Bench Talk

IoT security research findings from Hewlett Packard Enterprise’s internet of things research study. (Courtesy: Hewlett Packard Enterprise)

It’s a familiar pattern; a new technology is introduced, everyone gets excited about its potential and then a seasoned engineer inquires if it can be exploited by the bad guys. Such security questions are now being asked about the Internet of Things (IoT); a network currently under development that makes today’s Internet look tiny in comparison.

The IoT will fuse the conventional Internet with the cellular network and add a third layer of billions of connected ‘things’. Instead of today’s dumb products, that currently operate in glorious isolation ––think machine tools, washing machines, fridges, and even humble devices like pens and spectacles––things will be connected and ‘smart’. According to analyst Gartner, by 2020 the IoT will already comprise 26 billion things.

Such ubiquitous connectivity will bring huge economic and social gains; for example, one analysis by U.S. conglomerate General Electric estimated the technical innovations of the industrial IoT could find direct application in sectors accounting for more than $32.3 trillion in economic activity.

But one glaring drawback of this powerful universal network is the backdoor access to everything it provides for the unscrupulous.

Today’s Internet is the battleground for a perpetual arms race between IT companies and malevolent hackers. For example, no sooner has a security patch been released by Apple, Microsoft or Google than an Internet security company identifies another weakness in their respective operating systems; typically, one that could be exploited by a determined baseball cap-wearing 19-year-old working out of a dingy Eastern European basement.

Why do hackers do it? Some break into computers to demonstrate their ‘talent,’ others do it to gain access to industrial or military secrets, but the majority of today’s hackers go after personal data because it has commercial value. Credit card details are an obvious example, but health information and purchasing-habit particulars are also valuable to many organizations (which often don’t ask where the data came from).

The Ponemon Institute, a U.S.-based research center dedicated to privacy, data protection and information security policy, publishes an annual Cost of Data Breach study which puts an estimate on the cost to companies of hacked information. It makes grim reading; according to the 2015 study of 350 companies spanning 11 countries, the average  cost of a data breach is $3.8 million - representing a 23 percent increase since 2013.

It’s a problem that’s only going to get worse as the IoT rolls out. A report published in late 2015 by Hewlett Packard Enterprise, for example, concluded 70 percent of the most commonly used IoT devices showed serious security deficiencies. The report also noted 90 percent of IoT devices collected at least one piece of personal information. (See figure.)

While the information stored on an Internet-connected washing machine, for example, may have a low intrinsic value, a designer of white goods is unlikely to have the expert knowledge of TCP/IP protocols required to protect his product, making it simple to hack. This lack of security, combined with the ease with which a hacker could attack thousands of washing machines simultaneously, would likely make his efforts valuable to a rival manufacturer.

Moreover, It’ll be impractical to regularly patch or update the billions of devices connected to the IoT over their lifetime that could reach a decade or more. And even if the software for a particular device could be regularly updated via the device’s Internet link such updates are likely to happen automatically with no one around to check that the new software has come from a trusted source.

In addition, the IoT introduces new avenues of attack. For example, a researcher has already highlighted a potential vulnerability in a leading brand of wireless fitness band. A scientist claimed that the device could be hacked via its Bluetooth radio and used to deliver malware to a computer when the wearable downloaded its data. (Although the claim was later disputed by the manufacturer.) In other reported cases, researchers managed to remotely control the steering and brakes of a standard production automobile and other scientists gained access to Internet-connected drug infusion pumps potentially allowing dosage tampering.

It doesn’t take much of a leap of imagination to go from a benign researcher hacking a wearable or drug pump in the interests of science to the nightmare scenario of cyber terrorists shutting down California’s electricity grid or reprogramming Chicago’s traffic control systems to instigate chaos. 

So what’s to be done? The IoT will gradually become pervasive, controlling automobiles, health devices, logistics, air traffic and virtually all the modern systems we take for granted. Engineers need to take steps today to counter the risks that are inherent with connected products.

Organizations such as the AllSeen Alliance and the Open Interconnect Forum, both recently set up to certify that IoT devices interoperate, could take the lead on IoT security. The former, which counts Microsoft, Panasonic and Philips among its members, has taken some positive steps by introducing major authentication and device authorization updates to its AllJoyn open source framework for the IoT.

The good news is that the expertise to address the huge security challenge that the IoT presents is available in the computer industry. After all, IoT devices have computers (albeit often tiny and resource-restricted units) at their centers. It’s a matter of accessing the engineers’ knowledge and encouraging IoT device makers to adapt the processes and techniques developed by the computer software industry to protect their products. For although the Internet security arms race is unlikely to ever be won, it’s important for all of us that the good guys always remain one step ahead.