By Jeffrey T. Fowler, Ph.D.
Assistant Professor, School of Security and Global Studies at American Military University
The Internet of Things (IoT) refers to “smart” electronic sensors and chips that are embedded in devices, apps and in the physical things and spaces around us. They are designed to “talk” to one another via data transfer.
In 2015, there were approximately 10 billion IoT devices in use worldwide. That number is predicted to rise to 24 billion by 2020. Like the personal computer and the smartphone before them, IoT is changing the way business and life are conducted.
IoT devices generate a common language that is transmitted to an IoT platform. The platform applies analytical principles to disseminate the data to their appropriate locations. For example, a vehicle could link to parking lots in a city and help the vehicle owner determine where is the best place to park. A thermostat in our homes could determine the optimal temperature/cost ratio based on our historical preferences and adjust the temperature accordingly.
How Secure Is Data Transmission from One IoT Product to Another?
Ideally, data transmitted through IoT devices will be secure from query to response. But has our ability to collect data outpaced our ability to protect it? Will an IoT system actually be secure and, if so, to what degree?
The October 2016 distributed denial-of-service (DDoS) attack on Dyn servers that brought down many popular U.S. websites was powered in part by about a half million IoT devices infected by Mirai (Japanese for “the future”) malware. In effect, the hack created a massive botnet.
Unfortunately, in its current state of development, IoT devices provide hackers with endless opportunities. Recently, Amazon’s popular Echo smart loudspeaker came in for public criticism because hackers could potentially use it as an “always on” listening device.
What Are the IoT Threats that Currently Exist?
Known IoT threats include data collection, data authentication, side-channel attacks and hardware concerns. These potential threats are the result of unpredictable attack vectors, lack of IoT security expertise, complex connections and multiple physical access points that increase vulnerability.
A major issue is that most IoT-enabled devices were not designed with security in mind. Hackers carefully consider the IoT device itself, how it communicates and the “master of devices” that controls them.
The Data Collection Threat
Why is an IoT device of interest to a hacker? The simple answer is that the device provides a gateway into your computer system.
For example, consider an IoT-enabled security camera in your home. If a hacker could access your camera, he or she could assess your home, identify your movements and determine the likely avenues of entry into your home.
I recently attended a cloud security summit hosted by Alert-Logic. One of the analysts described an experiment in which he found a security camera in a zoo in China and easily hacked into it. He did this hack to demonstrate how easily it could be done.
A solution to this problem is to use the Secure Socket Layer (SSL) protocol. SSL means that when you’re connected to the Web via wireless technology, your data is encrypted.
The Data Authentication Threat
Even with encryption, an IoT device is subject to hacking because the data cannot be authenticated. For example, an IoT-enabled closed circuit television (CCTV) security camera in your home could still be hacked and told to stop scanning a specific area, allowing an unseen intruder to have unauthorized entry and egress.
The telecommunication industry has achieved a measure of data authentication security across many devices using mutual authentication and “secret” credentials. This solution should be extended to the IoT. Using a Virtual Private Network (VPN) designed for IoT devices is also an option.
The Side-Channel Attack Threats
IoT devices emit power usage, electromagnetic and acoustic emissions known as “side-channel” effects. A savvy hacker can monitor these emissions and identify an encryption key when the owner uses the device.
“In a side channel attack, the intruder eavesdrops on the device’s side channel emissions and takes note when an encryption key is used to access the device. This tiny amount of information can then be used to, in effect, duplicate the key,” security commentator and journalist Byron Acohido explains in the online magazine Third Certainty.
Moreover, the hacker does not have to engage in mathematical calculations to discern the encryption key. An inexpensive device can extract the encryption key within minutes. The device extracts a series of random numbers from a shared wireless connection between the two legitimate parties.
Also, the side-channel attack includes the hacker’s distance from the device. For a Wi-Fi connection, the hacker would have to be within 6.25 centimeters of the IoT-enabled device to identify and extract an encryption key when attempting to hack the device.
Hardware security requires a line of trust from the manufacturer to the end user. The internal board on which the device is running must be authentic and the supply chain back to the manufacturer must also be secure. For example, a typical line of trust is one where the encryption keys and other essential and highly sensitive data are stored, reaching from the manufacturer to the individual devices.
The main security problem with IoT devices is that third-party subcontractors build so many of our electronic products. Often, these devices are built in foreign countries.
One solution would be an IoT device that has the capability of key storage. The manufacturer could use the bitstream of firmware to ensure only a particular key is validated. This is a simplified explanation because the device would also have to contain internal licensed differential power analysis (DPA) countermeasures for this solution to work effectively.
Legislation Regarding IoT Security Is Pending
Bipartisan legislation on IoT security reflects congressional acceptance of what cybersecurity experts have said for a long time – that IoT is not adequately secured and its growth is phenomenal.
The regulatory framework for IoT is not well-defined. Agencies responsible for pieces of the IoT infrastructure include the Federal Communication Commission (FCC) and the Federal Trade Commission (FTC). Both of these agencies have urged manufacturers to voluntarily add enhanced security features to their products due to liability concerns.
The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 is an attempt to address this security challenge. If it becomes law, the bill will establish minimum security standards for Internet-connected devices purchased by the federal government. It will also provide liability protection for researchers who identify security vulnerabilities in those purchased devices.
IoT Is Here and It Is Growing
What we know at this point is that IoT is here and is growing rapidly. It is an immense market opportunity that totals approximately $19 trillion. We also know that our ability to connect devices and collect data has outstripped our ability to secure the data.
These factors suggest an immense market opportunity for security services providers because IoT poses immense personal risk to our electronic data. Until we solve this massive security problem, our data will continue to be exposed and at risk.
About the Author
Jeffrey T. Fowler, Ph.D., is an Assistant Professor in the School of Security and Global Studies at American Military University. He holds a B.A. in law enforcement from Marshall University, an M.A. in military history from Vermont College of Norwich University and a Ph.D. in business administration with a concentration in criminal justice from Northcentral University. Jeffrey is also a published author, a former New York deputy sheriff and a retired Army Captain, having served over 20 years in the U.S. Army.