The Security of Things, or Avoiding the Internet of Stings

In the rush to capture the public’s imagination and steal a march on their competitors, companies are keen to unveil their latest shiny contribution to the Internet of Things (IoT). Are consumers in danger of being stung as cybersecurity is neglected at a time when it is most needed?

“Security by Design” has long been a byword for good practice in cybersecurity. When building solutions, often consisting of integrated IT systems, the principle of creating a security architecture to support business objectives, based on the security requirements derived from the rigorous assessment of threats and vulnerabilities, will ensure you bake in a proportionate level of security from the very early stages. This in turn delivers solutions that are intrinsically more robust against attack. Experts recognise it as vital for Critical National Infrastructure, but what of emerging technologies?

The Internet of Things (IoT) is all around us, and growing daily. Technology that connects everyday devices to the wider world; from rail signalling to bus tracking, monitoring the health of aircraft engines to monitoring your health and wellbeing, not to mention the increasing number of devices in your home - your TV, your air-conditioning, your baby monitor, to name but a few. In his paper, Graham Patterson points to it being the next big thing after Big Data, and should be an essential part of any organisation’s Technology Strategy. However, it is not always clear that solid cybersecurity goes hand in hand with this strategy, and whether the IoT is in danger of becoming the Internet of Stings, with consumers at risk from cyber-attacks across a number of fronts.

To illustrate this, we can consider three constituents of the IoT, and how the early evidence of their security controls are being reported.

The first are the Smart Meters that will find their way into all UK homes over the coming years, allowing energy suppliers to take meter readings remotely and consumers to gain valuable insight into their energy usage. ASE has a lot of experience with smart metering technology in the UK, and with its security model in particular. Some consumers will already have early Smart Meters (SMETS1) installed, enabling energy suppliers to understand and get a foothold in the market. The mass Government-led Smart Meter programme (SMETS2), due to come online later in 2016, has Security by Design as a core principle, has the benefit of being able to learn from SMETS1 rollouts, and uses robust open standards for cryptography, the details of which are published. The result will be a solution underpinned by a design which makes the theft of personal data, fraud and other malicious activity much harder to achieve.

It makes you wonder if the same will be said of our second example; wearables. The most notable of these - the smartwatch - is busy trying to carve its place in the market, and demonstrates that the ability to get to market quickly is a major factor for the manufacturers of these devices. They provide a convenient way to access some of your smartphone functions, and can give you daily health statistics, but does a Security by Design ethos sit at the heart of the smartwatch? Early evidence, such as HP's research paper, demonstrate that concerns exist. Drawing on the OWASP IoT Top Ten Project, the paper reports that of the ten smartwatches tested, all possess vulnerabilities leaving them open to cyber-attack. It is not clear which smartwatches were included in the test, and whether HP’s own offering was one of them, but some of the weaknesses uncovered (including poor user authentication and transport encryption) suggest that an end-to-end view of their security may be limited at present. The attack space has been broadened by the need to pair the smartwatch with the smartphone in order to maximise functionality, and if this is at the expense of even basic security controls such as robust transport encryption, then it is only a matter of time before reports of malicious attacks, and the loss of personal data from smartwatches, materialise.

Connected cars are our third example, and long before they become driverless, are already subject to reports concerning their security flaws. The ability to hack them and remotely control essential systems like steering and brakes were widely reported, but good cybersecurity practice seems to be equally missing from rectifying the vulnerability, with USB sticks containing the patch being issued to affected users through the postal service! Even established automotive security systems such as the immobiliser, which one might assume by their nature to be robust, are shown to be vulnerable. None of this seems to point to a rigorous treatment of security risks into a robust security architecture.

Each vulnerability in the IoT is an attack vector to be exploited, and each successful exploitation will sting consumers. Some may be little more than an irritation, but some will have a damaging impact on that most fickle of things; consumer confidence. For example, few will willingly climb into a car that could at any time be controlled by someone remotely.

Obviously, this can and should be avoided. I have focussed on Security by Design as a benchmark, but there are other protections that fall out of this, such as Defence in Depth and the use of strong recognised crypto-algorithms to name but two. The adoption of any of these need not adversely impact usability, and need not push delivery dates to the right. Good security and speed to market are not mutually exclusive. Security by Design works when it is intrinsic to the overall design, with security architects engaged at all stages of the process. It leads to a much better solution compared to when the controls are added as an after-thought, as a bolt-on. Without good security practices, we run the risk of being repeatedly stung by the IoT. With them, we can savour the sweetness of its honey.

(and with that, I think I’ve stretched the metaphor too far - so I’ll stop!)