To “learn” anything, you must have the ability to “unlearn” & “relearn”. This applies very much to the security discussions in the IoT ecosystem. In this interconnected era, we have to revisit the security paradigm from a different perspective: IoT is not only bringing growth in terms of devices & data, it is also increasing the magnitude of the security impact.
“Internet of Things (IoT)” devices are everywhere, and their numbers are just starting to explode in every industry. Experts at Cisco speculate that in 2020 there will be more than 50 billion connected devices, including consumer wearables, connected vehicles, health devices and smart grids. Home security systems, such as video cameras and motion detectors, have gained popularity as they have joined the booming Internet of Things (IoT) market and have grown in convenience. Gartner forecasts that 4.9 billion connected things will be in use in 2015, up 30 percent from 2014, and will reach 25 billion by 2020. The paradigm set by these ever-present gadgets has significantly changed society’s perception of technology, with almost every sector adopting IoT devices to improve user experience and deliver high-quality service.
But what about IoT security? These systems are able to gather and share huge quantities of sensitive data, which raises serious concerns. And most of the time, IoT devices are designed with flexibility in mind. The software they run could be easily hacked, and associated data traffic could be compromised – causing unexpected alteration of the systems’ behavior.
Now visualize all this data flowing through the unsafe and unreliable public Internet. It doubles the overall risk to consumers as well as to the providers.
“It is like posting your personal information on the Internet… you know the impact… don’t you?”
Below is a very nice visualization of what attacks would look like in the IoT Ecosystem.
The “Internet of Things” is supposed to make our lives easier, although it’s starting to look like hackers are just as eager for it as consumers are. Broad-reaching attacks and widespread vulnerabilities in connected devices, their mobile apps and cloud services are already being revealed.
A new HP study found that 100 percent of the studied devices used in home security contain significant vulnerabilities, including password security, encryption and authentication issues.
In 2014, a Russian website was discovered streaming live footage from nearly 10,000 private webcams, CCTV systems and even baby monitors from over 250 countries. In 2012, a security researcher demonstrated how to take control of building power systems, pressurized water heaters, a car wash, city traffic lights and wind farms.
Even the Federal Trade Commission has warned that cyber attackers could potentially hijack and misuse sensitive information recorded by the technology or that the technology could even create physical safety risks for consumers.
Common security challenges faced in the IoT Ecosystem
Lack of Authorization: Most of the systems, including their cloud-based web interfaces and mobile interfaces, failed to require passwords of sufficient complexity and length, with most only requiring a six-character alphanumeric password. All systems also lacked the ability to lock out accounts after a certain number of failed attempts.
Insecure interfaces: Most of the cloud-based web interfaces tested exhibited security concerns that enable a potential attacker to gain account access through account harvesting, which relies on three application flaws: account enumeration, weak password policy and lack of account lockout. Similarly, five of the ten systems tested exhibited account harvesting concerns with their mobile application interface, exposing consumers to similar risks.
Privacy concerns: All systems collected some form of personal information such as name, address, date of birth, phone number and even credit card numbers. Exposure of this personal information is of concern given the account harvesting issues across all systems. It is also worth noting that the use of video is a key feature of many home security systems with viewing available via mobile applications and cloud-based web interfaces. The privacy of video images from inside the home becomes an added concern.
Lack of transport encryption: While all systems implemented transport encryption such as SSL/TLS, many of the cloud connections remain vulnerable to attacks (e.g. the POODLE attack). Properly configured transport encryption is especially important since security is a primary function of these systems.
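The three account harvesting flaws listed above (account enumeration, weak password policy, no account lockout) can each be closed in the login path. The following sketch is an added example, not code from the HP study or from any tested product; the class name, thresholds and messages are assumptions chosen for illustration.

```python
import hashlib, hmac, os, time

MIN_LENGTH = 12          # assumed policy; the study saw six characters accepted
MAX_FAILURES = 5         # assumed lockout threshold
LOCKOUT_SECONDS = 900    # assumed lockout duration
GENERIC_ERROR = "invalid username or password"

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccountStore:
    def __init__(self):
        self.users = {}      # username -> (salt, password hash)
        self.failures = {}   # username -> (failure count, locked_until)
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash("placeholder", self._dummy_salt)

    def register(self, username, password):
        # Weak password policy: require length plus three character classes.
        classes = sum(any(f(c) for c in password)
                      for f in (str.islower, str.isupper, str.isdigit))
        if len(password) < MIN_LENGTH or classes < 3:
            return "password too weak"
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))
        return "ok"

    def login(self, username, password, now=None):
        now = time.time() if now is None else now
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return GENERIC_ERROR          # locked: same message, no state leaked
        # Enumeration: unknown users take the same hashing path and get the same reply.
        salt, stored = self.users.get(username, (self._dummy_salt, self._dummy_hash))
        match = hmac.compare_digest(_hash(password, salt), stored)
        if match and username in self.users:
            self.failures.pop(username, None)
            return "ok"
        # Lockout: count failures for known and unknown names alike.
        count += 1
        if count >= MAX_FAILURES:
            count, locked_until = 0, now + LOCKOUT_SECONDS
        self.failures[username] = (count, locked_until)
        return GENERIC_ERROR
```

The failure table grows with every name that is tried, so a production version would bound it or expire old entries.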
Preparing for IoT Security:
As per Cisco, 28% of enterprise organizations claim that network security is much more difficult today than it was two years ago. Based on their and other industry perspectives, there are a few core aspects for which we should be prepared and ready before the tsunami hits the shores.
Device Identification: As IoT propagates, InfoSec teams will have to provide network access to an army of unmanaged heterogeneous devices. IoT devices will come in all shapes and sizes, reside outside the network, and readily exchange data with corporate applications. Given the magnitude of devices & interactions with the corporate network, there is a need for strong & robust device identification. In other words, each device will have to announce itself to the network with some type of authentication that can be verified by some type of authority to establish trust.
Network Access Policies: Fine-grained network access control policies will determine what devices are allowed to do on the network. Once again, the diversity in IoT device types, locations, and business functions demands more policy variety and granular enforcement rules than standard IT assets seeking network access. Device identity and behavior will determine how these network access policies are enforced.
Dynamic traffic shaping and network segmentation: In the IoT world, device type, transport protocols, or data/application sensitivity will trigger network segmentation policies. As IoT grows, we should expect to see thousands of dynamically configured network segments at all times. Fortunately, this will not require VLAN tag configurations to be applied to all network switches. It’s likely that software-defined networking (SDN) technologies will combine with network identity and access policies to apply dynamic network segments on the fly for different traffic types.
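The three points above fit together as one admission decision: verify the identity a device announces, look up the policy for its type, and place permitted traffic in a segment. The following is an added example, not code from Cisco or Equinix; the HMAC-signed credential stands in for whatever authority-issued identity a deployment uses, and the key, policy table and function names are assumptions.

```python
import hashlib, hmac, json

AUTHORITY_KEY = b"constructed-demo-key"   # constructed value for this example only

# Hypothetical policy table: device type -> (segment, allowed (protocol, port) pairs)
POLICY = {
    "camera":     ("seg-video",   {("tcp", 443)}),
    "thermostat": ("seg-sensors", {("tcp", 8883)}),
}

def _tag(claims):
    return hmac.new(AUTHORITY_KEY, claims.encode(), hashlib.sha256).hexdigest()

def issue_credential(device_id, device_type):
    """Authority side: bind a device id to its type and sign the pair."""
    claims = json.dumps({"id": device_id, "type": device_type}, sort_keys=True)
    return claims + "." + _tag(claims)

def verify_credential(credential):
    """Network side: return the claims only if the authority's tag checks out."""
    claims, _, tag = credential.rpartition(".")
    if not hmac.compare_digest(tag.encode(), _tag(claims).encode()):
        return None
    return json.loads(claims)

def admit(credential, protocol, port):
    """Default-deny admission: identity first, then per-type policy, then segment."""
    claims = verify_credential(credential)
    if claims is None:
        return ("deny", "unverified identity")
    policy = POLICY.get(claims["type"])
    if policy is None:
        return ("deny", "no policy for device type")
    segment, allowed = policy
    if (protocol, port) not in allowed:
        return ("deny", "traffic not permitted for " + claims["type"])
    return ("allow", segment)
```

The credential here is a bearer token that could be copied from one device to another; binding it to the device needs a challenge-response or mutually authenticated TLS on top.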
We strongly believe that industry leaders in software security need to come together to address these challenges and provide robust security services for the interconnected IoT ecosystem.
To see how Equinix can play a vital role in connecting all the enterprises and security providers in this interconnected era, please check http://www.equinix.com/ioa/ . We’re home to an array of emerging (and established) financial, interconnection & cloud ecosystems and drive digital companies to reach a new level of interconnection by helping them become interconnected enterprises.