Facing up to the IoT security threat

The recent Mirai botnet DDoS attack in October 2016 orchestrated through Internet of Things (IoT) devices such as digital cameras and DVR players showed just how vulnerable the Internet and organisations are to attack via IoT applications.

Meeting not long before the attack, the Cambridge Wireless IoT Security SIG discussed the threat under the title of: Don’t panic about IoT security, new technology will sort it out? Tim Phipps of Solarflare, one of the CW IoT Security SIG champions, set the scene by pointing out the nature of the problem, which he summed up as:

- Larger scale of data collection than we have seen before

- New technology coming to market from an emergent supply chain, which is immature and small scale

- Hundreds of poorly secured consumer IoT products.

‘IoT will be integral to home life, transport, payments and health,’ Phipps observed. ‘It is essential to life and is therefore a large target.’ He outlined the top three security challenges as: data loss (eg. credit card details); hijacking (of cars, or Iran’s nuclear programme); and consumer IoT linked products that are not secure, because they are designed to be fun and easy to use.

Paul Tindall, of Sepura and a CW IoT Security SIG champion, added: ‘This is a Wild West industry; we have little control over these devices. There’s now a number of air interfaces for IoT and many standards, so it is deeply fragmented and that makes security harder to deploy.’ 

On top of that, he pointed out that there are other related issues that need addressing, such as: who owns the data; are the current legal frameworks relating to data fit for purpose for IoT; what is the role of regulators and where is the balance, as over-regulation stifles and under-regulation kills?

‘What could possibly go wrong?’

Adrian Winckles, Cyber Lead at Anglia Ruskin University and Open Web Application Security Project (OWASP) Cambridge Chapter Leader, outlined some of the key things organisations need to be aware of and deal with.

OWASP is a not-for-profit group whose mission is to build security into the software development process by explaining to developers, designers, architects and business owners the risks associated with the most dangerous Web application security flaws and recommending ways of dealing with them.

Winckles explained that it is important for enterprises and organisations to have security high on the agenda in the boardroom, and stressed that IoT security is not just device security, but end-to-end security, including: the connectivity solution; data storage areas; and the multiple interfaces relating to the application.

OWASP has identified 16 IoT attack surface areas. To defend these areas IoT users need to deploy: intrusion detection and intrusion prevention; end point protection; security incident event management; VPNs; anti-virus software; back end encryption; and SSL on everything (IPSec, etc).

But he pointed out that all of this is just for the infrastructure layers. According to Gartner, 75% of security breaches happen at the application layer, not the network layer. National Institute of Standards and Technology (NIST) in the US agrees – 92% of vulnerabilities are in the app layer, not the network. NIST also estimates that the cost of fixing a bug in the field averages at $30,000 vs. $5,000 during coding.

‘The trend is towards vulnerabilities in the software, which could be at the sensor level, mobile app, hub or cloud back end,’ said Winckles. He believes that security vulnerabilities too often get into IoT apps because developers do not have time to test their products adequately, as they are pressured by management to get products to market fast. 

In Winckles’ view, developers need to be taught secure coding practices and when it comes to testing an IoT application they need to test not just the functionality and user experience of the app, but its security too. ‘If they are using third-party products they need to sanitise them; use a white box, not just last-minute black box testing,’ he urged.

The business case for security

Laurence Kalman, a commercial & technology and data protection specialist lawyer at legal firm Olswang, which hosted the event, observed that data privacy and security is foremost in clients’ minds at the moment 

He noted that less than 1% of objects are currently connected to the internet. The EU had around 1.8 million IoT connections in 2013, but this is predicted to rise to nearly six million in 2020.

He identified some of the key legal issues around IoT, including: access to bandwidth and net neutrality; liability for damage caused by IoT products/services; automated contracts; interoperability of IoT devices/systems; privacy; security; personal data + other data (cars, etc.) 

He observed: ‘The success of IoT will come down to user level of confidence in the use of their data – trust in other words.’ Turning to the IoT regulatory environment with particular reference to the EU, Kalman explained that there are no tailor-made regulations yet, but the area is attracting significant focus from regulators.

The general thrust of that focus seems to be one of advocating a ‘human-centred’ approach to IoT to ensure that users trust that their data is being properly used. However, he noted that data ownership issues may lead to obstacles in accessing data. Public services may come to rely on access to data that is privately owned, so should access be guaranteed by law?

He added: ‘Not every piece of data will have obvious ownership rights attached to it immediately: so who has access? Who has rights to use that data in certain ways? What arrangements have stakeholders put in place? What privacy rights does the individual whose data is being collected have?’

For IoT to be successful there needs to be a strengthening of trust, in security and of end-to-end personal data protection, but Kalman said that we still have some way to go in sorting these things out.

Kalman summed up by saying that IoT is a question of trust, and offered some key recommendations including:

- Carrying out privacy impact assessments – before launching any new apps

- Delete raw data as soon as the required data has been extracted

- Apply principles of privacy by design and privacy by default

- Empowerment is key: users must be able to exercise their rights and be ‘in control’.

Can technology solve the IoT security problem?

Max Heinemeyer, senior cyber security analyst at Cambridge-based cyber security firm Darktrace, attempted to answer the core question of whether new technology can solve the IoT cyber security issue.

‘It is very hard to keep up to date with security, and now there are millions of devices,’ said Heinemeyer. In the view of Darktrace, traditional cyber defence solutions are no longer enough. The problem is that defences are always one step behind the hackers.

Darktrace advocates a different approach, which aims to move at the same speed as the threat, by automatically learning from an organisation’s on-going activity in real time to detect threat behaviours as they emerge.

The company’s core product, the Enterprise Immune System (EIS), is based on unsupervised machine learning and probabilistic mathematics, which detects subtle indicators of compromise and threatening behaviours that bypass traditional security tools, even when those behaviours are new, complex and constantly changing.

Using machine learning algorithms, the EIS passively forms an evolving understanding of an organisation’s ‘pattern of life’ or ‘self’ without disrupting business operations, spotting very subtle changes in behaviours, as they occur. It works by analysing raw network data, creating unique behavioural models for every user and device, and for the relationships between them. 

These behavioural changes are correlated and filtered, in order to detect emerging threats. ‘What it does is pick up anomalies,’ explained Heinemeyer. The system provides instant visibility into all network activity, notifying of in-progress attacks. 

For example, a CCTV camera should only connect to one place. Darktrace’s software can detect if the camera has been hacked by seeing it is connected to an IP address not normally associated with the organisation and as that is an anomaly, it sends an alert. 

‘The point is to let the machines do the heavy lifting,’ said Heinemeyer. ‘You need machine learning technology to narrow down the noise by leveraging AI in the shape of matching learning, reinforcement learning, deep learning and neural networks.’

Heinemeyer concluded: ‘Will the new era of technology solve all of our problems? No, but it helps.’

The role of government and regulation in IoT

Derek McAuley, Professor of Digital Economy in the School of Computer Science at the University of Nottingham and Director of Horizon, gave an overview of the current regulatory environment. 

McAuley’s key message was that many IoT applications will be covered by consumer protection regulations already. Anyone wanting to put an IoT product on the market needs to check if they meet the existing regulations that apply to their sector, business or service offering.

For example, if you want to operate in the healthcare sector and gain access to NHS funding, you have to comply with the existing NHS Information Governance regulations.

As a warning to the unwary, he cited the example of an automatic garage door opener using GPS linked to a smartphone. In the US, some 400 children have been killed by garage doors over 20 years. As a result there is a Safety Standard for Automatic Residential Garage Door Operators. So, even something as arcane as an automatic garage door opener can be covered by specialist regulation.

‘Don’t walk blindly down the path that thinks because this is new technology we get an open pass,’ said McAuley. ‘There will be regulations somewhere and that means possible litigation if you get something wrong.’

Image Credit: Wright Studio / Shutterstock

• What is IoT 2.0?