Applying Security to the Internet of Things

The Internet of Things (IoT) is producing some of the most fascinating products that have been seen in years - health monitors, air conditioning controls, and some oddities like the smart toilet - and they will only continue to keep on coming. Relatively inexpensive micro PCs like the Arduino and Raspberry Pi have also made it incredibly affordable for startups with great ideas (OK, the smart toilet isn’t exactly a winner, but someone might buy it) to produce a prototype and attempt to hit the market. However, something that has been missing in some of these concepts is a factor of security. When a health monitor communicates with a cloud server to save and sync health data, you want to be sure you can review your health stats later, rather than worry about a hacker breaking in and stealing all of your health data. However, without proper security in place, that is just the sort of thing that can occur.

First, let’s focus on some of the security failures, and why they are so problematic. One of the most well-known security flops was an issue with a series of baby monitors where hackers were able to get into the feed and talk to the baby being monitored, as well as look into the home of the owners of the ‘security system’. As terrifying as this might be, it has absolutely nothing on the scenario where pacemakers and insulin pumps were remotely hacked, which could potentially kill the user by overloading their systems. These are both very scary scenarios, and while not all IoT products even have to do with Healthcare, the fact of the matter remains that protections need to be in place. Even in a relatively ‘harmless’ case like having an air conditioning system like Nest hacked could result in lost credentials and a very unpleasant evening!

So how do IoT products typically interact with the world. For many IoT products, the way data works is that the user controls the system via their smartphone, which phones home to the company’s servers to make sure that everything is working properly and is synced so that if the IoT product is lost or damaged, the user can get back on their feet relatively quickly. This gives us 3 points of failure for most IoT scenarios:

-IoT product

-Mobile Device

-Cloud Server

At the IoT product level, it is important to enable firmware updates so that any security breaches that are discovered after the fact can be addressed. This isn’t always possible, considering the nature of the products, but at the very least basic security options like strong passwords should be in place. This might sound like common sense, but there have been cases where IoT products have had ‘password’ hard-locked as the admin password for the device, so unfortunately it does need to be said. Any communication to the app that communicates with the device (whether it is the mobile device or the cloud server) should be encrypted to prevent a man-in-the-middle (MITM) attack.

The mobile device is another important factor to protect as well, as was recently pointed out at a keynote session at ITExpo Miami by Gary Davis of Intel Security. According to Gary, only 36% of mobile phones have even PIN protection in place, only 22% have a tool to locate the phone when lost, and only 14% have antivirus in place. Combined with an assessment of 25 vulnerabilities per device in the home on the IoT side, and you have a dangerous combination where the tool to control IoT as well as the IoT products themselves are in serious danger. Gary recommends installing a kill switch application for mobile phones in the event that they are lost in addition to adding full encryption to the device beyond having a PIN. In addition to this, it is highly prudent to only install applications on your mobile device that come from trusted app stores to reduce the chances of installing malware on your own.