“Their sights are now shifting to target the IoT, as seen in recent events with hackers taking control of smart cars, injecting bots into IoT devices to hack ATM machines, and the most recent Distributed Denial of Service (DDoS) attacks on major US servers.”
3 Threats, 4 Challenges, and Unlimited Opportunities
As the Internet of Things continues to bridge the gap between the digital and physical worlds, it brings with it the threat of a new set of remote attacks with potentially far-reaching ramifications. Contrary to our experience with computers and mobile phones, in which attacks were focused on digital assets and devices and the risk was about stealing data, the IoT includes the additional risk of high-impact attacks on our physical world.
The advent of smartphones saw cyber criminals move in increasing numbers from hacking laptops and PCs to attacking the mobile world. Their sights are now shifting to target the IoT, as seen in recent events with hackers taking control of smart cars, injecting bots into IoT devices to hack ATM machines, and the most recent Distributed Denial of Service (DDoS) attacks on major US servers. Such attacks are only expected to increase as the IoT world continues to grow rapidly, with a diverse and complicated ecosystem that provides ever-increasing opportunities to the hacker community.
The Nature of the Threat
The security challenges in the era of IoT are larger than ever as attacks can now be performed on a far greater scale and across multiple vectors, not just against digital assets. While it is impossible to identify every potential form of attack, there are 3 key areas to be addressed:
Key Area #1
Attacks on the Physical World
• Remote attacks on the physical world include the hacking of smart cars, with criminals taking control of the wheel or cutting the breaks of a vehicle in-motion.
• Medical and automated drug-dispensing devices could be targeted for the purposes of terrorism or industrial sabotage.
• The wide-scale forging of smart meter readings could defraud utility companies out of millions.
• Smart locks and security systems can be hacked to gain illegal entry, or even to lock people in their own homes in exchange for ransoms, while security cameras and child monitors can ascertain when buildings are empty, or take compromising footage for blackmail purposes.
• Individual devices may be sabotaged through remotely draining batteries or configuration to the wrong parameters.
Key Area #2
Attacks on the IoT Service
Theft of service is a principal risk as, in the case of smart metering, attacking the service itself has economic value, resulting in the permanent denial of service through killing a meter and forcing the utility company to send replacements.
Illegally obtaining vendor intellectual property also poses a major threat, such as smart car algorithms being reverse-engineered to reproduce their own vehicles at a fraction of the price.
‘With sensors collecting vast amounts of data and transmitting it to a server, business espionage, including data harvesting and the elimination of privacy, is a particularly significant threat with potential for dishonest organizations to gain unprecedented insight into their competitors’ customers, services and situations.
Key Area #3
Attacks on the Network Utilizing IoT Endpoints
Network attacks may involve sending bots to attack a server, as seen with the recent DDoS attacks in the US, where multiple devices accessed the same service to bring it down.
Another threat is utility overload, such as simultaneously switching on and off millions of devices to crash the grid.
Further economic damage may be achieved through remotely bricking hundreds of thousands (or even millions) of devices, resulting in tremendous costs to the operating company.
In the cellular and computer world, device security is often reliant on the user realizing their cellphone is stalling, and immediately calling to stop the service. However, when it comes to the IoT, a forged meter or altered device may go for extended periods with no one to call in the threat.
When it comes to implementing an IoT security solution, there are a number of technological, business, ecosystem, and regulatory, challenges to be addressed:
A Diverse Ecosystem
This stems from the numerous vertical markets of the IoT, including automotive, healthcare, utilities, smart cities and homes, and wearables. With such a diverse and decentralized ecosystem, there cannot be a “one size fits all” solution, as each implementation requires different end-to-end architectures for both operational and security purposes. Although the IoT demands a high level of security, applications can be owned and designed by practically anyone.
However, most of these new developers are not security experts, and they have little to no understanding of the need for security. While IoT security needs an interoperable end-to-end solution that can work coherently, the challenge is how to ensure security in such a diverse world where devices are so easily made, bought, and installed.
While security in the IoT is as critical as power and cost, it is much less tangible, and therefore harder to explain to customers. In addition, it’s tricky to define the mechanisms and to differentiate on security for vendors. However, it is clear that security can be differentiated, and also drives sales, as attacks increase and companies seek to protect their reputations. The challenge here is to make security more tangible, as customers may be willing to pay for it only once they understand exactly what they are getting and why they need it.
A further challenge arises from the fact that IoT devices are expected to be cheap, with ultra-low power and extended battery lives. However, these requirements are contradictory to current methods of security and encryption which require high power and performance — as does communicating large amounts of data. Therefore, attempts to utilize the known legacy methods of security for the IoT is going to be a challenge.
Absence of Trust
The connected world involves a number of different business entities co-located on the same IoT device, without inherent trust relationships. The service provider, communications provider (whether a cellular MNO or alternative), and IoT managing entity, need to find a resolution for sharing devices without trust relationships. However, this is not necessarily scalable, with so many business entities vying to provide these services across the globe.
Despite the numerous companies currently competing to provide security solutions, the customers (in this case, IoT service providers) seldom possess the tools or understanding necessary to select a comprehensive solution. Adding the high cost of creating a real working end-to-end solution, including costs for development, deployment, service, and maintenance, there is still no clear business model with regards to cost obligations and liabilities.
Solutions and Opportunities
The IoT should not be regarded as the evolution of computing and communication, but rather as a revolution, and one that requires a paradigm change with new technologies and business models.
Security as a Foundation
Devices and end systems need to be designed specifically with security in mind. Devices are currently designed for power and performance, with security relegated to an afterthought or later addition. However, in the case of the IoT, security cannot simply be tacked onto an existing device; it needs to form part of the foundation, the same way that power and performance do.
While the ecosystem is in its infancy and so diverse, and with devices expected to be deployed for extended periods (up to 10 years, rather than 1 or 2), attacks will increase. Therefore, energy and investment need to focus also on remote detection and recovery.
IoT Is not IT
New methodologies for security need to be developed in the industry, as the standards that most security solutions are built around in the IT-centric world and are not relevant in IoT. As IT-centric solutions require a lot of performance and power, a revolutionary approach is required to find a solution that can work with low power and performance, and still be secure enough in the new world of risks. This necessitates a revolution of regulatory compliance and certification of security as, in at least some verticals, the regulator needs to enforce some mechanisms on the different players to ensure a base level of security while maintaining cost efficiency.
Cooperation Is Key
In the absence of a “one size fits all” solution, competing companies have to start working together to create an end-to-end security solution that is technologically superior, requires minimal security expertise from the customer, and is interoperable with the ecosystem. These companies have to cooperate to provide a product that works out-of-the-box, and provides a complete solution which addresses all the customer’s security needs throughout the entire service life cycle: from initial deployment, to maintenance, and the changing of a provider. There should be a full solution that comes from a single point of contact, even if there are a number of companies involved.
Ultimately, those vendors willing to design devices and invest in solutions to address future threats and attacks will find themselves in a stronger market position. This requires no shortage of courage from management, who will have to devote considerable resources toward often hard-to-explain functionality for a potential future ROI. Regardless, all companies involved require the vision to invest in the future of IoT Security, rather than focusing on just immediate returns.