Protecting the Security of Internet of Things Devices
By Edward J. Hawkins, II
In the last few years, the information technology (IT) industry has seen an explosion of devices using wireless technologies, some of which have challenged the security industry like never before. The lack of inherent security in the development of these devices has resulted in some big-name companies and banks being subject to massive distributed denial of service (DDoS) attacks because of the “always-on” connectivity of these products.
The use of these devices is not a bad thing, however. I currently wear a smartwatch and use a tablet and smartphone, all of which are considered a part of the Internet of Things (IoT).
Get started on your cybersecurity degree at American Military University.
What Is the Internet of Things, Exactly?
The Internet of Things is a simplified term for all the new electronic devices that utilize sensors and wireless protocols to collect and transmit usable data to an end-user. These include (but not are limited to) products such as:
- Cellular devices (not just phones these days)
- Smart home appliances
- Wearable technology
The Arduino and Raspberry Pi are two of many prototyping platforms that allow everyday users to create their own IoT devices. As great as these devices are, there is a critical feature that is being left out in favor of function: security.
Protecting Trusted Networks from Harm Caused by Use of IoT Devices
In February 2016, Steve Gibson of Gibson Research proposed a three-router configuration to isolate IoT devices from accessing the trusted network on the Security Now podcast. In August of that same year, Nicolae Crisan expanded on this idea in his own blog post that is dedicated to expanding on segmenting IoT devices away from a trusted network.
While this type of security solution is great and much needed, it only addresses IoT devices that are stationary, such as smart home devices and security systems. Unfortunately, this solution does not necessarily address devices that move between networks or utilize a personal area network (PAN).
These IoT devices need to be checked for a few things, such as default or hard-coded passwords. A hard-coded password may provide a backdoor to a computer system.
Ideally speaking, any IoT device, should have its documentation reviewed and every network communication analyzed prior to implementation. Default passwords also need to be changed to something that the implementer knows.
In addition, Media Access Control (MAC) addresses of the network card should be recorded and white-listed. White-listing involves only allowing authorized devices on a given network, making it easier to identify unauthorized IoT devices on a network.
Security Service Layers for IoT Devices Need to be Strengthened
Because security and functionality are diametrically opposed, it should be no surprise that in order to secure IoT devices so that they do not participate in global DDoS attacks, we need to build up the layers of security services in front of them. That would prevent attacks like those seen in recent history.
Security experts Brian Russell and Drew Van Duren noted in their 2016 book that “IoT security…is not the application of a single, static set of meta-security rules as they apply to networked devices and hosts.” For instance, it is hard to place a firewall in front of a pacemaker that remotely connects to a monitoring system via the Internet. It is due to these types of devices, referred to as cyber-physical systems (CPS), that cryptographic technologies need to be strong and configurable.
But security must be put into the forefront of those developing these systems. Every good security professional will tell you that it is cheaper to build in security than it is to bolt it on later.
The ultimate problem is that there is no long-term solution to the IoT security challenge. As Russell and Van Duren point out, “There will always be overt and concealed criminal activity; there will always be otherwise decent citizens who find themselves entangled in plots, financial messes, blackmail; there will always be accidents; there will always be profiteers and scammers willing to hurt and benefit from the misery of others.”
It is with this potential criminal activity in mind that implementers of these IoT devices and networks need to be very conscious of the security problems that these devices have on their intended environments. End users typically do not think of these problems until they are discussed in media outlets due to some breach or on social media networks due to some ethical revolt. As a result, security controls (cryptography or others) must be strong enough to protect all data in transit and must be easy enough for end users to implement.
Security Recommendations for IoT Devices
If you are an end-user of an IoT device, take time to learn about your creation or purchase and how to secure its communications. If you buy an IoT device, such as an activity tracker or smart home device, be sure you understand how to secure the stored data from public viewing. Often, the company that created the device will have a web guide you can consult.
Ideally, you do not want to give away your current location online. In January 2018, for instance, the media announced that Strava’s heatmap (displaying where fitness trackers were in use) showed military personnel in remote locations, which jeopardized their physical security. This type of threat is not limited to the military, but to anyone using these types of devices.
If you’re going on vacation or away on business, you do not want to tell the world that you are not going to be home. Instead, adjust your device’s settings.
While IoT devices may improve the efficiency of certain aspects of our lives, we still need to balance that efficiency with an appropriate level of security and risk management. But through greater end-user education, it will be easier to achieve these goals.