There’s general agreement in the IT industry that Internet of Things security is terrible, where it exists at all. There are many reasons for this, but as Andrew Tannenbaum discussed in the Harvard Business Review, the biggest reason is likely what some are calling the IoT gold rush.
Smart devices that are connected to the internet, such as security cameras, DVRs, stereo speakers and even light bulbs have become a big business. These devices perform a number of useful tasks and they’re cheap to produce.
However, designing security measure into these devices, testing their effectiveness and updating devices’ software reduces potential profit, so many manufacturers just don’t bother with security.
Furthermore most consumers rarely ask about security measures when they shop for IoT devices. So the lack of security measure doesn’t hurt sales, further reducing the incentive to develop make secure IoT devices.
This is why the introduction of the Orbit IoT Security Service from Cloudflare is an important development. Orbit protects IoT devices using the same security approach that you might use to protect web servers. In effect, Orbit creates a Web Application Firewall to protect the IoT device, or in some cases an IoT network. Orbit protects devices against cyberattacks, and if a device is compromised, then it protects the network from that rogue device.
Because Cloudflare uses its own security network to defend devices, it reduces the risk that attacks will succeed in taking control of devices. Orbit also helps solve the problem of updating IoT device security. That’s because instead of updating individual devices (if that ever happen) Orbit updates the network instead.
Unfortunately, services such as Cloudflare Orbit won’t serve as a security panacea for the millions of IoT devices in use by businesses and consumers. This is because of the sheer number of smart devices in the hands of consumers who know nothing about security. Then there are IoT devices in the hands of companies that aren’t controlled or managed as part of the corporate IT infrastructure.
Good examples of this include the millions of video cameras infected by malware and then used in the largest DDoS attack of all time. Those cameras were in millions of private homes, small businesses and larger organizations. There is simply no way to secure all of them in the absence of good design and reliable updates. But because there are so many of them, they can take down nearly anything on the internet through focused Distributed Denial of Service attacks.
A related problem are connected devices that are outside of the control of the IT department such as a hotel in Austria that had its electronic key system taken over by hackers, who wouldn’t let anyone enter a room until the hotel paid a ransom.
According to Tannenbaum, this particular hotel reverted to physical keys, eliminating that problem, but this likely complicating the hotel’s room management system.
The problem goes far beyond hotel keys and consumer video cameras. Connected production and inventory equipment has been the norm in the enterprise for decades. Many of these devices perform simple functions, reporting stock withdrawals or receiving manufacturing instructions. But they’re all part of the IoT, even though they may have been in operation before they were connected to global internet, and certainly before rise of international cybercrime.
Many of these devices have little or no built-in protection, cannot be updated remotely, if at all, and in many cases they don’t even appear to be connected to the internet. But that doesn’t mean they’re safe from a malware attack.
An example that clearly points this out is the IoT attack perpetrated by the Stuxnet malware. This attack bridged the airgap between the internet and uranium centrifuges being used in the Iranian nuclear program. In this case the malware was spread by infected USB memory sticks. But it demonstrates the danger of assuming that a connected device can be protected by the lack of a network connection.
The fact is that any smart device can be compromised and it doesn’t have to be very smart. Those machine controllers running the Iranian centrifuges and those hotel door locks are actually pretty dimwitted in terms of their capability, but they could be taken over because the key code system was connected to the internet, which made them vulnerable enough.
Likewise, it’s easy to suggest that it’s up to the manufacturers to keep their devices updated with new security features, but that’s not always possible, especially with older devices where remote updates were never contemplated.
This is why services like Orbit can help a bad situation. While they’re not perfect, they do a lot to overcome the limitations of IoT devices as they’re usually sold and they have the potential to solve the update problem even for devices that can’t be updated.
But there’s also a way for business to take a longer term approach to IoT device security. If you establish an IT policy that all connected devices that are acquired by your organization must meet a specific level of security, then you will be more likely to have a secure network.
Eventually there may even be more IoT devices that are designed to be secure. But in the meantime, you have to work with what you’re got, so maybe it’s time to look at protective measures such as Cloudflare Orbit.