People who make Internet of Things (IoT IoT Security) devices still aren’t getting the message on security. And as these devices proliferate, the danger of increased attacks is getting more real.
Late last year, popular internet services such as Netflix and Twitter were temporarily taken down amid a massive distributed denial-of-service (DDoS) attack that involved hackers deploying malware to simple webcams that many of us use without thinking. Authorities in the U.S. and U.K. were investigating the Mirai malware used in the attack to create a botnet, an army of zombie devices commanded by hackers. In fact, the Mirai code is still available online, allowing those with only modest technical skills to continue disrupting internet services on a major scale.
IoT threats aren’t limited to things around us – they’re also inside us. The U.S. Food and Drug Administration (FDA) recently confirmed the existence of flaws in implants and transmitters made by a major U.S. medical device company. These transmitters are connected to the internet and designed to automatically monitor patients with implanted cardiac devices while they’re sleeping. The FDA disclosed that the transmitters have security vulnerabilities that allow them to be hacked in dangerous fashion.
Matthew Green, who teaches cryptography at Johns Hopkins University, pointed out that the devices don’t use strong authentication. He also speculated on the nightmare scenario of hackers accessing thousands of these devices and simultaneously sending commands to shock the hearts of unsuspecting patients. He suggested the only remedy would be a costly firmware fix.
I really believe that if we don’t focus on security, IoT will mean the “internet of threats,” or worse, the “insecurity of things.” That would be a disaster for the burgeoning IoT industry, which is expected to be worth some $1.7 trillion by 2020, according to IDC. We have to make 2017 the year of IoT security.
Some IoT engineers are waking up to this problem. Observers such as Professor Shiu-Kai Chin of Syracuse University’s online Master of Science in Cybersecurity are calling for a system of certified security by design for IoT devices. Safety certification company Underwriters Laboratories (UL) has a new Cybersecurity Assurance Program (CAP) that also seeks to mitigate security risks in devices connected to the internet. If this movement gains ground – and it must – I can imagine a future in which your internet provider would shut down your online activity if any of your devices is found to be infected with malware, or simply not up to standard. This would be a kind of digital quarantine that could dramatically reduce malware attacks, which can cost industries hundreds of millions of dollars in lost revenue.
Standards could also apply to software and service providers. Responsible companies that provide regular patches or updates for their products could receive preferential rankings based on the number of days since the last update, to suggest just one relevant metric.
Regardless, almost everything we do today involves a computer and some sort of connection to the Internet. This is a relatively new phenomenon that requires a different type of thinking. In the past, traditional engineering involved developing products that held up to storms, heat, wear and tear and normal presumptions of, human carelessness, “Murphy’s Law” and other fairly predictable factors. For critical infrastructure, this would include designing for random, accidental and transient faults.
However, we now live in a world where IoT devices (which you can define generally as just about everything) require security engineering. The often-used term “security by design” means that designers also have to account for ordinary people who put convenience first as well as people with malicious intent who are intelligent, and unpredictable and who cheat. In essence, IoT systems have to design security from the beginning on the principal that they will be attacked and compromised.
Furthermore, resilience is key and the security chain is only as strong as the weakest link. And in a security engineering context, even with security by design, one must assume that the system will fail. Thus, we’ll see new products and technologies that will provide resilience in the face of these types of attacks, just as there are data backup services, authentication services, and other safeguards.
I’ve said before, and I’ll say again: the benefits of security and IoT far outweigh the massive problems posed by the threat of cyber attacks. For the first time ever, mankind is using ever cheaper and more powerful IoT devices to collect data automatically from sensors on a mass scale. This is a sea change from past centuries, when all data was created and recorded by people. It will also bring forth a whole new realm of possibilities that we have yet to tap into or understand. We all just need to think with an updated security engineering mindset, and this is the year to get serious about it.