Locking down the Internet of Things

Features
By
published

Much has been made of the economic benefits of the Internet of Things, but at what cost to our security and privacy?

Keeping securely connected

The security problems IoT could cause is another area that needs to be more openly discussed, states Curran, because it could pave the way for remote attacks against individuals and businesses.

The problem stems from the fact not all connected devices were built with security in mind from the get go, according to the European Commission.

There is still no agreed protocol for access to public data when it comes to law enforcement agencies or other intelligence agencies, and there is a debate waiting to happen here.

"Information security, privacy and data protection should systematically be addressed at the design stage. Unfortunately, in many cases, they are added on later once the intended functionality is in place," the document states.

"This not only limits the effectiveness of the added-on information security and privacy measures, but is also less efficient in terms of the cost to implement them."

It is an area manufacturers are becoming more mindful off, claims Curran, but the devices they are trying to lock down sometimes lack the compute power needed to do this effectively.

"There is an international ISO/IEC 29192 standard which was devised to implement lightweight cryptography on constrained devices," he offered.

"There was a need for this as many IoT devices have a limited memory size, limited battery life along with restricted processor...and traditional heavy cryptography is difficult to deploy on a typical sensor hence the deployment of many insecure IoT devices."

Back door bad guys

Connected devices are often fitted with 'back doors' so manufacturers can easily monitor their activity and stop them carrying out particular functions. But these could easily be easily taken advantage of by hackers.

"Every server, router, switch, laptop, tablet and mobile has a back door in it," says former BT CTO Peter Cochrane, who now runs his own IT consultancy business.

"That is the reality of the threat. China has declared that all of the power meters they are manufacturing have got back doors in...so they can [remotely] monitor them and check they are working okay."

In some instances it might be in the manufacturer's best interests to maintain this access point into the product, depending on who it is being sold to.

"If you were a military manufacturer making missiles, for example, you always put a back door in so it can be remotely disabled just in case the friend or ally you sold it to become your enemy tomorrow," he explains.

Remote attacks

Security experts often cite medical devices as examples of connected devices with back doors that could be remotely exploited with devastating consequences.

"There is a pacemaker on the market today, with a wireless interface, that is being fitted to people and somebody has hacked that wireless interface and it has a back door. If I had the knowledge, I could sit in Starbucks killing people as they walk past. It's that severe," says Ciseco's Hodkinson.

"The risk to life of having proprietary security systems is that people don't have the resource to test them in the real world against three billion people."

The 12.1 million smart utility meter deployment project, which will see 53 million connected devices installed in homes and businesses across the UK between 2015 and 2020, could also put households at greater risk of attack in several ways.

Firstly, there is the fact the meters will be monitoring people's electricity consumption, which as in Hodkinson's fridge example from earlier is information that could be of interest to burglars.

"On a larger scale, however, there is a threat whereby smart meters that are connected to smart grids could be attacked leading to complete failure of the system," explains Curran.

"It is an ideal attack vector for rogue nations or terrorist organisations as once the electricity is cut-off, then pretty much every aspect of life in that region is affected."

While it might sound almost fanciful, smart meter attacks are a very real and credible threat, stresses Curran.

"We do know the Chinese authorities have done extensive reconnaissance of Western energy networks, so it is very possible that a nation state might launch such an attack during a time of international tension," he claims.

"If an attacker were to compromise such a critical infrastructure and send commands to multiple meters to stop or modify charging, then the public backlash would be significant. Because when people are left without power, people die."

Caroline Donnelly
Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.