The State of IoT (In)Security

The state of Internet of Things (IoT) security today is clear: it’s terrible. IoT devices are everywhere – from Fitbits and Amazon Alexas to smart appliances and intelligent home security systems, they’ve already permeated our consumer lives. Outside of the consumer space, however, IoT is even more prevalent. IoT devices control electrical grid switches and public water systems; monitor road traffic in real-time to optimize city travel; track patient health in hospitals, so doctors and nurses can stay alert; control servers for Facebook, Spotify and our other favorite media sites; and much, much more. Not to mention, IoT devices will soon be increasingly used in music, construction, film and countless other industries – in addition to totally permeating infrastructure, healthcare and home life. As machine learning and blockchain become more sophisticated, they’ll integrate with IoT, as well. Its potential will only grow with time. Obviously, the prevalence of these devices makes them a prime target for a whole variety of hackers (from nation-states and cyberterrorists to hacktivists and organized crime groups). Ransomware and other forms of extortion are just two types of cyberattacks we’ve seen. The Mirai malware from this past August, which wiped out entire Internet services across the east coast, is a prime example of how damage might not just be financial. We only need look to other countries to see how these attacks can be replicated against electrical grids and other critical infrastructure, potentially putting millions of lives at risk. On top of this already precarious situation is that IoT devices are insecure by default. Encryption is often sub-standard; basic hardware security features are overlooked; default passwords are weak and duplicated across devices; and internal security controls, like dynamic information-flow tracking, are similarly (almost) nonexistent. There are certainly reasons for this fact. IoT devices possess significantly less computing power than most modern machines, and so implementing modern security techniques in IoT devices without significant overhead is difficult. Further, the organizations that use these devices (and the systems that these devices are built into) usually depend on the speed of “edge computing,” so security may even be considered, on its face, as economically undesirable for manufacturers. Will companies really buy a slower but far more secure device in favor of a faster but insecure one? The answer is that this shouldn’t even be a question.

Security should be the default in IoT devices because our current state of affairs is only asking for disaster.

As extensive research in both cybersecurity and the behavioral sciences tells us, most people, given a set of options, will stick with the default choice. Thus, most IoT “users,” whether everyday consumers or a federal agency, likely won’t change default passwords; they likely won’t change the encryption settings; they likely won’t look into the device’s security at all. They are insecure because the provided, default settings are insecure. If we break this down further, there are many reasons for this fact. Behavioral economics and decision heuristics account for some of this “complacent” behavior and “status quo bias,” but it mostly comes back to a lack of education on technology and cybersecurity. Since most of the people purchasing and using these devices aren’t aware of these security problems – let alone how to fix them – the devices are left unsecured, and hackers can easily break in. By changing the defaults, however, we can drastically improve IoT security – and play to people’s biases in a way that makes everyone safer. It’s time we change the state of IoT (in)security:

Technology Leaders

Pressure IoT manufacturers to strengthen device security. As soon as you purchase devices for your company, check their encryption standards, change their default passwords, and don’t put them online until you rigorously penetration-test each individual device (e.g. with buffer overflow attacks). Work with policymakers to write compliance guidelines that make security the default – and continuously speak with them about new security techniques as they’re developed; if policy is to stop falling behind technology, we need better communication across channels. When developing organizational security policies, expect IoT insecurity. Purchase additional software to secure IoT devices, minimize network overlaps whenever possible (i.e. don’t connect a water system to a power grid), and encourage your peers to do the same. And collaborate with educators to bring the public, and the leaders of tomorrow, up to speed.

Policymakers

Write regulations that makes IoT security the default. Require device manufacturers to use industry-grade encryption, to implement essential hardware security features, and to use strong default passwords that are different for each device. Consult industry experts – both development- and management-level – to understand cutting-edge hardware and software security techniques, and then integrate them into your standards. Continuously speak with these technology experts so your policies don’t fall behind (which in today’s world, can happen very quickly). Implement checks and balances that ensure compliance on all fronts. Reach out to educators and work to increase technology “literacy” among citizens. And always keep learning – because it’s vital that all policymakers understand technology.

Educators

Draw attention to IoT insecurity. Educate yourself on the Internet of Things and important cybersecurity jargon, and then spread that knowledge to others. Advocate for general technology education in public schools rather than just coding classes – and if you are a technology instructor, make IoT and cybersecurity a part of your curriculum. Encourage students to explore these ideas on their own, and provide resources to that end. Work with policymakers to support students going into cybersecurity. Speak to tech about best preparing future generations for our promising and dangerous cyber world, and try to close any gaps between tech education and tech “reality” that may exist. IoT is insecure and everywhere, and its presence is growing. The time to act is now.  

Image

About the Author: Justin Sherman is a student at Duke University double-majoring in Computer Science and Political Science, focusing on all things cyber. He conducts technical security research through Duke’s Computer Science Department; he conducts technology policy research through Duke’s Sanford School of Public Policy; and he’s a cybersecurity contributor for the Public Sector Digest. Justin is certified in cybersecurity policy, corporate cybersecurity management, social engineering, infrastructure protection, insider threat prevention, and homeland security planning from such organizations as FEMA, the National Institutes of Health, the U.S. Department of Homeland Security, and the U.S. Department of Defense. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.