For years hospitals have been using IP-enabled carts to track the location of expensive medical equipment. For years manufacturing facilities have deployed large numbers of IP-enabled handheld scanners. And for years utility companies have been converting water meters and electric meters to IP-based platforms. Most of these devices are part of some corporate network, but today the Internet of Things typically refers to the myriad of IP-enabled personal devices scattered throughout our homes and strapped to our bodies.
These devices are typically inexpensive, disposable, and seemingly innocent. But remember that the home typically isn’t a corporate network with professional security safeguards. Even the best network administrators and information security officers struggle with locking down their corporate networks, so how can the average non-technical person protect themselves, their personal information, and even their very safety in this world of ubiquitous and continual connectivity?
Security is the emerging concern for the Internet of Things, and we as technology professionals need to build an awareness of these issues with our non-technical friends.
The most common issues include:
1) transmission of unencrypted data over the public internet
2) access to device management interfaces that have minimal security mechanisms
3) nothing in place to update and patch software and firmware
Whether it’s a thermostat you control from an app, a baby video-monitor you can stream on your computer, a pacemaker you can monitor from a website, or a residential front door you can unlock with your smartphone, the latest and most popular IoT devices impact us in very personal ways. These devices have very few, if any, security controls, and they typically use easy-to-use interfaces that aren’t necessarily secure.
Sure, the details vary device by device and manufacturer by manufacturer, but these seem to be the most common themes. I don’t think anyone is overtly against securing their home networks and individual devices, but there isn’t much awareness among the non-technical population of how vulnerable these types of devices truly are.
First, we in the technology industry know right away that opening port 80 inbound to your baby monitor stream is bad news, but that’s how many of these devices have been designed. Manufacturers of IoT devices haven’t put in the time and effort to make their IP-enabled products secure out of the box. IoT devices often receive and send data over the public internet using unencrypted and therefore completely insecure channels.
In a corporate network, data can be easily segregated and encrypted so that devices using HTTP and not HTTPS, for example, are surrounded with security boundaries to protect the rest of the network, and teleworkers typically use an encrypted remote access VPN solution. In home networks, there is normally no overall network security strategy to accommodate unencrypted traffic containing personal information going to the public internet. For the home network, an easy solution might be to use a trusted VPN proxy service.
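One concrete way to check a home network for the "port 80 inbound to the baby monitor" problem is to audit the router's port-forwarding rules. The script below is an added example, not code from the original article or from any router vendor: it assumes the router can export its NAT table in `iptables-save` format (common on Linux-based home routers), parses the DNAT rules, and flags any forward whose internal service is a well-known plaintext protocol. The sample rule set and the table of plaintext ports are constructed for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a fragment of `iptables-save` NAT output from a hypothetical
# home router with three inbound port forwards. Not taken from any real device.
SAMPLE_NAT_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.50:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8554 -j DNAT --to-destination 192.168.1.51:554
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.168.1.52:443
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# Illustrative table (assumption, not exhaustive): internal service ports that carry
# credentials or video in the clear and should never be reachable from the internet.
PLAINTEXT_SERVICES = {
    21: "ftp",
    23: "telnet",
    80: "http",
    554: "rtsp",
    1883: "mqtt",
    8080: "http-alt",
}


@dataclass
class Forward:
    proto: str
    external_port: int
    internal_host: str
    internal_port: int


@dataclass
class Finding:
    severity: str  # "high" for plaintext exposure, "info" for any other exposure
    forward: Forward
    note: str


def parse_port_forwards(nat_dump: str) -> List[Forward]:
    """Extract inbound DNAT (port-forward) rules from iptables-save style output."""
    forwards: List[Forward] = []
    for line in nat_dump.splitlines():
        if "-A PREROUTING" not in line or "-j DNAT" not in line:
            continue
        proto = re.search(r"-p (tcp|udp)\b", line)
        dport = re.search(r"--dport (\d+)\b", line)
        dest = re.search(r"--to-destination (\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?", line)
        if not (proto and dport and dest):
            continue  # not a simple single-port forward; skip rather than guess
        external_port = int(dport.group(1))
        # A DNAT target without an explicit port keeps the original destination port.
        internal_port = int(dest.group(2)) if dest.group(2) else external_port
        forwards.append(Forward(proto.group(1), external_port, dest.group(1), internal_port))
    return forwards


def audit_forwards(forwards: List[Forward]) -> List[Finding]:
    """Flag every internet-reachable device; rate plaintext services as high severity."""
    findings: List[Finding] = []
    for fw in forwards:
        service = PLAINTEXT_SERVICES.get(fw.internal_port)
        if service:
            findings.append(Finding(
                "high", fw,
                f"{fw.internal_host}:{fw.internal_port} ({service}) is exposed on external "
                f"port {fw.external_port} with no encryption; remove the forward or put the "
                f"device behind a VPN",
            ))
        else:
            findings.append(Finding(
                "info", fw,
                f"{fw.internal_host}:{fw.internal_port} is exposed on external port "
                f"{fw.external_port}; confirm it uses TLS and requires authentication",
            ))
    return findings


if __name__ == "__main__":
    for finding in audit_forwards(parse_port_forwards(SAMPLE_NAT_RULES)):
        print(f"[{finding.severity.upper()}] {finding.note}")
```

On a real router you would feed it the output of `iptables-save -t nat` instead of the constructed sample; the parser deliberately skips rules it cannot interpret as a single-port forward rather than guessing, so anything it does not report still deserves a manual look.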
Next, many of these devices have minimal authentication mechanisms to control access to a device. Perhaps this is an effort to remove burdensome security controls from the end-user experience, or maybe it’s in order to reduce the cost of the product. In any case, access to common IoT devices is often controlled by a simple password, and sometimes, in worst-case scenarios, there is no authentication at all.
This vulnerability should be top of mind for many of us following technology news considering the recent denial of service attack on DynDNS using millions (perhaps tens of millions) of infected IoT devices from around the world.
It’s true that using longer passwords, changing them frequently, and using two-factor authentication are all added layers of work for an end-user of an IoT device, but this is likely the easiest way to add security to otherwise insecure devices.
Lastly, manufacturers should be providing the means to upgrade software and firmware from time to time in order to combat new security vulnerabilities. Ultimately, I believe this is something consumers have to demand, so we need to influence manufacturers to provide patches with their products along with step-by-step instructions for how to apply them. This is part of any decent corporate security program, and it should now be part of our personal security programs as well.
A huge diversity of IP-enabled devices on a corporate network isn’t anything new, but their proliferation in the home and strapped to our bodies is. As technology professionals, we need to build an awareness of these security issues with our non-technical friends. Some solutions are easy and relatively painless to implement, but I also believe that over time, this growing awareness will influence manufacturers to change their designs.