Monday, August 3, 2015

Security of the Internet of Things (Part I)

This is the first of a contemplated three posts on the subject of the Internet of Things (IoT). In this post we identify the space and the potential security issues. In subsequent parts we will make recommendations to address the issues. Comment, feedback, explication, and even argument are invited.

As the cost of information technology falls and the wireless Internet becomes more and more ubiquitous, we are witnessing the emergence of smart appliances, "things," that are connected to the public networks.  An early example was the smart printer; we have been living with these for almost a decade.  Others include baby monitors, front door monitors, lighting controls, and home security devices.

Perhaps an even earlier example was the ATM. While early ATMs used proprietary operating systems, protocols, and network connections, at some point they began to use Windows, Internet protocol, and Ethernet connections because this was the cheapest way to build them. We now have wireless ATMs and wireless point of sale devices. Other examples include the Nest thermostat, the smart TV, the Chromecast, and smart watches.

One particularly interesting example is the Samsung Smart Refrigerator that "will allow you to browse the web, access apps and connect to other Samsung smart devices – opening up a world of interactive communication and entertainment." Note that none of these functions has anything to do with keeping food fresh. They certainly distinguish this refrigerator from others, but it appears that they are included mostly because this is a cheap way to do so.

Perhaps the most ubiquitous thing to date is the mobile computer, popularly called the "smartphone." It is interesting in part because of its ubiquity, in part because of the number of different things that it implements. Each of its hundreds of thousands of applications is a different thing, everything from toys to banking machines. Because of its falling cost and increasing power, we use it for things that we could hardly contemplate as recently as a decade ago.

These are real world examples but the technology is now so cheap that we must expect to see an accelerating flood of smart connected "things."  There will be smart things that are not connected, but connection will be so cheap and add so much value that most will be part of the Internet of things (IoT). While we are going to speak of "things" in the abstract, keep the examples in mind because they have things to teach us about the impact that they will have on our lives and our security.

There are at least three security issues associated with the IoT. The first is that malicious actors will take control of the thing and misuse or abuse its application to do harm to the owner or user of the device. The favorite example is that of an implanted medical device instructed to kill its user. This example is supported by so-called "research" that concludes that many early connected medical devices have implementation-induced vulnerabilities that might be exploited for malicious purposes. More about medical devices in a moment.

The second security issue is that the underlying computer functionality or capacity of the device might be taken over to participate in attacks against other entities in the Internet.  The things might be co-opted into "botnets" and be used in denial of service attacks or brute force attacks against passwords or encryption keys.

The final security issue is that instances of problems, no matter how sparse, will be used to sow fear, uncertainty and doubt about things in general. Take the example of smart printers, that is, most of the printers that have been sold in the last decade. Millions of them have been sold by a half a dozen or so manufacturers for prices ranging from as little as a hundred dollars to thousands. They are used to scan, print, and store our most sensitive data along with the potential to leak it. Collectively they present a huge attack surface. However, the number of reported attacks is exceeded by the number of attack scenarios and "proof of concepts" dreamed up by "researchers" and reported by the media. At least so far, "things" and their applications dwarf the problems associated with their use.

While the conversion of "things" to malicious purposes makes for dramatic Hollywood scenarios, most devices will not be vulnerable to either takeover or malicious use, much less both. However, all those that are vulnerable to takeover can be exploited for their computer function or capacity. This function and capacity can be compromised and turned against the host network for a variety of attacks ranging from simple spoofing through denial of service to brute force attacks against passwords and cryptographic keys. It is this that we will argue is the most serious risk.