Internet of things: It could get nasty

More and more connected devices are being rushed to market. But the lack of security standards leaves many of them wide open to abuse. So what are the challenges to be overcome in securing the Internet of Things?

For many people, the idea of "smart lightbulbs", internet-connected refrigerators, thermostats that can be controlled over the internet and other connected devices is an absurdity.

Why, they ask, would any sensible person want to connect ordinary household devices to the internet for the marginal utility of being able to check whether their refrigerator has milk in it by sending it a text message from the supermarket, or of being able to switch on the heating while on the train home?

Then, there is the fear that these devices could, unknown to the householder, start spying on them: televisions that tell the manufacturer what you're watching - perhaps even spying on you via a built-in webcam at the same time - smart meters that not only tell the power company how much electricity you're using and when, but anyone else watching your house.

And then there's the question of where that personal data might end up. Will the television manufacturer keep your viewing habits to itself, or maybe sell it on?

Such fears should not be lightly dismissed. In the past year or so, smart televisions manufactured by LG have been found to be feeding back data to the manufacturer, while software flaws in some high-end Samsung models could have enabled hackers to activate built-in webcams.

Security? We've heard of it...

Security, meanwhile, has been central to the debate over smart meters, with opponents arguing that the evidence, or otherwise, of energy consumption at particular times could be used to target households, while power companies could cut households off remotely for non-payment or demand management.

The inadequacy of security controls over the emerging so-called Internet of Things (IoT) - the name given to the increasing number of otherwise "dumb" devices that manufacturers want to connect to the internet - was graphically illustrated in a report released in August by HP Security Research.

It analysed a diverse variety of devices including smart televisions, webcams, home thermostats, sprinkler controllers, and even door locks, home alarms and garage door openers.

Not only were the majority of devices supported in some form via a cloud service (an extra potential attack surface, of which the recent celebrity iCloud hack suggests many users may not be fully aware) and by mobile applications that enabled them to be controlled remotely, but the majority also fell short on the most basic elements of security:
• ninety per cent collected personal information, including names, addresses and even credit and debit card details;
• eighty per cent failed to require passwords of sufficient length and complexity, making them easy to crack;
• seventy per cent communicated information, including personal information, in an unencrypted form; and,
• sixty per cent had user interfaces vulnerable to a range of common software flaws, including cross-site scripting vulnerabilities and weak credentials.

Mike Borza, chief technology officer of security company Elliptic Technologies, blames the companies producing the devices for being in more of a hurry to get their devices out into the market than in getting the security right first.

"We are still at the experimentation stage where technology companies are just deploying functionality and saying ‘Look at all the cool stuff we can do’," says Borza.

Not only are many companies in a rush to capture both "mind share" and market share, many are also start-ups that need to turn their ideas into products, fast. Furthermore, security might get in the way of functionality.

"A lot of these early Internet of Things devices are being developed on shoestring budgets by development teams anxious to get into the market quickly. What they want to do is to demo their capabilities and, frankly, designing devices to be secure and reliable is a difficult task. It takes a lot of effort that doesn't show up in the functionality of the end product," says Borza.

In other words, when it comes to security, many companies developing connected devices are winging it and hoping to get away with "security by obscurity".

Part of the problem is that, at the moment, there are no standards governing such devices. Indeed, there are many challenges in the way of developing such standards.

First, of course, is that it is hard to define a standard for a device of unknown compute power, and prescribing a layer of security on what is supposed to be a low-cost, low-power device might make it uneconomic.

How can you define a standard encompassing anything from a light bulb, which will have little built-in compute power, to a smart television, which could potentially be as powerful as a games console? There is also a big difference in compute power built into a cheap television compared to a high-end television. Any standard would have to straddle that wide gulf.

Furthermore, who would buy a £5 LED light-bulb if the computing power required to make it “smart” and secure added another £20 to the price?

Second is the sheer number of bodies bidding to define the standards. According to Richard Curran, Intel's security officer for EMEA, there are a number of major standards-setting bodies involved – and countless other industry initiatives – all focused on the security of connected devices.

Then, there are the natural market challenges that need to be overcome: not least the desire of device makers and their partners to acquire information from connected devices for their own commercial reasons that users might feel uncomfortable giving to them.

Knowing me, knowing you

Major television maker LG, for example, admitted that its smart televisions have not only been logging owners’ viewing habits without their permission, but also transmitting this data back to LG headquarters.

Even when users scoured the settings menus to switch off the option marked “collection of watching info”, the televisions still continued to transmit viewing information back to LG. Not only that, but the information was transmitted in plain text as well – an indication, perhaps, of how highly the company values its customers’ private information.

LG promised to remedy the security lapse with a firmware update, but the ease with which such a simple connected device as a television can be set to spy on users without their knowledge and consent will no doubt make many people feel uneasy.

Indeed, LG is not the only major television maker whose security has fallen short. At the Black Hat security conference in 2013, one researcher demonstrated how to remotely activate the microphone and camera in a Samsung smart television.

Astonishingly, Samsung advised owners of the affected televisions to cover up the built-in webcam if such risks bothered them. “We have released a software update to resolve this issue. In addition, the camera can be turned into the bezel of the TV so that the lens is covered, or disabled by pushing the camera inside the bezel. The TV owner can also unplug the TV from the home network when the Smart TV features are not in use,” advised the company in a statement.

Part of the problem, suggests Borza, is that on the one hand, many consumer markets are highly price- and feature-driven – yet security comes a long way down the list of features prized by potential buyers and, in any case, just gets in the way when buyers are trying to use their new electronic toys for the first time.

Finally, many companies involved in developing security standards for connected devices are also bidding to acquire some form of proprietary advantage for themselves – whether in standards committees or via sheer market power. This may both increase costs and hamper potential interoperability between different devices from different manufacturers.

Next steps

Regardless of the challenges of devising security protocols and standards for connected devices, much work is being done.

Borza believes that any security standard for connected devices will start with “secure bootstrapping”, providing all connected devices with application-independent functions for security, particularly setting up secure authentication with servers for handling firmware upgrades. Transport Layer Security (TLS) will be used as the cryptographic protocol for secure communication, believes Borza. For devices sending short messages, he adds, User Datagram Protocol (UDP) will likely be used.

It is inevitable, he continues, that bugs will creep into the software and this needs to be upgradeable, not built into the hardware. “The whole idea of a secure bootstrap platform is that it gives you the opportunity to do secure updates of firmware so that the inevitable bugs that are going to be delivered in software can be corrected and field-upgraded,” says Borza. “Trusted platform modules,” he adds, “are overkill for small devices.”

Making devices securely upgradeable in the field needs to be planned in advance, he continues, and built in not just to their design, but also emerging network topologies.

A houseful of smart lightbulbs, for example, might require a software or security upgrade all at once. Instead of multiple downloads of the same software, it would be more efficient if the upgrade were downloaded to a gateway device once, then applied to the devices one-by-one.

The “alphabet soup” of standards committees, both in Europe and worldwide, as well as industry bodies, are nevertheless knuckling down.

“In Europe, there are three main standards bodies: the European Committee for Standardization (CEN), the European Committee for Electrotechnical Standardization (CENELEC), and the European Telecommunications Standards Institute (ETSI),” says Curran. “Worldwide, you’ve also got the Institute of Electrical and Electronics Engineers (IEEE) and the International Electrotechnical Commission.”

Such standards bodies are not exactly famed for moving at internet speed.

Intel, meanwhile, is working with networking chip maker Broadcom, Samsung and Dell in the Open Interconnect Consortium to define open standards for IoT security across multiple operating systems and platforms. “It’s all about understanding the ‘risk challenges’ around security, because security has to be end-to-end,” says Curran.

Perhaps illustrating how IoT security groups have proliferated, Intel is also involved in an industrial-focused group, the Industrial Internet Consortium, with IBM, HP, Fujitsu, Toyota and General Electric, among others, to examine machine-to-machine communications.

On top of all that, there are also emerging regulations in the energy sector, in particular, that are starting to dovetail with some connected devices standards – especially smart metering.

In the home, believes Curran, the most immediate answer lies in whitelisting, rather than employing the whole gamut of PC-derived security, such as anti-virus scanning and firewalls, on every device.

Underlying all these challenges, though, is the key one of usability for ordinary people. Unless the security standards that emerge are genuinely user friendly, the Internet of Things will be as insecure as a Windows 98 PC in the hands of a 65-year-old “noob”.

The bottom line, perhaps, is that in an increasingly computerised and connected world, users might have to become more educated about security matters – either forced into a better acquaintance with IT security, or having to make do with an un-smart house and car.

For many, that probably also sounds like the best option.

@GraemeBurton