The first week in May was a big one for the Internet of things in Massachusetts.
Actually, it was officially “Internet of Things Week” in the state, as proclaimed by Gov. Deval Patrick and wrapped around a number of events in Boston and Cambridge meant to celebrate the coming boom of highly connected devices and systems that promise to transform the way we live and conduct business.
The events included a developer competition—the IoT Olympiad—and the 5th Annual Auto-ID & Sensing Solutions Expo, as well as the NFC Bootcamp for learning all things near-field communication.
However, among all the hoopla, security experts gathered in a hotel conference room in Cambridge May 7 to talk about the security and privacy challenges the IoT presents. The mood at the Security of Things Forum was decidedly darker than elsewhere around Boston that week. While noting the promised benefits of the IoT, the talk was more about technological hurdles to securing the devices and data, the reluctance of some businesses to spend money on security and the complacency of many people about protecting their personal information.
The sheer numbers are daunting, some of the experts said. At a time when the world is struggling with protecting the systems—and the data they hold—that already are connected, how will people be able to secure the tens of billions of connected devices expected by the end of the decade?
“The IoT … should raise the hackles on every neck, given our current” security situation, said Dan Geer, chief information security officer for venture capital firm In-Q-Tel.
The numbers are staggering. Gartner analysts expect that by 2020, there will be 26 billion connected devices; Cisco Systems officials say that number will be more like 50 billion. These will include everything from smartphones and tablets to home appliances, industrial systems, cars, wearable devices, thermostats, light bulbs, surveillance cameras and airplanes, all of them communicating with each other and swapping data.
And it will be big business. IDC analysts expect IoT revenues to hit $7.1 trillion by the end of the decade. Cisco CEO John Chambers earlier this year said the global financial impact of what he calls the Internet of everything will be $19 trillion by 2020. At the 2014 Consumer Electronics Show Jan. 7, Chambers said the Internet of everything “will be bigger than anything that’s ever been done in high tech,” and added that “this is not about technology at all. It’s about how it changes people’s lives forever.”
Those huge numbers are part of what has security experts concerned. When talking about the Internet of things, there are three key security challenges, according to Don Ferguson, senior fellow, vice president and CTO of Dell’s Software Group: the number of connected devices, their diversity and their connectedness.
“The Internet of things scares me,” Ferguson said during a recent roundtable discussion in Boston hosted by Dell. “My first reaction is to sleep with the lights on. But now a kid in China can turn the lights off.”
Securing Billions of IoT Devices Poses Mind-Boggling Challenges
Hewlett-Packard on July 29 released the results of a study in which engineers scanned 10 popular IoT devices, ranging from thermostats and TVs to webcams and home alarms, and found that, on average, there were 25 vulnerabilities per device. The vulnerabilities included insufficient authorization—most allowed passwords like “1234”—insecure Web interfaces, a lack of transport encryption and inadequate software protection, according to the tech vendor.
The growing demand is driving device makers to bring systems to the market quickly, often at the expense of proper security. In addition, Daniel Miessler, practice principal for Fortify on Demand at HP Fortify, told eWEEK that a key issue is that the IoT is bringing together a range of components in new ways that combine vulnerabilities and include network traffic and cloud connectivity.
“Each one of those touch points has vulnerabilities that you can write books about, but IoT is special in that it combines all those vulnerabilities together into one ecosystem,” Miessler said. “You’re taking all the vulnerabilities from already insecure spaces and rolling them into one.”
The concerns of security experts are many. The IoT and its tens of billions of connected devices will open up the attack surface for cyber-criminals who are becoming increasingly sophisticated. At the same time, the kinds of devices and systems that will make up the IoT will vary greatly, ranging from toys to industrial systems to airplanes. Do they need the same levels of security? Should they have the same levels of security? There is also the large number of manufacturers building devices for the IoT who may not share the same ideas about the need for security.
In addition, there are issues of the backseat role security tends to play in the development of hardware and software in the rush to stake a position in such burgeoning trends as the IoT, and the lack of attention it gets from end users until something goes horribly wrong. In a situation like the Internet of things, security should be a proactive concern, rather than a reactive one.
However, the reality may be otherwise.
“If past performance is any indication of future results, it’s going to take a catastrophe,” Dell’s Ferguson told eWEEK. “But it should be proactive.”
“It’s a challenge,” Wolfgang Kandek, CTO at security specialist Qualys, told eWEEK. “The Internet of things is coming, or is here already. Security—just like Internet security—is really just an afterthought. … Security is really not included in the design [of many products]. The challenge is the same [as] when we really got going with the Internet.”
Part of that is because when software or hardware is in development, product managers have a difficult choice to make: Do they put more features into the offering, which will make it more attractive to potential customers, or do they reduce the number of features to make room and money for security capabilities, which can make the end product more expensive and complex?
“If they have the resources to do one thing, and they have two choices, they’ll push toward features until they get pushed to security,” Kevin Gilchrist, vice president of product management for security technology vendor Comodo, told eWEEK. “To make it really secure is synonymous with making it less easy to use for device users.”
There’s also the question of what needs to be secured. During the IoT security conference in May, Emil Sturniolo, managing partner with the InStep Group, a product development consulting firm, said vendors and end users “need a paradigm shift in how we think about this. It’s not, ‘What is secure?’ It’s, ‘How secure does it need to be?’”
Gilchrist pointed to Bluetooth as an example of how many view security. When the technology first came out, there was scant security in it. It wasn’t until Bluetooth-enabled devices became popular that improved security was built into it.
For many people, “there’s no point in securing something until you know if it has value,” he said. “Once there is value there … yeah, it is worth securing. It goes a while before it’s secured.”
Geir Ramleth, co-founder and CEO of startup IoT platform maker Octoblu, said businesses and device users need to look at security on a sliding scale and decide where on that scale they’re most comfortable. He also noted that it’s the data inside the device that is most important.
“Securing systems … is the old game,” Ramleth told eWEEK. “It’s securing the information that’s the new game. … If you can decide where you want to be on that sliding scale, the benefits will outweigh the risks.”
The fact that many of these new connected devices will be in homes and cars where there are few, if any, tech experts makes the IoT even more precarious and adds fuel to the argument that devices and data need to be even more secure. Dell’s Ferguson noted that in an environment where everything from the television to the refrigerator to the thermostat is connected, “in the IoT, the system administrator in the home is my mom.”
A key reason security is such a problem in the IoT is that people don’t understand how dangerous networks can be, and how resilient the devices must be to cope in that environment, according to Billy Rios, director of threat intelligence at Qualys.
“Networks are really evil,” Rios told eWEEK. “People just assume it’s a nice place to be, but it’s really a harsh place to be if you’re a device or system. … They don’t expect networks to be really hostile, but they are really hostile.”
Despite the rush to put out IoT devices and products, efforts are under way in the industry to address myriad security issues. For example, Cisco officials in March kicked off the company’s IoT Security Grand Challenge, offering $300,000 in prize money to people who come up with the best security-related solutions and approaches for the IoT by June 17. The competition drew more submissions than expected, forcing Cisco to extend the deadline to July 1.
In addition, at the Black Hat 2014 security conference in Las Vegas starting Aug. 2, a number of workshops and panels will touch on such issues as security around embedded devices, home automation and security—including one session titled “Smart Nest Thermostat: A Smart Spy In Your Home”—and mobile security.
The growing number of vendor-led IoT industry groups aimed at creating standards around device communications also is looking at security. Liat Ben-Zur, senior director of product management at Qualcomm Connected Experiences and chairman of the AllSeen Alliance, told eWEEK in June that the group’s AllJoyn framework will help users reduce the attack surface by giving them control over which intelligent systems they want to connect to the Internet.
The Thread Group, which is developing an open protocol for creating a wireless mesh network for the home that will support more than 250 devices, said the Thread standard will include encryption for traffic traveling over the network layer. However, officials also noted that they expect any systems using Thread will also have their own security capabilities.
AllSeen’s Ben-Zur told eWEEK that it’s important to focus on security now rather than later.
“Fundamentally, the issue of security—and also privacy—[has moved] to the forefront of the conversation” regarding IoT, she said. “That’s one thing that we really haven’t seen being talked about enough.”
Security experts were mixed about how important a role consortiums will play in securing the Internet of things. Some argued that the focus of these groups is more on communication than security.
“If we think the problem can be solved by consortiums, we’re grossly underestimating the problem,” Qualys’ Rios said, noting he has yet to hear about an IoT protocol for security.
Comodo’s Gilchrist said a protocol that would work in the IoT in a similar way that Secure Sockets Layer (SSL) did for the Web would be useful. However, he said that given the wide diversity of devices that will make up the IoT, there won’t be a single paradigm that will cover everything. In addition, multiple consortiums tend to result in multiple standards, but as they did with WiFi, the standards could merge into a single standard.
“If you’re lucky, one [standard] will be clearly superior, and everyone gets behind it,” Gilchrist said.
Dell’s Ferguson said standards will be key moving forward.
“Once something becomes a standard, you can build in management,” he said.
That said, there are security measures and other steps that can be taken now. Ferguson is a proponent of putting sensitive data that is on devices into a secure virtual container, separating it from the rest of the device and making it difficult for a hacker to reach.
“You can’t contain the person, but you can contain the data,” he said.
The security experts also pointed to other steps that can be taken, from simply building more security into software and hardware to using managed services—Ferguson likened it to using a safety deposit box at a bank for valuable documents—using tokens or other means to improve authentication, and having the capability not only to keep hackers out of the systems but also to detect them when they get in. IoT device manufacturers should adopt security aliases and should report security issues, and managing applications needs to be easier.
For example, enabling more software to be automatically updated would take the responsibility out of the hands of users who might not be experts in such things. Qualys’ Rios—who said he loves the IoT despite the security problems—pointed to the case of a couple in Houston who was using an Internet-connected baby monitor. Someone hacked into the monitor and yelled at the couple’s daughter. The company that made the baby monitor had developed firmware to address the vulnerabilities that had opened the device to hackers, but the couple—who had bought it through resellers—never learned of the firmware.
He contrasted that with smartphones, which are automatically updated and increasingly resilient.
“I think the Internet of things will eventually get to that model,” Rios said, noting that the focus of device and software developers is not on security—yet. “If you still see incidents like the baby monitor hack or smart building hacks, they’ll start looking at it more closely.”
Of increasing importance will be these manufacturers getting context—learning what has been done in the past regarding security so that they don’t repeat the errors made a decade ago. Rios said he continues to see embedded devices that contain simple, embedded passwords. It used to take hackers a long time to crack these passwords, he said. Now it takes minutes.
“There’s no need for that,” Rios said. “That’s a lesson learned 20 years ago. There’s no need to do that again. … Hackers do have that context. We can’t let people off the hook. … If we don’t get context very quickly in the IoT world, these devices will get crushed.”
Education also is important, the security experts said. Teaching software programmers while they’re still in school the importance of security in what they develop will help ensure that security is built into products down the road. Ferguson noted that engineers who build bridges need to be certified. Maybe those who make software need certification, as well.
“People are becoming program literate,” he said. “They need to become security literate.”
Despite all the security issues that are coming as the Internet of things grows, most of those interviewed were optimistic about the future. Octoblu’s Ramleth stressed the need for IT professionals to take the steps needed to be as secure as possible but not to fret over it.
Otherwise, “how do I go on with life, because you can’t just shut down,” he said, adding that if a security problem arises, “don’t panic.” The benefits of the IoT will outweigh the risks, Ramleth said.
Rios and Ferguson both pointed to smartphones and tablets as examples of devices that offer high levels of connectivity and security. Ferguson said he wouldn’t go into a Starbucks and plug most IoT devices into the coffee shop’s WiFi network, but he wouldn’t hesitate to do so with a smartphone.
Rios agreed. “We have a long way to go, a really long way to go,” he said. “But if you look at the iPhone and Android devices, they’re good examples. They’re not perfect, but they’re very good. We have a long way to go, but I think we’ll get there.”
Ferguson said the tech industry has solved some big problems in the past. Security around the Internet of things can be solved, as well.
“Don’t underestimate what software developers can do,” he said. “We went to the moon in eight years, so I think if we have the will, we can do it.”