Business Standard

The internet of holes

Payal Dhar explains how smart devices are changing the threat landscape

A complex digital web powered by the internet governs our lives today. Work or play, entertainment or communication, we depend on the internet to get by all the time. It is entirely possible that for the first time in the history of human civilisation we might have wholeheartedly embraced a technology for its untold conveniences without understanding much of it. Rarely before has a technology showered us with such conveniences that we have choreographed our entire lives around it. And now this virtual digital network has a foot in our physical space as well. We call it the Internet of Things (IoT).

Imagining a future where a runaway washing machine and an assembly-line AI (artificial intelligence) come together to overthrow the human race might be taking things a tad too far, but IoT has changed the threat landscape quite radically. Time was when we reeled at computer malware threatening our data, phishing and vishing attacks sniffing at our personal information, forgetting or losing our passwords, and so on. Now, with home appliances, cars, wearables, toys, medical equipment, industrial machinery and a bunch of other machines and devices imbued with “smartness”, we are looking at a whole new matrix of challenges.

The lay of the landscape

It is difficult to draw a line where the “regular” internet finishes and IoT begins. Some say IoT has existed since our mobile phones have been able to connect to the web. Others posit that “Internet of Everything” is a better term for smart networks that connect objects. Be that as it may, IoT connects our physical and digital worlds, making objects talk to digital services through the internet. It is vast and complex, and to attempt a comprehensive coverage of risks and vulnerabilities would be a fool’s errand. Therefore, here we focus on smart home appliances and personal devices — the sort of IoT that most of us are likely to cross paths with.

How do the eponymous “things” in IoT connect with each other over the internet? In many cases it could be a smartphone app; otherwise, say for home automation, it could be a hub of some sort. The problem, however, is that no single hub or standard of operation is available to control all IoT devices. So when we talk about security, there is no single point of vulnerability that can be guarded.

“If a smart home or a smart device is hacked,” say Bako Ali from the Luleå University of Technology, Sweden, and Ali Ismail Awad from Al Azhar University, Egypt, in a paper on vulnerability assessment for IoT-based smart homes, “the adversary has the potential to invade a user’s privacy, steal personal information, and monitor users inside a smart home environment”.

This isn’t a new threat. A few years back, the Federal Bureau of Investigation (FBI) issued a public service announcement in America warning of the potential risks of IoT objects. It had in its list smart lightbulbs, cars, home appliances including security systems, wearables, printers and fuel monitoring systems. “Cybercriminals can take advantage of system and human vulnerabilities by exploiting weaknesses [in IoT]… The lack of consumer awareness can open windows of opportunities for attackers to not only execute online attacks, but threaten the physical safety of consumers as well,” the FBI cautioned. These physical risks can range from turning off security cameras and door locks to hijacking smart cars and bionic prosthetics.

In other words, we are no longer just talking about abstract, virtual threats like viruses and online scams and cloud data breaches. This is “something tangible”, according to Kaushal Kafle, the lead author of a paper on security flaws in smart home platforms.

A study in vulnerability

Scientists from the College of William & Mary in Virginia, USA, attempted to see how home automation platforms can be vulnerable to attacks that affect the smart devices connected to them. One of the vulnerabilities they demonstrated is called a “lateral privilege escalation attack” — where access to a low-integrity device (such as a light switch) can be used to gain access to a high-integrity one (like a door lock or security camera). In their test, the scientists hacked into a Google Nest smart home system by gaining access to a power outlet. They were then able to change the status of the home owner from “away” to “home”, thereby disabling the surveillance system.
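The lateral privilege escalation described above can be modelled in a few lines. This is an added example, not code from the researchers or from any vendor: the device names, the `occupancy` variable and the two integrity levels are assumptions made for illustration. It contrasts a platform that lets any connected device write the shared away/home state with one that refuses writes from devices of lower integrity than the devices that act on that state.

```python
# Constructed model for illustration; not taken from any real smart-home platform.
from dataclasses import dataclass, field

LOW, HIGH = 1, 2  # assumed two-tier integrity scheme


@dataclass
class Platform:
    enforce_integrity: bool
    device_level: dict = field(default_factory=dict)  # device -> integrity level
    readers: dict = field(default_factory=dict)       # shared variable -> devices acting on it
    state: dict = field(default_factory=dict)         # shared variable -> current value
    audit: list = field(default_factory=list)         # (writer, variable, value, allowed)

    def required_level(self, variable):
        # A shared variable is as sensitive as the most sensitive device acting on it.
        levels = (self.device_level[d] for d in self.readers.get(variable, ()))
        return max(levels, default=LOW)

    def write(self, writer, variable, value):
        allowed = (not self.enforce_integrity
                   or self.device_level[writer] >= self.required_level(variable))
        self.audit.append((writer, variable, value, allowed))  # log denied writes too
        if allowed:
            self.state[variable] = value
        return allowed

    def camera_recording(self):
        # The camera records only while the occupant is marked "away".
        return self.state["occupancy"] == "away"


def build(enforce_integrity):
    p = Platform(enforce_integrity)
    p.device_level = {"power_outlet": LOW, "security_camera": HIGH, "owner_phone": HIGH}
    p.readers = {"occupancy": ["security_camera"]}
    p.state = {"occupancy": "away"}
    return p


def simulate(enforce_integrity):
    """Replay one write arriving through the low-integrity outlet."""
    p = build(enforce_integrity)
    p.write("power_outlet", "occupancy", "home")
    return p.camera_recording(), p.audit
```

Without enforcement the outlet's write succeeds and the camera stops recording; with enforcement the write is refused and remains in the audit trail, where a monitoring rule can pick it up.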

If a hacked home is not fantastic (and scary) enough, how about compromised pacemakers and high-end prosthetics? A couple of years ago almost half a million St Jude’s “smart” pacemakers had to be recalled in the US after critical vulnerabilities surfaced. These radio frequency enabled implantable pacemakers can connect to mobile diagnostic and monitoring systems. Users need to visit their health care professional for firmware upgrades to plug security holes.

Just last month at the Mobile World Congress, Kaspersky Labs presented a report on the vulnerabilities of a high-tech bionic hand made by the Russian company Motorica. These prosthetics contain smart features like inbuilt display, NFC chip, GSM module, smartwatch functionality and others. These are enabled through an experimental cloud-based platform, one that could be extended for use with other bionic prosthetics and smart wheelchairs. Unfortunately, it also affords a gateway for malicious intent, including, says Kaspersky, “several previously unknown security risks that could enable a third party to access, manipulate, steal or delete the private data of device users”.

Plugging the holes

Research and advisory company Gartner predicts that by 2020 — less than a year from now — IoT will connect more than 20 billion “things”. The security landscape doesn’t look inspiring. “There are so many things that a hacker can target,” says Kafle.

“For example, you have multiple users, multiple devices from different vendors and of different letters, and then there is the fact that you have multiple apps connecting to those devices…. [This gives the attacker] a large attack surface to operate on.”

But why does this happen? Are developers short-sighted? Is the hardware faulty? The reality is more complex. “The issue here is not that these devices are faulty or buggy in production,” says Kafle. “[The issue is,] from the outset, we don’t know what the challenges are going to be… As a vendor, I do not know how my device is going to be used, what [other] devices are going to be connected to it, the platform the user is going to tie me into. And also, I don’t know which apps are going to control that device if I allow third-party developers.”

This constantly evolving ecosystem is the unknown variable, with an ever-changing and infinite number of permutations and combinations of how devices, apps and platforms interact with each other, keeping the security landscape in a state of flux.

Then there is the fragmentation of the market, resulting in different versions and user interfaces in play. “An app that has already been fixed could be susceptible to some of the bugs in the older version. So you have a hole right there,” Kafle says. “These things are not trivial to fix. The onus is going to be on the vendors and the manufacturers to come up with viable access control policies and security that they can fix from their own end, irrespective of the fragmentation.”

As always, information is power, and Kafle does not advocate pretending the problem doesn’t exist or “being alarmist about not buying this device or abandoning that platform. I think the better way forward would be to gain awareness and be proactive about the issues going forward, even as consumers.”
