The Internet of Things (IoT) or the Internet of Everything (IoE) is coming. Ok, so it's already here. A snowball rolling down a slope gaining momentum and size, IoT is dominating trade show floors and executive agendas. As the world smiles while dreaming of high availability cloud based "smart devices" we as security professionals shudder at the thought of privilege escalation and man in the middle attacks. It's our job to ensure digital user identity, to secure the internet of things.
The term "things" is so subjective. Applications, home security systems, heating and cooling systems, robots, medical, automobiles, and anything else that today’s tech engineers can WiFi enable are added to the swelling list of "things." It’s big business. It's a lot of money to be made. Today’s generation welcomes it, more like demands it. I say again how are we to: secure it? Protect users, maintain trust while increasing user experience and convenience allowing consumer based IoT markets to surge.
Securing the IoT is not an easy proposition. How do you limit access? Who can set, start or stop the IoT enabled devices? These are serious questions. Most people today don’t secure the devices they have. Let’s face it, most people have no clue that their devices are internet enabled. They just take it for granted that their TVs can stream. They can control the thermostat from anywhere. Monitor the house (including unlocking the doors) from around the world. An interloper would love to get in the middle of this "secure" transaction, and could easily do so.
People today post their everyday lives on Instagram, Facebook, Twitter, and other social media sites. This lets strangers know when and where you are. If your home is connected to the internet, you might as well leave the doors and windows open and hang a welcome sign out front.
Businesses today spend a great deal of money to secure their enterprise. Firewalls, monitors, cryptology, and a lot of manpower. However, the everyday person has no clue what to do and will be open to scams.
So what can we do to secure the IoT? Unfortunately, but expectedly, a ready answer does not exist...yet.
Anytime that a wireless network is setup, it needs to be protected with some type of password. Not a password like “123456” or “password." It needs to be truly random and at least 16 characters, 32 would be better. That is just the entry point into the system.
BUT, you ask, what about the devices I attach to my network? How to I keep a hacker from altering my thermostat, or opening my front door? The easy answer is, do not connect them to the internet.
Of course, that is not going to happen. A few "answers" include securing these consumer devices with passwords that need to be entered when connecting to them, limiting the devices that can connect to them by having a whitelist, or using digital certificates.
None of these are the end all. The simplest is a password. But then again it has to be a secure, complex password that is changed in a timely manner. A whitelist is good, but keeping it up to date is a forgettable task. Digital certificates are even better, but who issues them and keeping them up to date could cause access issues. More on this later.
In 2009, an animated movie called called G-Force was released. It was a story about a company that put IoE enablement (at that time IoE was not even born) into home appliances. It was funny. Four Guinea pigs and a mole (yes a mole who turned out to be the hacker from within the organization) saved the world from the monster created by the IoE enabled devices. Can this actually happen? The answer is yes it can, *insert evil mole laugh.*
There is no easy answer. Working in networking for 40 years since the beginning of the internet, and PKI for 20 years, the idea of using digital certificates is my top recommendation. How this will be implemented, that would be for a later blog. But we have to start thinking of this now. It’s already too late, but better late than never.
I don’t want a monster in my house. I’m tech savvy enough to implement at least enough security to slow down the hackers. I did not say stop the hackers. There is no current way to stop them. I take that back, the only way to stop them is to not connect devices to the internet. I don’t want people opening my doors, taking over my car, or taking over my life (extreme but possible).
Stay tuned. This is just the beginning. I will continue this topic in the next blog on securing the IoE with certificates.