Keeping The Peace In The Internet Of Things

Internet of Things

When the Wright brothers made their famous pioneering flight in December 1903, did they have safety officer in attendance insisting on parachutes and shock absorbing landing gear? No, all the focus would have been on getting off the ground – and that was their triumph. Four years later safety became a concern, and it was not long after that safety and security became top priorities for the aviation industry.

That’s how it goes with technological innovation. The first burning issue will be “will it work?”, then comes the excitement about the opportunities technology innovations presents, and finally concern about misuse or exploitation. Internet of Things (IoT) devices are becoming more prevalent in our day to day lives, and with becoming mainstream focus is increasing on reducing security risks.

Specific IoT Challenges

For a start there is a straightforward risk of connecting any simple, low cost device into the Internet: whereas a PC is a relatively sophisticated endpoint with plenty of resources to host its own internal firewall and anti-malware systems, you cannot build expensive protection into a five dollar monitor. There is a lot of interest in a new generation of tiny low cost computers like Rasberry Pi to bridge that gap, but much of the security burden falls on the network itself that must be secured if we are going to get the full benefits of an IoT connecting millions of tiny sensors.

Next there is the challenge of complexity, when many different protocols share the same complex network. Choosing which type of wireless connection for an IoT device means balancing a number of factors such as data throughput, range of dispersion, endpoint battery life and latency, as well as the size and cost of the receiver. Each system has its own benefits and drawbacks. Cellular data is available almost everywhere, but uses a lot of battery power, relatively expensive hardware and on-going network charges.

WiFi is nearly everywhere in office buildings, uses relatively inexpensive hardware, but its password security provisioning would be unsuitable for, say, linking smart light bulbs. Bluetooth is even cheaper and offers long battery life, but operates over a very short range and would need a central access point to link back to the IoT network. Mesh networks are much more complex to set up, but do offer a highly resilient network solution. Inexpensive, low power wide area network (LPWAN) technologies such as Sigfox, LoRaWAN and Ingenu are ideal for low data traffic such as smart meters, but have little value for more sophisticated communications.

Companies developing IoT technologies and devices have core competency in these markets, but do not have the exposure or knowledge of the ever changing threat landscape. Testing the performance and security of mobile phones, for example, requires a deep understanding not only of the various mobile telephony technologies, but also of Bluetooth, Wi-Fi, GPS and the additional vulnerabilities of a handset operating simultaneously on all those different networks.

What Is At Risk

Criminal attacks come in two main flavours: theft and blackmail. The criminal can either steal money or data from a system, or can threaten to damage it unless paid a ransom. If the driver is terrorism or sabotage, instead of criminal gain, they can simply inflict that damage without any warning.

In the automotive industry connected cars embrace many facets of the IoT: from simply delivering Internet connectivity and GPS location to the vehicle, through monitoring the vehicle for optimum safe performance and anti-theft measures, to sophisticated accident avoidance or even driverless vehicle functions. Criminals have a choice of either hacking the system to steal the vehicle or its contents, or else to blackmail the manufacturer. GPS jammers are already being used to hide the location of stolen trucks, and remote locking systems have been hacked to enable car theft.

Such attacks are obvious, but represent just the tip of an iceberg. A connected car might allow the owner to restrict its speed to 100kph when his son is driving it, but the son could hack it and go racing, or his rival could set the speed threshold embarrassingly low. Then what about busy executives using the car’s Internet connection for a bank transfer – can they be sure that their transactions are every bit as secure as they would be on a home or office Internet?

Healthcare is especially vulnerable to the blackmail threat: one patient’s medical record might not have much value to the criminal, but the threat to upload all the medical records to the public Internet could demand a huge ransom from a private hospital. Or even simply to threaten to announce publicly that the trusted hospital system is far from secure. At least one large US hospital has already suffered such attacks.

Large industrial control systems are a very tempting target for blackmail. Tampering with such processes can not only lose money during the shutdown but also leave the whole system badly damaged – as when the Stuxnet worm destroyed a thousand centrifuges in Iran. And the sheer scale of utility networks makes them ideal for terrorist attacks that could disrupt electricity, water or communications across a vast area.

We have not included Finance in this hit list. Criminals have long been targeting financial systems as the most obvious way to steal money, While mobile banking apps and ATMs can be seen as forming an IoT, these end point apps and devices should be regularly tested for security issues . This is not the same as the more general IoT that will include millions of devices that were not historically designed to be connected, and have no inbuilt security against hacking.

Testing For Security

Testing an Internet or cloud is necessary because the system is too complex for anyone to analyse and predict every possible form of vulnerability or failure. Apart from the physical complexity of a large network, there are many different levels to analyse, beginning with the firmware and different operating systems on the network. Then there is a constantly evolving population of applications on the network, plus all the different protocol and security systems.

In a cellular network access security can be in the SIM card, where a passcode is needed for WiFi access, where Bluetooth can either use a password or pre-shared application key. Next there are specific security functions such as authentication of human or machine users, and determining what level of interaction they are authorised to have when accessing the network. Finally there are questions of physical security: are the endpoints and the actual network sufficiently rugged? Are they accessible to being tampered with?

A lot of thought will go into each of these aspects but, when it comes to determining the overall end-to-end security, there is only one way to know  and that is to test it. The network can be modelled accurately under laboratory conditions and tested exhaustively for functionality. Then it can be tested for performance to see if it works reliably under all normal operating conditions. It is also possible to monitor an operating network continuously for signs of trouble.

Then there is the question of how an IoT will perform under extreme or stress conditions. There are many obvious and less obvious ways these extremes can arise. Taking for example an IoT that connects intrusion alarm systems across a metropolitan district: typically these alarms use the local Wi-Fi to maintain connection with headquarters and only turn up a 3G connection if the Wi-Fi fails. So what impact will it have on the mobile network if there is a power cut across a whole district and thousands of alarm systems are simultaneously connecting to the mobile network? How might that briefly affect other systems on the network, let alone the actual alarm response?

It demands experience and in-depth understanding of the many factors involved to be able to anticipate such problems and recommend suitable tests, but we already have test solutions readily programmable to emulate every such situation. The tester does not have to build up realistic traffic scenarios parameter by parameter – though that is certainly possible. Instead the system can record real-life traffic data and then multiply it many times to emulate traffic storms – as when some emergency causes a surge in activity.

Independently, or at the same time as the performance is being tested, the network can be subjected to any number of known malware attacks – and if it is a cloud based test solution it will be kept up-to-date with the very latest malware. Some companies also have extensive experience of “fuzz testing”, where you are not just testing for known attacks but also borderline errors that can arise when wrong data is accidentally or deliberately injected into the system.

Conclusion

There are endless opportunities offered by connecting machines to machines via an Internet of Things, but we have a lot to learn about the risks that might arise from such a complex system – especially the risks posed by deliberate criminal intentions. Key areas that will need very careful and comprehensive security measures include the automotive industry, healthcare and industrial and utility control systems.

Although the IoT adds many new factors and combinations of risks, the basic techniques for testing complex, multi-protocol networks are already well established. Sophisticated test solutions are already available, and have long proven their ability to anticipate problems and ensure security under every normal and extreme operating condition. The learning curve may be steep, but with the help of penetration testing and security testing solutions there is considerable expertise available on the slope.

Sameer Dixit

Sameer Dixit is a leader in cyber security with over 15 years of experience in penetration testing and security research. At Spirent, Sameer is leading the ethical hacking and security research team called Spirent Security Labs. Prior to Spirent, Sameer has worked for leading security companies such as Trustwave-SpiderLabs and Cenzic. where he led the penetration testing, vulnerability scanning and managed security testing services team. Sameer has contributed research for OWASP, been quoted in various industry-leading security and business publications such as Security Week, Business Insider, ZDnet, SC Magazine, and more. Additionally, he has spoken at various Cyber Security Threat Summits, Universities, conducted webinars, and actively blogs on emerging Web & Mobile security trends.