles and doorbells and stick to things made by reputable manufacturers, preferably ones that have some sort of pedigree in networking.