The Security of Things

As I went to CES this year, I noticed a distinctive shift towards a new trend that everyone is referring to as “The Internet of Things” or IoT. People talk about this like it is a new trend, but actually it is a very old concept dating way back to when people started embedding computers in objects.

For example, your average car has over 30 computers and luxury cars can have over a hundred!

The control systems that constitute the air conditioning of large buildings are actually complex control systems with many embedded devices throughout the building, which report and control the complex valves, blowers and heaters through automation.

However, while the “Internet of Things” is not completely new, this incarnation of it is very different.

It’s personal.

As we move deeper into building products and services, which automate away the drudgery of tasks and provide convenience, it is a necessary result that the automation itself becomes more pervasive. Unfortunately, that brings with it an entirely new set of problems, some dealing with the physicality of use and others with the more concerning aspect of security.

You see, with the new Internet of Things, we should be considering security not as an afterthought, but as a design constraint.

The data these devices are collecting can be high density, and hacking into it could reveal all sorts of secondary things about you that you might not want exposed. For example, something as innocent as a GPS jogging band contains the routes you frequent. If someone wanted to see where you are likely to be at certain points in the day, that would be the best place to find out. Perhaps a Bluetooth-controlled light-bulb could be mischievously turned on and off.  I was recently asked, “why does it matter if someone can get to my new smart IoT coffee maker? What will they do, make my morning coffee stronger for me?”

Maybe they’ll run it continuously with no water, sparking a fire. What if they also take control of, and shut down, your smoke detectors?  You have to think maliciously.

Xpiter recently showed how easy it was to find the SSH keys for the popular Home Automation hub, Mi Casa Verde made by Vera Control. This is in addition to the Security Bypass Vulnerability that Trustwave discovered. Now I am not picking on the Mi Casa Verde or the other IoT hubs Vera Control makes (okay, maybe I am). Vera controls doors, motion sensors, cameras, outlets, motion detectors, coffee makers etc.  Basically, if it has Bluetooth, Zigbee or Z-wave, Vera can control it. With those vulnerabilities, you may not be the only one controlling your home, or business.

Once you start connecting embedded devices like these to a network, there are all sorts of interesting possibilities for collecting very personal data about you, ranging from usage patterns, your comforts relating to temperature, what time you sleep, where you are during certain times of the day, etc…

So, what we are really entering is an even more intrusive environment where seemingly harmless data can be streamed and studied by hackers or other interested parties.

This is why it is important to secure the Internet of Things before it gets into gear.

Many of the techniques we advocate for BYOD and endpoint monitoring can be applied to the IoT environments. For example, the kinds of communication that are currently on media like Bluetooth could be monitored by an IoT security system that would prevent new ones from being added ad-hoc, or you could do passive listening for unregistered control of IoT devices within your domain and flag such intrusions.

There is also the aspect of IoT technologies that are being developed by companies like Spark.io, where the devices are implicitly connected to a cloud infrastructure. While convenient for companies offering products they want to deploy and collect data from, unilateral control as to what they want to share with such services, needs to be in the hands of the consumer.

Personal data needs to stay personal. Just because we are moving to an age of convenience doesn’t mean we need to sacrifice privacy.

Corporate data needs to stay within the secure confines of your company. This giant move forward with IoT means many, many more “things” on your network. Whether you approved their use by policies or not, they are there now today.

 

It’s time to #TakeBackYourNetwork

 

Starting this month, we will be hosting a webinar series titled “Internal Security Threat Introduction: Stop Malicious Behavior Before It Takes You Down”

 

I highly encourage you to attend!

 

 

www.MiltonSecurity.com.

 

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *