We at The State of Security have explored all the ways people can strengthen their security online in acknowledgement of National Cyber Security Awareness Month (NCSAM) 2016. We kicked off the public awareness campaign by providing tips on how users can protect their passwords, as well as defend against ransomware and other common IT security threats.
Next, our focus shifted to the workplace, where we discussed how organizations can encourage their employees to contribute to a dynamic security culture. We then plunged into the dark web to explain what steps users can take to protect themselves against computer crime.
The theme for Week Four of NCSAM 2016 is “Our Continuously Connected Lives: What’s Your ‘App’-titude?” Nothing captures how much our lives are connected like the Internet of Things (IoT), the security risks for which a surprising number of organizations are unprepared.
That’s why I sat down for a chat with Travis Smith, senior security research engineer at Tripwire, and Bob Loihl, software engineer at Tripwire, to get a better sense of how IoT affects each and every one of us.
Here’s how our conversation went.
Chris Conacher: Let’s start off with something simple. What’s IoT?
Travis Smith: IoT stands for the Internet of Things, which is a catchall phrase for any device on which you can put a network connection. It’s been around for a while but recently, it’s expanded to include a lot of household appliances like smart televisions, refrigerators and washing machines. The idea is that the information those devices provide can make our lives easier.
Bob Loihl: The Internet of Things isn’t just about what we find in our house, either. It’s permeated our cars, our workplaces and every moment of our waking lives. Heck, IoT could even extend to cover the “smart” house, where everything is connected under one interface.
CC: Clearly, the Internet of Things is everywhere. But do you guys think it benefits us? Is connectivity a core benefit of IoT?
TS: Well, that’s the idea, at least. The Internet of Things represents things that are “better” and “newer” than our current appliances. They’re a benefit for manufacturers because they can sell an Internet-connected refrigerator to someone who didn’t have it before. I’m not sure if connectivity’s a core benefit in of itself, however.
BL: I agree with Travis. IoT might be a benefit to the manufacturer and a novelty to the user, but when you look at the actual construction of a smart fridge, it all feels sort of pointless. That’s not to say increased connectivity doesn’t make sense across some scenarios. I could see the connected house providing some benefit when it comes to maintaining our homes, for instance, or Industrial Internet of Things (IIoT) streamlining power grid management. But disparate smart products still seem to be insignificant for most consumers.
CC: Manufacturers and users alike see connected things as an obvious next step but we’re still working on appropriate use-cases for those types of smart devices. After all, not every situation warrants connectivity. There could actually be a negative effect in some cases. Let’s talk about that. What are the risks of IoT?
TS: Well, think about some of those IIoT devices that are connected to the power grid. An attacker could theoretically exploit a vulnerability to turn all those devices down to low-power mode or to produce a denial-of-service (DoS) condition. In either case, they could then wreak havoc on the power grid.
CC: It’s an interesting thought that an actor could harness that kind of influence. Then again, I suppose there are different threats between, say, a $90,000 Tesla and a smart children’s toy. That’s two different levels of risk, right?
BL: Not necessarily. Both the smart Barbie doll and Model S constitute eavesdropping-potential devices. Regardless of what it actually is, each IoT device opens up a whole lot of privacy concerns from government agencies and criminal organizations that might want to listen to what we’re doing.
TS: True, but the Tesla does carry more risk simply because it’s a car. Just a few years ago, you would need to have physical control of a vehicle to tamper with its functionality and systems. Manufacturers have begun placing most of the wiring inside the car to prevent those kinds of attacks. It’s comforting… or at least it was. Now that we have driverless cars, you no longer need to have physical control of the car. It opens up a new level of risk in that you’re forfeiting access to the crown jewels.
CC: Scary stuff for sure. Are there are any security models that can help protect users from the smart Barbie doll and Tesla?
BL: The best option is to create layers of defense. Part of this process should involve building a framework where IoT devices all speak the same language and where we, as users, gain intelligence from how those products communicate with one another. It’s our best hope if we’re going to protect against the growing number of IoT-based attacks.
TS: That’s for sure. Just look at how all of those infected DVRs, cameras and other devices that make up the Mirai botnet took down Brian Krebs’ website a few weeks back. And let’s not forget about how Mirai took down Twitter, Spotify and a number of other popular sites after it launched attack traffic against the Dyn’s DNS infrastructure.
BL: How could we forget? It’s the sheer proliferation of IoT devices that make attacks like those possible. Those products just aren’t managed like they would be in an IT environment. Most home users don’t have the skills, for example, to move an IoT device to a dead-end network.
CC: Do you think the attacks like those perpetrated by Mirai are gaining enough visibility for people to ask questions about standards?
TS: Well, a Chinese company whose products Mirai scanned for vulnerabilities issued a recall, though that could just be a publicity stunt.
CC: I guess that’s a potential differentiator. If these attacks gain enough visibility, and if they involve devices that are hacked and located in your home, users will likely start to feel weird. That could help companies and users alike build brand awareness.
TS: In the meantime, I have to ask: who’s at fault for Mirai compromising an IoT device? Is it the manufacturer for implementing a set of weak login credentials? Or is it the user for not changing their device’s username and password?
CC: Good question. It strikes me as odd that there’s no auto-update feature on more of these products. It wouldn’t matter to users.
TS: There are some devices that do that. For example, Google controls all updates issued by the NEST thermostat. A user can’t do anything to stop them. That’s the right way to go with IoT.
BL: I agree. Manufacturers can make their devices more secure by embodying a “secure by default” philosophy, by pushing patches as often as they can and by implementing auto-updates, so that updates aren’t a user’s responsibility.
CC: Should there be stronger regulations to dictate IoT security standards among manufacturers?
BL: I feel there is a benefit to regulation with things that are so complex where the user will never get it. For me, it relates back to things like tobacco. In that case, regulation and awareness drove us to make better decisions than we ever could through the free market alone.
TS: Perhaps. Then again, the market needs to dictate what’s important for itself. If IoT devices start to negatively affect or “attack” their owners, users will probably begin to vote with their purse for more secure products.
CC: Good point. If commodity pieces are blowing up or catching fire or crashing, people will think twice about it. The market will begin to regulate itself. So, what about users? Are there choices they should make?
BL: In my opinion, we should avoid connected devices. We should do so partly out of environmental reasons. We’re buying all of these products without an understanding of why we need to buy them. In the meantime, the footprint of creating those products is creating lots of problems for the environment and for our limited resources.
CC: Interesting. Do you think users can do a risk assessment?
TS: No. But it’s even harder than that. The televisions with the best specifications are the ones with smart features enabled. I certainly don’t need them but if I want the best TV, I need to buy that type of TV. Here’s the thing, though. If you’re not going to use a device’s Internet connectivity, don’t plug it in or don’t use it.
CC: Well said. Users should just turn things off when they’re not going to use them. So, we’re nearing the end of our conversation. Any last thoughts?
TS: Users should update their products when they can, log into their devices periodically, don’t turn on Wi-Fi when they don’t need to do so, and turn off their devices when they’re not in use.
BL: At the same time, users need to be aware of what connectable devices are present in their house. That’ll definitely help with their awareness as far as whether and how users will choose to connect those devices.