September 04, 2017
The Internet of Things, the umbrella term for any connected device, represents one of the largest potential business opportunities for established companies and upstart entrepreneurs alike. In the next 5-10 years, we will see 50 billion new devices connect to the internet. However, we will also see an exponential growth in costs related to cyber-crimes, if devices continue to be as insecure as they are today. So before we put smart devices in every home, let us first rethink the fundamentals of IoT security.
The recent attack on the DNS system leveraging the Mirai Botnet showed that attacks using insecure devices are becoming a serious threat for the services and systems connected to the internet. And Mirai evolves - it’s like an openly available weapon that can be used and adapted to new needs. What makes Mirai and the attack on the DNS system special is, that the owners of infected devices that carry out an attack don’t even notice that their devices are involved in an attack. And this leads to the major problem. Neither manufacturing providers, nor suppliers or owners of those devices have a significant incentive to invest in securing these devices, because their financial benefit remains unharmed and damages are externalised.
Executives and entrepreneurs need to implement measures that safeguard others from potentially harmful actions of their devices - and they have to be rewarded if they do so. This is why the IoT requires a paradigm shift from focussing on device security to preserving the safety of others.
During our previous academic research in cryptography and our current professional work in running WATTx, a company builder focused on the Internet of Things, we have been confronted frequently with the challenges of security in hardware, specifically connected devices (hardware with the ability to send data to the internet). But these issues are not predominantly linked to the startup world. Our parent company Viessmann, a 100-year-old industrial family business, is wrestling with similar challenges in their core business. They are building smart climate devices (think smart thermostats, connected boilers or supermarket cooling cabinets). And they are not alone. Almost all larger industrial companies are either building or planning to build their own “smart” devices.
It’s easy to understand why the rapid adoption together with the sheer number of connected devices make them an attractive target for hackers. Combine that with the fact that a lot of these devices run on a uniform software stack, which enables adversaries to repeat a successful attack on multiple devices without needing to change their approach. Combined with the fact that more and more IoT devices are used in critical applications or provide an entry-point to networks that comprise crucial systems, it becomes obvious why we will be increasingly confronted with cyber attacks in our physical world. Just ask this Austrian hotel that was threatened by hackers to pay a ransom in bitcoins or see its guests locked out of their rooms.
Attractiveness aside: what makes IoT devices an easy target?
Most IoT devices possess their own storage, processing power, and a software stack that often resembles a full-blown operating system. An increased amount of software as well as capabilities in a system yield a much greater attack surface. An additional dilemma in the case of retrofitted devices is the fact that software inherent in those devices is now connected to the internet, but was never meant to be in the first place. This is especially true for interconnected, heterogeneous environments where vulnerabilities in one device can lead to attacks against other devices. The rising complexity of interconnections, the hallmark of IoT, as well as access possibilities make it even harder to monitor, secure, and control the environment.
Market dynamics pressure providers of IoT devices from two angles often causing them to compromise security. First of all, margins on the required chipsets to equip a hardware device with “intelligence” are low. These low margins in conjunction with rapid technological evolution, especially around wireless communication standards, incentivizes manufacturers to invest in new chipsets to support new features and communication standards rather than updating older devices, leaving them connected to the internet with outdated technology and little attention from the provider’s side.
Secondly, consumers favor features and pricing over security when buying a connected device. This drives the vendor as well as contracted hardware and software development providers towards using outdated software, firmware, and hardware, all often known to have security flaws, to operate the devices as the effort to fix bugs or to adapt own software to fixed third party software libraries significantly outweighs the benefit with respect to perceived added value for consumers.
Neither hard- nor software development typically is among the core competencies of many of the providers of IoT devices. Historically hardware focused manufactures and industrial companies are suddenly building IT products. Given the aforementioned pace of the technological evolution, neither existing internal teams nor recruiting of external talent can provide sufficient expertise to build secure devices and services.
The consequences of these three shortcomings are obvious. When unauthorized people are able to control critical devices and entire networks, the risks are not only economic, they can also be life-threatening. Just think of someone disabling your car brakes or manipulating airplane software.
Yet, there’s an even bigger threat: these devices are door openers to actively attack other systems connected to the same network, using the very device that was infiltrated. Just imagine your company’s mail server being hacked because of an insecure IP camera in its network. Look no further than companies such as Netflix, Twitter, Spotify, or Yahoo, who fell victim to manipulated IoT devices last year, causing their services to be unavailable to their users. These examples illustrate the fundamental change needed. It is insufficient to protect yourself from being infiltrated, which is the traditional one-way street approach security takes. Instead, connected devices need protection against infiltration as well as prevention from causing further damage by spreading the attack like a virus to other networks and devices. This inbound and outbound approach to security is what we call the two-way street of safety.
Given the severe externalities weak security in IoT devices can cause, governments may be forced to step in and create a regulatory environment that outlines basic safety requirements providers need to comply with in their devices. A helpful analogy exists around air pollution, where regulators stepped in and created regulation around the filtration of exhaust gases to control externalities stemming from high air pollution. Similarly, there are a few regulations that affect some IoT devices, like mandatory FCC or CE certifications that focus on electromagnetic interference, but the behavior of devices in interconnected environments remains entirely unaddressed. We believe security veteran Bruce Schneier is right when he calls for policy makers to help fix IoT:
“We need to rebuild confidence in our collective governance institutions. Law and policy may not seem as cool as digital tech, but they’re also places of critical innovation.”
Safety needs to be high on the agenda for all parties involved along the lifecycle of an IoT device. When working together with third party providers of hardware or software, companies need to ensure that they can hold these players accountable for any future damage incurred due to the lack of safety of the connected device. Since it’s neither possible nor economically desirable to build totally safe devices, proper insurance should be made mandatory. This way insurance premiums can then be used as additional flexible possibility to incentivize proper engineering or installation. Managers should strive for continuous testing of their software and working with new players like the Cyber Independent Testing Laboratory (CITL) can be a great start. The CITL provides an automated assessment of the software based on algorithms that analyze binaries and score their safety between 1 and 100. This allows insurers to adapt their premiums seemingly in real-time, penalizing poorly engineered software and the respective companies immediately.
Yet, it is not the sole responsibility of policy makers to provide safety. Leaders and managers of large and small companies alike can adjust their engineering process, technology stack, and product features today in order to improve the safety of their connected devices.
Apart from aiming to build safe devices from the start, software-driven products have to have the capability to be updated frequently as it is both technically and economically impossible to predict all possible threats an IoT device may face during its lifetime. Managers need to ensure that update functionality is built into the devices so that updates can be rolled out efficiently in order to react to an attack or ideally to maintain a high level of safety.
To compensate for missing experts and to avoid costs of reinventing the wheel you can leverage central hubs that provide security hardware, developer tools, frameworks as well as support, helping smaller players with implementing secure devices.
Managers should carefully assess the use cases of their connected devices and opt out from realizing trivial use cases that seem appealing simply for the sake of connectivity. The straightforward solution: don’t connect the devices. With mandatory insurance the costs for reaching a proper security level will maybe be prohibitive anyway.
There are also various technological solutions to reduce complexity, and one in particular that we at WATTx are working on: the ability to handcuff devices. Technically speaking, handcuffing devices means placing them in secured sub-networks requiring different trust levels whose border-devices enforce different security policies and ensure that their network participants cannot affect third parties outside of those borders. An example for such a border device would be a security-hardened version of an otherwise common Wifi router. If the router detects suspicious behavior of the connected devices in its network, it has the ability to constain that particular device, preventing it from infecting additional devices.
If we fail to shift from the traditional model of security to a model of safety, we are headed for serious trouble in an increasingly interconnected environment. Typically, companies and governments act reactively, i.e after the damage has been done and public pressure forces their hand. However, given the pace at which we interconnect an ever growing number of devices in our world and the obvious shortcomings of security, companies and governments alike should proactively push for a “two-way street of safety” and prevent harmful actions in a connected world.
A venture builder’s take on the “Why” and “How” to fail quickly for traditional companies...
It’s time we stop comparing ourselves to Silicon Valley and start offering something different
Each month, we, WATTx, organize a two-day internal hackathon.