How would it feel if the car you are driving in the middle of a busy road suddenly developed a mind of its own, refusing to obey your commands or even shutting down?
Independent security researchers did just that recently in a controlled experiment, remotely taking control of the brakes, steering, air conditioning, transmission, radio and even the windscreen wipers. The hack, carried out over the Internet, exploited vulnerabilities in the computerized control systems built into modern vehicles.
After the hack was publicized, the manufacturer had to recall about 1.4 million vehicles.
But it’s not only cars from a particular manufacturer that are at risk.
As the Internet of Things stops being a fad, with Gartner estimating that there will be around 26 billion connected devices by 2020, security worries are increasingly taking center stage.
And while we may not all be driving computer-enhanced cars anytime soon, we will increasingly start to buy smart televisions, health monitors, smart watches, smart refrigerators, home sensors, activity trackers and so on, all of which can collect and exchange data.
For companies, not having an internet-enabled product can put them at a competitive disadvantage. However, it’s not only big manufacturers that are building such products: small businesses and startups are also in the game of embedded and connected devices.
The implications of unsecured IoT
Traditional cyber security worked on a moat-around-the-castle principle. Critical data was stored in a centralized location that could be secured against malicious attackers. While this was not foolproof, with enough precautions the job of attackers could be made harder and more painstaking.
With IoT this model has flipped. Data is no longer in one place; instead it’s distributed. Because customers value usability, manufacturers might be tempted to cut corners on security measures like encryption, allowing hackers easy access to sensitive data.
One of the biggest problems with IoT security is that the data that resides on consumer devices is actually critical data. Many devices favor usability over security, which makes them vulnerable to malicious attacks. These stats tell a sobering tale:
- A study by HP Research has found that 70% of IoT devices have at least one security flaw.
- According to IDC, 90% of networks will have an IoT-related security breach within two years. With the average consolidated total cost of a data breach at $3.8 million, according to IBM-backed research, there are real financial consequences to lax IoT security.
Building secure IoT devices
Whether you are a startup designing a crowdfunded wearable device or an auto manufacturer putting computers in cars, some basic principles for IoT security never change.
- Building security from the ground up
In the case of software, you could retroactively write security code for a finished product in such a way that its functionality does not break. This is near impossible for physical devices, where security has to cover hardware aspects as well.
Besides, as security considerations influence all major design decisions (like the choice of chips) and the features of a product (which third-party devices can be accessed), designers and manufacturers need to spend time on security during the specifications stage itself.
- Understanding the flow of information
For IoT to work, connectivity has to be paramount. However, as complex systems exchange data through multiple connections, there is always the risk of unmonitored backdoors which can let malicious attackers in. Designers need to perform repeated security audits so that they understand the information pathways thoroughly enough to secure them.
- Focusing on multilayer security
Plaintext is the enemy of security. If your connected device has to be secure, you need to design it such that all sensitive data residing on the device is encrypted. This is called Application Layer Security. But the story does not end here. Designers must also ensure that data transfers from device to device are secured using Transport Layer Security protocols.
In the near future, IoT will be less visible and more personal, with researchers working on prototypes for smart fabrics and drug-dispensing implants.
These devices will solve a host of problems, but unless they are secured, a malicious hack won’t just mean that you are locked out of your email or Netflix account. In an IoT world a malicious attack could literally kill you.