Ho, Ho…Hey, Get Out of My Network!
The holidays are upon us and the internet of things (IoT) market is expected to be a great source of gifts. As such, we are bound to see an influx of ‘smart’ gadgets and appliances coming into our homes. The promised convenience of these smart devices range from the (almost) satirical real-time messaging your refrigerator sends when your milk needs to be replenished, to the security-conscious ability to turn your house lights on when you approach your house, to the advertised energy savings provided by adjusting the temperature of your house based on whether or not you are there. Whatever your reason for owning any number of smart devices, there are plenty of ‘things’ to buy.
There are many markets for IoT devices: consumer, healthcare, industrial, and municipal, and they all share one important trait. They are connected to the internet somehow. For consumer devices, they are connected to the internet through our home networks, often using WiFi or Bluetooth. Some devices use cellular technology to connect to the internet. This provides the convenience of viewing the data collected by these devices from anywhere. Literally. Do you want to see who just rang the doorbell at your home in California while you’re in that board meeting in New York? Connect to your smart doorbell. Are you worried that your dog sitter is just eating your snacks and watching your TV while Fido gives her a longing stare with his favorite toy tucked between his paws? Dial up your web-enabled camera to check it out. Are your in-laws coming over for the holidays but you’re stuck in traffic and can’t let them in? Fire up your smartphone app and open the garage door for them and even turn off your home alarm. Super easy, super convenient and the possibilities are growing daily.
If you’ve been around the IT industry long enough, you know that convenience comes at a price. This price is sometimes paid via a monetary premium for being the ‘cool kid on the block’. Other times, it’s in the security of the systems and ultimately of our lives. The former is a willing endeavor – some people happily part with their money for these conveniences. The latter isn’t always. Most consumers aren’t thinking about security and the risks associated with IoT devices. The IoT/smart device market is still in its infancy. This means consumer demand is outpacing the creation and implementation of industry standards and best practices as companies race to get their devices into the hands of consumers. Often times this leads to some very basic security issues. For example, devices are programmed using standard usernames and passwords (think “admin“/”password“) as login credentials in order to make it easier for consumers to smoothly connect to it from anywhere in the world. While not necessarily an issue in and of itself, the added concern comes when there is no option or enforcement mechanism to change default passwords. This leaves the virtual (and maybe the actual) door wide open for nefarious actors to access your new smart device. Or worse, the network they are connected to. Great, you can see when I need more milk, what’s the harm in that? Maybe you wouldn’t mind picking some up on your way home. Then, because you’re in my network, you can just let yourself in through the garage door and turn the alarm off too. Be a pal and reset the alarm and close the garage door on your way out, please.
No unintended access is good, no matter how benign it may seem. While slightly tongue-in-cheek, the above example takes a leap from accessing a smart-fridge to illegal entry into my home. But is it that far-fetched? I don’t think so. And neither do cybersecurity companies. Take GRIMM, for example. They have developed “Howdy Neighbor”, a capture-the-flag type challenge designed to highlight the vulnerabilities of a connected house.
“Howdy Neighbor” travels to cybersecurity conventions (along with a snarky tweeting connected toaster) around the world showcasing how the bad guys can take over your home and educating conference-goers. GRIMM shows that these entry points described above allow criminals access to every other system connected to the same network. By taking advantage of known vulnerabilities that are readily available on the internet, criminals can create situations favorable to them.
Is it even worth strengthening the security around IoT devices? Absolutely. Earlier this year, Forbes predicted that the IoT market is expected to reach $267B by 2020(1) indicating a sizeable market with a combined annual growth rate (CAGR) of over 20%. Consumers recognize the convenience and value associated with these devices, so they are going to help make that growth a reality. And as consumers grow more security savvy, they will flock to more secure devices.
How do we strengthen these devices to make them more secure and to better protect consumers? There are steps both consumers and producers can take to increase security and ultimately build and maintain users’ trust. Consumers can take a vested interest in their personal digital security. Companies can make better security decisions when designing and developing IoT products. Both sides need to “buy-in” to the fact that the security of these systems and the networks they connect to should be, are, and remain secure.
Consumers need to become more educated about IoT devices, the devices’ potential security risks, and how those risks affect their lives. While it is impractical for consumers to hire cybersecurity firms to ensure their smart devices are properly connected to their home networks and protected from known vulnerabilities, consumers should at least understand basic cybersecurity principles to include password requirements and best practices. The key for consumers is to understand and balance risks with any benefits, perceived or actual. This way, they can make informed decisions on which devices to buy and implement. Education is one thing, but putting that education to use is another. Cue IoT device makers to make it easier for users to install and use these devices more securely.
How you ask? There are a few easy wins here. Most importantly, more emphasis needs to be placed on incorporating security into products earlier and more easily. By including security considerations into the development lifecycle early in the process (preferably from day one), the ability to protect the device and the user is ‘baked in’ and carries equal weight in the design process. This means the other design elements (e.g., form factor, communications standards, accessibility, etc.) all take security into account. Too often, security is an afterthought and applied as a patchwork solution post-design, or worse, post-production. With security involved early, testing includes security items, such as finding known vulnerabilities and allows companies to fix them as part of the overall development process instead of waiting until the end where it gets more time consuming and expensive.
Aside from including security early in the design process, companies should stop using default passwords the entire world knows (e.g., “admin” and ”password”) and stop providing only root access. By doing so, companies are presumably trying to make it easier to manage the device, and/or are trying to get the device to market quickly. Without proper protections in place, the devices are vulnerable. If that device and account are compromised, there are no other layers of security protection in place to protect consumers. It is easier for the bad guys to potentially gain access to that device, compromise it, and then have access to the rest of your network. Companies should take the opportunity to build trust with consumers through their products, take the time to build more secure products, test them properly, and allow users to easily change passwords. They should educate users on how to properly set up devices and make it easier for them to do so. While it is impractical for consumers to hire security companies to protect their devices and networks, that is not the case for producers. Every decision in a business comes down to return on investment, and while taking the time to bake in security increases the cost of the product, consumers will pay the additional premium to know their devices are secure. That trust goes a long way.
We’ve only lightly discussed household IoT/smart devices. Think about healthcare devices (including smartwatches) or IoT (both commercial and industrial) devices connected to a business network. That sounds like a topic for another post.
1 Columbus, L. (2017, January 30). Internet Of Things Market To Reach $267B By 2020. Retrieved from https://www.forbes.com/sites/louiscolumbus/2017/01/29/internet-of-things-market-to-reach-267b-by-2020/#5c81b164609b