The Dark Side of the Internet of Things

Get access to the new Intel® IoT Developer Kit, a complete hardware and software solution that allows developers to create exciting new solutions with the Intel® Galileo and Intel® Edison boards. Visit the Intel® Developer Zone for IoT.

Most of us are keenly aware of the potential and promise of the Internet of Things (IoT). It’s easy to visualize a bright future arising from the many advantages of linking cars, shipping containers, office buildings, factories, refrigerators, cooking devices, health monitors, thermostats, and other things to a vast repository in the cloud where intelligence extracted from Big Data can inform our actions and enhance our lives. In the enthusiasm to embrace IoT technology, however, ongoing privacy issues and security threats are sometimes going unnoticed. These issues are gaining more attention, highlighting concerns that should be factored into planning, development projects, and broader IoT implementations.

IoT as a Spy Tool

In recent testimony before the Senate Armed Service Committee. The Director of National Intelligence James Clapper raised the issue of threats to global security posed by governments using the IoT as a spy tool.

Clapper said, "Smart devices incorporated into the electric grid, vehicles—including autonomous vehicles—and household appliances are improving efficiency, energy conservation, and convenience. However, security industry analysts have demonstrated that many of these new systems can threaten data privacy, data integrity, or continuity of services. In the future, intelligence services might use the loT for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials."

So, as architects, developers, and builders of IoT devices and infrastructures, how do we best respond to this implied threat? Put security first may be the watchword in IoT development in the months to come.

The Magnitude of the Threat

By introducing IoT sensors and devices into a vast global network—integrated with healthcare equipment, the smart grid, aviation systems, industrial control systems, government institutions, and so on—hackers have a potential avenue to escalate their efforts beyond stealing money and shutting down websites to impacting vital infrastructures, causing large-scale system failures and massive destruction. We’ve not yet seen broad scale breaches only because the IoT has not yet reached a stage where hackers have the incentive to target it, according to Robin Duke-Woolley, CEO of Beecham Research.

Quoted in an IoT University article, Duke-Woolley said, "Security in the Internet of Things is significantly more complex than existing M2M applications or traditional enterprise networks. Data must be protected within the system, in transit or at rest and significant evolution is required in the identification, authentication and authorization of devices and people. We must also recognize that some devices in the field will certainly be compromised or simply fail; so there needs to be an efficient method of secure remote remediation – yet another challenge if the IoT is to live up to expectations."

An IoT Security Threat Map developed by Beecham Research details the pathways for intrusion, application hijacking, authentication vulnerabilities, and identity theft.

Getting Ahead on IoT Security

Each major advance in computer technology has stimulated a re-examination of fundamental security provisions, from mainframe to client/server, to mobile devices, to the cloud. And, typically, establishing effective IT security provisions lags a bit behind these advances. The scale and scope of IoT with the prospect of unprecedented numbers and types of devices suddenly exchanging data in real time with event-driven applications and a mix of protocols raises the vulnerability threat considerably. Rather than relying on layered security protections—device-by-device—as has been done with smartphones and many mobile devices, enterprises may increasingly turn to consolidating protection at the gateway level. With IoT, we have the opportunity to establish a framework of deployment practices and address security protections early in the development process, rather than after vulnerabilities begin causing havoc.

In an article for InformationWeek, technology reporter Jai Vijayan suggested these measures for confronting IoT security risks:

1. Bake security into IoT applications from the start: IoT amplifies security vulnerabilities because of its interconnected nature; plan up front to deal with these vulnerabilities.

2. Identify risks: Identify critical IoT vulnerabilities, including web interface authentication, insufficient security configurability, poor physical controls, and lack of transport encryption security.

3. Segment networks: Keep IT networks properly segmented to avoid one security issue leading to other network problems.

4. Implement a layered security system: Deploy multi-layered controls to mitigate threats. Move beyond traditional controls, such as firewalls, intrusion detection systems, and anti-virus tools.

What is your take on IoT security?

Login to leave a comment below. If you are not registered go to the Intel® Developer Zone to sign up.

To learn about Intel's IoT technology go to A Fast, Flexible, And Scalable Path To Commercial Iot Solutions.

Footnotes

1. Kravets, David. 2016. Internet of Things to be used as spy tool by governments: US intel chief. Arstechnica. http://arstechnica.com/tech-policy/2016/02/us-intelligence-chief-says-iot-climate-change-add-to-global-instability/.
2. Skeldon, Paul. 2016. ‘IoT Threat Map’ reveals extent of security challenges facing the Internet of Things. IoT University. https://www.iotuniversity.com/2016/02/iot-threat-map-reveals-extent-of-security-challenges-facing-the-internet-of-things/.
3. Vijayan, Jai. 2015. 5 Ways to Prepare for IoT Security Risks. InformationWeek. http://www.darkreading.com/endpoint/5-ways-to-prepare-for-iot-security-risks/d/d-id/1319215.