IoT – Walking on Egg Shells?
Be ready for the next wave of IoT breaches – if you are going cognitive, or not paying attention to hardware and software parts, you could be next in line for a guerrilla assault
When IoT started rising in adoption and investments, security attackers too started to breed termites. More so as the wall is sprawling bigger every year. The very charm and advantage of IoT is spackling it with imminent threats and attacks ahead. The Humpty has to be more careful. More ready.
Less bricks! More Louvre!!
Today, interconnected sensors and actuators have pervaded almost every sphere of our lives, with the dawn of the IoT era. It is not just our homes and appliances that are embracing smart things, embedded sensors and actuators. Look at connected medical appliances that allow for continuous remote monitoring of patients and timely administration of medicines. Or at the construction industry that is using smart cement with sensors (e.g., accelerometres) to monitor the load on bridges and perform preventive maintenance.
Even power grids are being instrumented with
THE SPATE OF RECENT ATTACKS THAT HAVE BEEN REALIZED ON THESE EMBEDDED SENSORS BEAR TESTIMONY TO THEIR UBIQUITY BUT ALSO RAISE SERIOUS CONCERNS ABOUT THEIR SECURITY. THESE DEVICES, BY VIRTUE OF THEIR DEPLOYMENT, CAN BE USED TO CRIPPLE CRITICAL INFRASTRUCTURE THAT WAS ONCE CONSIDERED INVULNERABLE
— Vaidyanathan R Iyer, Security Software Leader, IBM India/South Asia
sensors to detect possible disruptions and, accordingly, manage the generation and distribution of power. In manufacturing too, embedded sensors are being integrated into the heavy machinery for increased worker safety, optimization of processes via automation, and anomaly detection.
As Vaidyanathan R Iyer, Security Software Leader, IBM India/South Asia uncomfortably reminds, in spite of our increasing reliance on these embedded sensors and actuators, their security has unfortunately not attracted as much attention as it deserves. “The spate of recent attacks that have been realized on these embedded sensors bear testimony to their ubiquity but also raise serious concerns about their security. These devices, by virtue of their deployment, can be used to cripple critical infrastructure that was once considered invulnerable.”
We are talking of a space that is proliferating very fast - IoT connections worldwide can reach 5.3 billion in 2028, as per estimates by Analysys Mason. Any loophole – small or big - can have consequences deep and dangerous for users here. Turns out that these loopholes are not only huge in number but also below the radar even now. There is something new that is discovered every few days, and that ‘something’ happens to be an advantage for the security attackers.
Forget fragmentation, nascent hardware, invisibility of sensors and the scale-multiplier nature of IoT devices – there are more reasons inherent in the IoT nature that are mushrooming as rapidly and wildly as IoT devices are.
Main Driver
The main driver of this IoT boom is its ease of installation and use, Katkar points out when talking about the big security risk to its end users. “In an attempt to make IoT devices easy to use and install, many basic security best practices are sidelined.” He underlines the worry about the gaps that the current notion of IoT vendors seems to deepen all the more. “They think that if anything traditional can be connected to internet and can be controlled remotely (be it through voice or gesture or mobile apps, etc.), it’s called smart and it will find takers in the market.”
Then, there is the innate problem of entropy. It is relatively low in an IoT Infrastructure because of the stripped-down, bare-minimum nature of embedded devices systems. Many IoT devices rely on RSA keys and certificates. These are used to encrypt data before sending it to other devices. But how sturdy are these?
As researchers from Keyfactor demonstrated really, one can easily compromise 249,553 distinct keys corresponding to 435,694 RSA certificates by just using a single virtual machine. Even if one argues that the RSA algorithm is secure, the way enterprises use it can hint at the level of weakness of these certificates – more so as one cannot ignore the self-sign nature that works in IoT’s case. The consequences range from impersonation by an attacker, theft of data to manipulation for a denial-ofservice attack.
The total number of IoT connections worldwide will grow at a CAGR of 22 per cent between the end of 2018 and 2028. They will reach 5.3 billion in 2028: An Analysys Mason Report
Iyer adds the dimension of passive attacks to this list of inherent weaknesses of IoT. “The attacks on these systems can be broadly categorized into two types: active and passive. In the case of active attacks, an
adversary gains access to the device and uses it to control the device and run malicious code on it. In the case of passive attacks, signals emitted by these devices are used to infer sensitive information about the system or the usage and activity of the system.
Walking Wall
As IoT evolves, more and more systems will transition from ‘traditional’ IoT to Cognitive IoT. That’s exactly when a new range of security attacks becomes feasible. “Attackers can interfere with the process of cognition and force the system to learn incorrect behavioral models. By subverting vulnerable sensors and actuators, or feeding learning systems with false data, attackers can corrupt the learning process.” Iyer argues.
The increasing ‘smartness’ is a quality that can become a paradox of sorts with IoT. Iyer notes that the point between the data capture at the IoT device to ingesting it in the enterprise security framework is the most vulnerable period. This calls for a new approach to Digital Trust integrated with threat management supported by robust Incident Response schemes.”
Companies increasingly want to make use of cognitive technology to better understand and use their data. Enabling such analysis by generating, collecting, and storing additional data makes a company also more vulnerable to the loss and misuse of such data – he reasons. Katkar slices open the security posture of IoT devices on some inherent limitations - like limited hardware resources and not-so-easy ways to update software/firmware running on them. “That is further increasing the attack surface. The early entrants in the IoT market have learned these security risks by getting hacked and exposed by security researchers. But these days, there are lots of new entrants (vendors) in this market who completely ignore the lessons of others and still focus on ease of use and affordability over secure design and communication of these IoT devices.”
IoT – Strong or Weak?
“As companies deploy IoT solutions the networks are potentially bridged and so the attack surface widens. Attacks and threats to companies could be in the form of leakage of sensitive data or manipulation of the corporate network by rogue devices. These same attack surfaces could allow attacks, which take over devices and allow for manipulation of a company’s network infrastructure. Ultimately, as devices and sensors are connected in IoT applications, a comprehensive assessment of security, privacy, and safety should be performed.”
Katkar reflects at the initial wave of IoT attacks and how it was basically attacks for fun or breach of someone’s privacy, etc. “But over the years, we have seen a streak of more devastating IoT attacks like Mirai Botnet, ADB port related attacks, hijacking IP surveillance cameras, etc. We suspect this will continue and adversaries will slowly move from hacking IoT devices for fun to hacking these devices for gains.”
Every wall has that one brick, that one air-gap and wet paint spot that do not rhyme too well. IoT may be a unique, moving, expanding and intelligent wall – but it is still as strong as its weak areas.
THE ADOPTION OF IOT IS INCREASING DAY BY DAY. THE RACE OF MAKING EVERYTHING SMART IS SO CRAZY THAT THE BASICS OF SECURITY ARE COMPLETELY IGNORED WHILE BUILDING THESE SMART IOT DEVICES
— Sanjay Katkar, CTO, Quick Heal Technologies