Friday, September 4, 2015

Security of the Internet of Things (IoT) Part II

This is the second in a planned series of three posts on the subject of the "Internet of things" (IoT).  This one will treat the security of the "thing" itself.  It is about how to ensure that the appliance can be used safely, how to protect it from outside interference, and how to use it to protect its data.

The problem of securing appliances is much more tractable than that of securing more open and general purpose systems like operating systems and browsers.  It should not be difficult to develop purpose-built appliances that do only what they are intended to do.  This idea is supported by the experience that we have with mobile computer (specifically iOS) "apps;" Most are orderly and well-behaved.  While there are millions that are connected to the Internet, only a handful have been turned against it.  While the attack surface of an iPhone might be quite large, that of an individual app is very small.  The value of a successful attack against an app is usually limited to that app.

While there have been reports of misuse of apps, they have been far more limited than our experience with PCs might have led us to expect.  While the number of mobile computers will soon exceed the number of more general purpose computers, the security problems have been much more limited. We have seen nothing approaching the kind of security problems that we have seen with Windows or Linux based personal computers.

The implication is that we can build safe things.  The fear is that we will not do so.  The fear is based in part upon the recent history with other kinds of computer systems.  It is amplified by reports of so-called "security researchers" who have found and reported on things that were not secure.  While we may have done okay with iOS, our experience with browsers has been frightening.  Even computers that are otherwise secure can be compromised by duping or baiting a user into simply pushing a button.

Let's look at the iOS experience to see what we might learn about how to build secure things.  First, things should run in a closed environment, either dedicated hardware, like a router, or in an environment isolated from other things like that provided by iOS.  Second, it should have a limited and easily understood application or use.

The app makes the device into an application only machine.  Unlike a personal computer, it does not present the function to make persistent changes to its own programming.  While it is a programmed device, it is not a programmable device.  The underlying computing functionality is hidden from the user.  The user should not be able to see or control the file system, write or execute an arbitrary program, or even make persistent changes to data by any means other than by operating the thing.

The program for the thing should be  written in an appropriate language and using an appropriate systems development kit (SDK).  One does not have to know the features of the iOS SDK to know that it makes it easier to do things right than otherwise.  If that were not so, we would not have well over a million apps with so few problems.

The thing should hide its computer from the network.  As with the user interface, the thing should hide its file and operating systems from the network interface.  Said another way, it should not answer on any standard "ports," but only those specific to the use or operation of the thing.

The thing's software should not present a multi-user interface.  As with the app, possession of the thing should be both necessary and sufficient for its use.  While many iOS apps do require "login" it is not for use of the app itself but to authenticate the user to a multi-user network application.

While the personal computer expects and supports late changes to its own programming, the app does not.  Late changes are made by replacing the app with a new version of itself rather than patching the existing one.  This is facilitated in part by the fact that the app is small and self-contained.  It is required because the limited function of the app does not contain the capability of making late and persistent changes to itself.

We should not conclude that building secure or "securable" things is easy but it is fair to conclude that it is possible and definitely easier than general purpose computers. However, while most "things" will work pretty much as intended, given the number of things and the number of sources, there will be broken things sold. Some of these will be in sensitive applications like healthcare, transportation, and banking.  These failures will not be seen as exceptions but as typical of the Internet of Things and maycause more fear, uncertainty, and doubt than diligence and care.