Insecurity of Things IoT
Whenever security experts talk about the scheduled certification or attestation of accounts, they often miss a small but critical class of accounts: service accounts. They overlook these for a couple of reasons. First, they aren’t living, breathing people; they’re wind-up toys that run apps, databases, background processes, and so on. Second, it’s difficult to expire their passwords, since doing so can bring those processes to a crashing halt. But REAL experts will tell you that service accounts must have named owners, strong credentials, and periodic review. Such accounts typically have extreme access (they can execute code, query and update your database, and perform a host of other privileged tasks). For the same reason, they must be subject to access policies, to ensure that humans can’t hijack these accounts and assume those super-powers.
With the world increasingly running on the Internet of Things (IoT), with all manner of devices connected to the backbone, the actual ACCOUNTS that these devices run under must also be subject to the same policies and reviews as human accounts. It’s only a matter of time before everything in your house is wired, for your convenience, and therefore subject to all the malware and evil intentions that your PC is already a target for.
You need to secure your IoT channels for two purposes: for the sake of the devices themselves, and also so they don’t get hijacked for downstream attacks. The very purpose of an IoT device can conceivably be corrupted. And ANYTHING that can run or host code can be used as a springboard for hitting something else entirely. Spam-bots, malware hosts, pivot points into the rest of your network, a man-in-the-middle in your own home: these are all possibilities. Actually, they’re already fact.
Upgraded cable TV packages? They might still eat off a coaxial cable that comes into your house, but they’re all internet-based. The pizza box that runs your main TV, the little adapters that hook to your extra TVs, the VoIP phone that comes off the back of the wireless gateway. Even if you don’t get your internet access from your cable company, the rest of your equipment is fed by IP. In the past, you only worried about your neighbor eating off your broadband, maybe downloading porn or something worse. But any IP-based component, not just your desktops, can be compromised for spam, DoS attacks, and other vectors. Your DVR can actually be used to launch digital assaults.
Blackmailers have long been grabbing control of users’ laptop cameras to harvest embarrassing video. But how about IP cameras guarding your house? They can tell when you’re home. And when you’re not. Blackmail might be the least of your worries.
In our lifetimes, we’ll have a large portion of our households online. Appliances that tell you when you’re short on orange juice. Kitchen islands that display the news while you’re making dinner. Furniture that knows when you’ve been sitting too long, or that senses enough people are in the living room to crank up the A/C. Home temperature controls, baby monitors, lights, even coffee makers. Hackers could literally take over your house. They could also (virtually) move into your house and use it as a base of operations to attack or spy on all your neighbors.
The “Hello Barbie” was found to have a vulnerable smartphone app that could allow virtual intruders to record audio from the doll.
Smart watches know where you are, and more and more they take the place of even smartphones. Much of their communication with providers is unencrypted.
A couple of years back, on a very popular TV show, a hacker showed the host how he could hack any room lock in a particular hotel.
A very popular line of self-driving cars provides a REST API for enterprising owners to start up the car, even have it open up the garage, pull it out of its spot, and unlock the door. On its own, it can change lanes or hit the brakes if it senses an incursion into its space. If that control were to be corrupted, clearly it could be fatal.
Utility companies have been talking about smart meters for years, and many of them have implemented such devices. Security gurus have long discussed the need to secure them so that a customer can’t get away with paying half-price for his juice, and also so pranksters can’t shut off the power to a whole neighborhood, just for giggles. But again, proximity and platform could allow smart meters to be vectors for attacks.
For years, implanted health devices such as pacemakers have been subject to modem-based checkup and analytics. In 2015, a white hat hacked a wireless pacemaker on a simulated patient and “killed” the patient. Their next attempt was against a wireless insulin pump. Dick Cheney’s cardiologist had the wireless function on the former VP’s implanted defibrillator disabled during his years in DC. The notion of extortionists or murderers or even evil jokesters having life-and-death power is of course horrifying.
These are just some of the (potential and very real) horror stories. So what is the solution?
Outdated protocols such as Telnet send everything, including the login credentials, in the clear: there is no encryption, so a password sniffed off the wire is as good as the password itself. At the very least, REST over HTTPS (increasingly used for wireless backend calls) gives you multiple layers of security: TLS on the transport, plus authentication and authorization at the application layer. It can also sit behind API gateways, service bus policies, and other technology that validates not only the user/device but also the traffic itself, specifically looking for SQL injection or denial-of-service patterns. Even the devices themselves can be required to authenticate, with per-device credentials or certificates, while the human user is simply along for the ride as data.
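To make the preceding paragraph concrete, here is an added example (it is not code from this article or from any product it mentions) of what a gateway in front of an IoT REST backend has to check on every call: that the device is who it claims to be, that the request is fresh and not replayed, that the device is allowed to hit that route, and that the payload contains only the fields and types the route expects, so an injected SQL fragment never reaches the database layer. The device ids, keys, routes and payloads are constructed, and per-device HMAC signing is an assumed scheme standing in for per-device client certificates.

```python
"""Per-device authentication and request validation at an IoT API gateway.

Added example; not code from the article or any product it names.
Each device holds its own secret and signs every request (HMAC, an assumed
scheme standing in for per-device client certificates); the gateway verifies
the signature, rejects stale and replayed requests, enforces the device's
allowed routes, and allow-lists the payload before it reaches the
application or database. Device ids, keys, routes and payloads are constructed.
"""
import hashlib
import hmac
import json
import secrets

# Constructed device registry. In production the keys come from a secrets
# store or HSM, and every device gets a unique key at provisioning time.
DEVICE_KEYS = {
    "thermostat-0042": bytes.fromhex("1f" * 32),
    "camera-0007": bytes.fromhex("2e" * 32),
}
# Least privilege: the only routes each device is allowed to call.
DEVICE_SCOPES = {
    "thermostat-0042": {"POST /v1/telemetry"},
    "camera-0007": {"POST /v1/telemetry", "POST /v1/motion"},
}
# Allow-listed payload fields and their types, per route. Anything else
# (extra fields, strings where numbers belong, SQL fragments) is rejected.
ROUTE_SCHEMAS = {
    "POST /v1/telemetry": {"temp_c": (int, float), "humidity": (int, float)},
    "POST /v1/motion": {"detected": (bool,)},
}
REPLAY_WINDOW_SECONDS = 300


def canonical_string(method, path, device_id, timestamp, nonce, body):
    """The exact bytes both sides MAC; changing any part invalidates the signature."""
    body_hash = hashlib.sha256(body).hexdigest()
    parts = [method, path, device_id, str(timestamp), nonce, body_hash]
    return "\n".join(parts).encode()


def sign_request(device_id, key, method, path, body, timestamp):
    """Device side: the headers that accompany the request."""
    nonce = secrets.token_hex(16)
    msg = canonical_string(method, path, device_id, timestamp, nonce, body)
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"X-Device-Id": device_id, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": mac}


def validate_body(route, body):
    """Allow-list the JSON payload for this route."""
    schema = ROUTE_SCHEMAS[route]
    try:
        data = json.loads(body)
    except ValueError:
        return False, "body is not JSON"
    if not isinstance(data, dict) or set(data) != set(schema):
        return False, "unexpected fields"
    for field, types in schema.items():
        value = data[field]
        # bool is a subclass of int in Python, so exclude it explicitly.
        if not isinstance(value, types) or (isinstance(value, bool) and bool not in types):
            return False, f"{field} has wrong type"
    return True, "ok"


def verify_request(method, path, headers, body, now, seen_nonces):
    """Gateway side. Returns (accepted, reason); seen_nonces is the replay cache."""
    device_id = headers.get("X-Device-Id", "")
    key = DEVICE_KEYS.get(device_id)
    if key is None:
        return False, "unknown device"
    try:
        timestamp = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - timestamp) > REPLAY_WINDOW_SECONDS:
        return False, "stale request"
    nonce = headers.get("X-Nonce", "")
    if (device_id, nonce) in seen_nonces:
        return False, "replayed nonce"
    msg = canonical_string(method, path, device_id, timestamp, nonce, body)
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    # Constant-time compare so timing does not leak how much of the MAC matched.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    seen_nonces.add((device_id, nonce))
    route = f"{method} {path}"
    if route not in DEVICE_SCOPES[device_id]:
        return False, "device not authorized for this route"
    return validate_body(route, body)


if __name__ == "__main__":
    seen = set()
    key = DEVICE_KEYS["thermostat-0042"]
    body = b'{"temp_c": 21.5, "humidity": 40.0}'
    hdrs = sign_request("thermostat-0042", key, "POST", "/v1/telemetry", body, 1_700_000_000)
    print(verify_request("POST", "/v1/telemetry", hdrs, body, 1_700_000_010, seen))
    print(verify_request("POST", "/v1/telemetry", hdrs, body, 1_700_000_011, seen))  # replay
```

The order of the checks matters: the cheap identity, freshness and replay checks come before the MAC, the MAC comes before any authorization decision, and the payload is only parsed once the caller has proved who it is. The replay cache needs only hold nonces for the length of the freshness window, and the same structure works unchanged if the HMAC is swapped for verifying a per-device client certificate at the TLS layer.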
Cognitive (behavioral) access policies, which profile and monitor how a device normally acts, can also catch many types of anomalous activity. For example, if a single residential IP starts launching large numbers of outbound connections that are out of character, that activity can trigger alerts or, in extreme cases, temporarily cut the device off until it can be investigated. Normal behavior can be learned over time, or a particular type of user, such as residential or business, can register an expected behavioral profile so that monitoring is tuned appropriately.
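As an added example (not code from this article), here is the shape of the monitor the paragraph above describes, combining both approaches it mentions: a per-device baseline learned from observed minutes of traffic, plus a registered profile (residential or business) whose ceiling applies even before any baseline exists. The device names, profile limits and per-minute flow counts are all constructed.

```python
"""Behavioral monitoring of per-device outbound traffic.

Added example; not code from the article or any product. It learns a
per-device baseline of outbound connections per minute, scores each new
minute against it, and also enforces a ceiling from a registered profile
(residential or business) so that a device with no history yet is still
bounded. Device names, profile limits and flow counts are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Registered behavioral profiles: hard ceilings that apply even before a
# baseline has been learned. The numbers are illustrative.
PROFILES = {
    "residential": {"max_conns_per_min": 200, "max_dst_ips_per_min": 50},
    "business": {"max_conns_per_min": 5000, "max_dst_ips_per_min": 2000},
}
DEVICE_PROFILE = {"dvr-1": "residential", "camera-2": "residential", "pos-9": "business"}


class DeviceMonitor:
    def __init__(self, warmup=10, alert_z=3.0, quarantine_z=8.0):
        self.history = defaultdict(list)   # device -> learned per-minute counts
        self.warmup = warmup               # minutes of history before scoring
        self.alert_z = alert_z
        self.quarantine_z = quarantine_z

    def observe(self, device, conns, dst_ips):
        """Score one minute of outbound activity. Returns (verdict, detail)."""
        profile = PROFILES[DEVICE_PROFILE.get(device, "residential")]
        hist = self.history[device]
        verdict, detail = "ok", "within baseline"

        # 1. Registered ceiling: no learned baseline can override it.
        if conns > profile["max_conns_per_min"] or dst_ips > profile["max_dst_ips_per_min"]:
            verdict, detail = "quarantine", "above registered profile ceiling"
        # 2. Learned baseline, once enough normal minutes have been seen.
        elif len(hist) >= self.warmup:
            mu, sigma = mean(hist), pstdev(hist)
            # Floor sigma so a perfectly flat baseline does not turn every
            # small wobble into a huge z-score.
            z = (conns - mu) / max(sigma, 1.0)
            detail = f"z={z:.1f} (baseline {mu:.1f} +/- {sigma:.1f})"
            if z >= self.quarantine_z:
                verdict = "quarantine"
            elif z >= self.alert_z:
                verdict = "alert"
        else:
            detail = f"learning ({len(hist)}/{self.warmup} minutes)"

        # Only minutes judged normal feed the baseline, so a burst cannot
        # immediately teach the monitor that the burst is normal.
        if verdict == "ok":
            hist.append(conns)
        return verdict, detail


# Constructed per-minute flow summaries: (device, outbound_conns, distinct_dst_ips).
SAMPLE_MINUTES = (
    [("dvr-1", c, 2) for c in (4, 6, 5, 7, 5, 4, 6, 5, 5, 6, 4, 5)]  # normal DVR chatter
    + [("dvr-1", 9, 3),         # mild deviation: alert only
       ("dvr-1", 40, 38),       # DVR suddenly talking to 38 hosts: quarantine
       ("camera-2", 300, 120),  # no history yet, but far above a residential ceiling
       ("pos-9", 300, 120)]     # the same numbers are unremarkable for a business profile
)


def run(minutes, monitor=None):
    """Feed a sequence of per-minute summaries through the monitor."""
    monitor = monitor or DeviceMonitor()
    return [(device, conns, monitor.observe(device, conns, dst)[0])
            for device, conns, dst in minutes]


if __name__ == "__main__":
    for row in run(SAMPLE_MINUTES):
        print(row)
```

Two caveats a practitioner would want stated. First, learning only from minutes judged normal blocks a sudden burst from poisoning the baseline, but an attacker who stays under the alert threshold can still creep the baseline upward over time; the registered ceiling is what bounds that. Second, a z-score on connection counts is a deliberately simple statistic; in practice you would score several features (destinations, ports, bytes, time of day) and let the quarantine action require human confirmation, since cutting off a device is itself a denial of service if the detector is wrong.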
IoT devices that get plugged into home wireless should be reconfigured to eliminate factory defaults: change the default password, turn off remote administration and any services you don’t use, and apply firmware updates. But if you have wearable technology over which you have no control of how it talks, or to WHAT it talks, you may want a new wireless clothing line.
Just as baby boomers can’t remember a time without television, and their kids can’t remember a time without the Web, their grandchildren won’t remember a time when their lives weren’t governed by IoT from the time they wake until they go to sleep. Every doorknob, every bathroom mirror, toaster, microwave, vehicle, kitchen chair, bathroom tile will govern your daily existence, probably in concert with each other. But you don’t want them going after your neighbor, ratting on you, or killing you. It sounds extreme, but IoT devices need to be treated just like a laptop, if not like another human being who just might be looking at you funny.
Jeff Scheidel is a 32-year veteran of the software industry, with more than two decades in security. He is the author of the McGraw-Hill book entitled Designing an IAM Framework with Oracle Identity and Access Management Suite.