We all know that hacking is on the rise. But the Internet of Things – the growth of connected devices – provides many more ways for hackers to enter data networks.
In 2013, attackers introduced malicious software into networked refrigerators to dispense spam messages. Medical devices such as pacemakers can be hacked from 30 feet away. Baby monitor sound and video have been hijacked.
New cars are now networks on wheels; hackers can access speedometers, acceleration, cruise control, braking and on-board navigation. Infotainment centers are an easy access point. In 2015, Chrysler had to recall 1.4 million vehicles for a bug fixes because their jeeps could be hacked over the Internet through a cell-phone connection, including brakes and acceleration.
In the famous Target data breach in 2014, where more than 110 million customers were affected, hackers attacked by way of the company’s HVAC (heating, ventilation, and air conditioning) system. The HVAC system was connected to the internet, and the passwords the vendor used to monitor the system were stolen. These same passwords gave hackers network access to the retailer’s point-of-sale machines. They then installed malicious software that captured credit card data as customers checked out.
Smart TVs are really just computers connected to your home network 24×7 (even in standby, they are running) and have been shown on many occasions to be an effective vector of attack into the home. Medical devices are increasingly software-driven and network-connected, providing yet another avenue for malicious behavior (several attacks on hospital networks have been shown to originate through external access to a low-level device; an electrocardiogram, for example).
The Internet of Things (IoT) consists of three basic components: Edge Nodes, Gateways, and the Cloud. We’ll also discuss mobile-specific considerations. When you are developing an IoT application, these are the issues you need to address with your developers.
IoT Edge Node Security
Edge nodes are typically sensors of some type, measuring things such as temperature, humidity, vibration and light. Edge nodes typically have some local processing functionality and a microcontroller. They are connected to a gateway or the cloud, via wireless or wired connectivity (usually wireless).
Questions you’ll want to ask your developers about security of the edge nodes:
- Are communications encrypted?
- Is storage encrypted?
- How is logging performed?
- Is there an updating mechanism? How secure is it?
- Are there default passwords (which could be easily guessed and hacked)?
- What are the offline / physical security features?
- Is transitive ownership addressed?
Edge nodes are classic “embedded devices.” Their nature as a software-driven device connected to a network may not be immediately obvious. It’s easy to forget that a simple sensor or other innocuous device can be used as a stepping-stone into the enterprise network. Even the smallest of windows on a bank has a lock on it.
IoT Gateway Security
Larger networks of devices may include gateways to integrate and aggregate the data flowing in from a number of Edge Nodes (perhaps hundreds). In such an architecture the devices themselves may not be exposed to the internet, but the gateway almost certainly is. The gateway then presents a double threat: it can he used as a vector into the larger network, and it can also be used to get at the connected sensors. If the goal of an attacker is to steal raw sensor data (it’s easy to conceive of applications where such data would be of value to an attacker), then the gateway is a tempting target.
Questions to ask your developers:
- Are there replay and denial of service defensive capabilities?
- Is there local storage? Is it encrypted?
- Is there anomaly detection capability?
- Is there logging and alerting?
IoT Cloud Security
Eventually, all of the data coming from edge nodes ends up at a server in the cloud, to be processed and analyzed.
Questions to ask your developers about the security of cloud connections and interactions:
- Is there a secure web interface?
- Is there data classification and segregation?
- Is there security event reporting?
- How are 3rd party components tracked and updated?
- Is there an audit capability?
- Is there interface segregation?
- Is there complex, multifactor authentication allowed?
IoT Mobile Security
It’s quite common for the edge node to be accessed via a mobile device. To take a simple example, imagine a homeowner checking or modifying the temperature of the house from another location via a smartphone. There are security issues here as well. More than 5 billion downloaded Android apps are vulnerable to remote attacks.
Most cellphone malware is “adnoyance,” but can be used to carry other payloads to gain access to an enterprise. Thumb drives can also be a problem; the 2008 attack on the US Department of Defense took 14 months to clean up. Infiltrated laptops can also be an issue, as Morgan Stanley discovered when an advisor downloaded information on 350,000 clients on to his unsecured laptop. [Source: http://www.cnbc.com/id/102462850]
Questions to ask your developers:
- What countermeasures are in place for theft or loss of the mobile device?
- Does the mobile authentication degrade other component security?
- Is local storage done securely?
- Is there an audit trail of mobile interactions?
- Can mobile be used to enhance authentication for other components?
Another aspect of security may have nothing to do with a hacker attempting to steal customer credit card numbers or other information. It might, in fact, be more of a competitive nature. What kind of information might you be transmitting that could hurt your company if it fell into a competitor’s hands? Information about how many units you’ve sold, where you’ve sold them, how much you charged, that kind of thing.
Security must be viewed in terms of its severity, a concept that security experts have focused on for years. A heater failing to work in a car is less critical than a malfunctioning air bag. A temperature sensor sending temperature data back to the cloud is less important than one that sends data about whether there is someone in your house or not.
For more information on application development, please download a guide for CEOs about creating great software from Applied Visions today.