From its early days, the Internet today has evolved into a robust network with a number of security mechanisms such as mutual authentication, secure protocols, strong encryption, and trust models. Comparatively, the Internet of Things (IoT) does not possess similar security measures, thereby rendering it vulnerable to attacks. The lack of built-in security measures for IoT is due to the fact that the devices connected with it were already owned by people. It was only in 2014 that Symantec came up with the implications of built-in and bolt-on security measures in the IoT space.
WannaCry: A Serious Ransomware
Due to the vulnerabilities in the IoT, a ransomware named WannaCryptor aka WannaCry was able to wreak havoc across the globe. Multiple National Health Service (NHS) hospitals fell victim to this dangerous malware. WannaCry holds the infected computer hostage and demands a ransom of $300 in bitcoins (a type of digital currency) from the user of the infected computer to let him/her regain access to the computer.
Hospitals store comprehensive information pertaining to their patients, such as schedules, dietary information, and drug detail regimes, and most of this information is highly sensitive that must not leak anywhere. Criminals can utilize the stolen medical information to illicitly obtain drugs or commit medical identity fraud.
The WannaCry attack made it difficult for the hospitals to continue providing their services as the patient information stored in the infected computers could not be accessed.
Security researchers noted the vulnerabilities of routine medical equipments such as pacemakers or drug injectors. These devices accept firmware updates without authenticating them. One such vulnerability even forced the FDA to direct the hospitals not to use an easily compromised device.
Security Measures: Built-in vs. Bolt-on
Security measures can be a part of a system in two ways: they are either built-in or bolt-on.
Built-in security measures are an integral part of the devices, whereas, Bolt-on security measures are added later to a finished product or device. As IoT interacts with the physical world via a device’s human interface, an Internet-connected device with less stable bolt-on security measures could easily be attacked.
Consider a smart building where lighting, heating, and ventilation are controlled using sensors. A bolt-on, Internet-enabled network working in conjunction with these sensors may increase the monitoring and efficiency of the overall system. However, as these sensors are not designed to resist security threats when connected to the Internet, it puts the entire control system of the building at risk.
Traditional internet security measures are significant but not enough for IoT. The inclusion of proper authentication, encryption, authorization, accounting, intrusion detection, software signing, and trust models sound promising, but. It needs caution and deep expertise; if not done right, it can prove quite costly to the user.
For example, in 2017, researchers were able to acquire a reduced set of possible patterns for the swipe patterns used to unlock Android devices. This didn’t require high-end cameras. Instead, they utilized data acquired via low-resolution cameras in shopping plazas to do so.
Think Before You Network
An attack, in terms of IoT, is no longer just a metaphor—it is an actual assault in the physical world. These attacks can be initiated without even having access to the Internet. The criminals also don’t need any technical expertise to orchestrate these attacks; simply knowing how to install a legal packet sniffing application can enable a criminal to attack a network.
Imagine a public building with an IoT-connected motion detector at the entrance. A person with malicious intent enters the building and intentionally sets off the motion detector. Simultaneously, an application is used to sniff the wireless network to capture the encrypted communication transmitted when the motion sensor is triggered. This person could then store the data in a mobile device, collect enough samples to analyze and compute a smaller encryption key than the original set of nearly infinite permutations. The ability to deduce specific packets from a motion event enables this person to reduce a well encrypted data down to a readable code in the IoT. This provides access to packet headers and structures, which in turn, enables further attacks on the network. All this is possible just with a person being able to install an application and utilize it while moving back and forth an entrance.
In Australia, another ransomware recently targeted hotels. This particular attack type locked the electronically controlled doors while occupants were still inside the building and then demanded a ransom. The attacker took advantage of the hotel’s trust on the encrypted keys and the lack of a physical-bypass method. Eventually, the hotel had to pay the ransom to the criminal. This could have been easily avoided if the hotel had a physical override key or bypass. Such issues establish the necessity to be sensitive to the vulnerability of security features.
IBM also demonstrated the vulnerability of the networks to such attacks by ‘ethically hacking’ the smart system of an anonymous building. Their initial attempt to gain remote access to the network was a failure. However, after driving over to the building and using the local network, they were able to gain access to the building’s control and automation systems. This proves that even with strong security against remote attacks, systems are still susceptible to security breaches.
These recurring security breaches mandate re-evaluation of security features of a system before it is connected to a network. It is absolutely necessary that engineers design systems keeping in mind the following questions:
- How was the system secured before it was connected to a network?
- How can connected things be secured within the new network model?
Recent events dictate that it is necessary to involve physical security as well, which, in turn, provides higher levels of network protection. This will serve as a foundation for safer and broader interactions with Internet-connected systems.