Is the IoT industry making the same mistakes again?
Hacked cars in particular made it into the latest news, from online media to the biggest broadcasters in the world. Examples were Fiat Chrysler, which recalled 1.4 million cars after the Jeep hack, and a Corvette whose brakes could be controlled remotely. These examples confirmed the problems across the whole car industry described in our former blog post (e.g. the BMW problems).
Completely different, but just as much part of the Internet of Things, are the new wristbands, step counters and mobile fitness devices, and the data they gather in the cloud, on the device and on your smartphone. Interesting in this respect was the test performed by AV-Test, a well-known independent test organization for security products. The test tried to measure how private fitness data is transferred from the devices to the smartphones or the cloud, and how secure the apps of the fitness trackers are. You can find the full test here. These fitness wristbands are very popular and already a trend: all activity results are recorded and analyzed in an app on the user's smartphone, so the user can immediately see how well they performed. The question remains, however: is the data transported securely from the wristband to the user's smartphone? Can someone intercept this link and copy or even manipulate the data? Could the app itself be manipulated? To investigate these questions, 9 fitness wristbands or trackers together with their Android apps were monitored in live operation. How well did those trackers perform in terms of security? And what about eavesdropping?
Fitness trackers are expected to play a big role with health insurance companies, so suppliers need to improve their security policies ASAP, before it's too late and the data can be misused. What if people use the data of a neighbor of the same age with a higher level of fitness? Those familiar with what people pay for health insurance in the US and in some other regions of the world know how large the criminal potential may be. In some cases user data is already being sold to health insurance companies. On the other hand, fitness data can also be used by criminals to learn your habits and find out when you are away, leaving your home open to burglary.
The fitness tracker test was a good example of the start of a new wave of such tests. But it is clear that it looked in one specific direction: data, encryption and authentication. We should not stop there. Encryption is only one aspect of security; it covers only the confidentiality and integrity of data. The field of security covers many more aspects that should be evaluated in future tests. How about designing tests to find out whether the electronics in cars are built with security in mind?
I recently saw that some ethical hackers are trying to help parts of the car industry, or that the car industry will hire penetration testers. This will only solve a couple of security issues at that one company. So I'm not really in favor of this approach on its own: the IoT is too wide an area, and products and companies are already using (and misusing) new, insecure technologies. One way to solve this is to establish an organization or body that creates guidelines for the different parts of the IoT industries, monitors the security issues, and tests products against the security requirements laid down in those guidelines.
One of the initiatives trying to do that at this moment is the Internet of Trust Framework draft by the Online Trust Alliance. This draft framework wants to provide guidance to manufacturers and developers to help reduce attack surface and vulnerabilities, and to adopt responsible privacy and data stewardship practices. It also wants to drive the adoption of security, privacy and sustainability best practices, embracing "privacy and security by design" as a model for the development of a voluntary, yet enforceable code of conduct.
The initiative mentioned here is definitely a good way forward, but we aren't there yet. I am convinced that the IoT is such a big area that it will be difficult to find the right balance between security, the correct privacy in every part of the world, and the correct implementation in every IoT product.
I especially have my doubts about how security researchers can help all these IoT companies while this market is growing exponentially. Security researchers already have their hands full trying to establish a safer internet with the operating systems and devices we are running all over the world. So the best way to handle the insecurity of IoT is a more holistic, systemic approach.
The real danger and some solutions: don’t make the same mistake as before!
The forecast for the IoT is staggering. By 2020 there will be 212 billion IoT devices, of which over 30 billion will be automatically connected, producing over 3 million petabytes of data.[1] That means the risk of IoT devices being misused is exponentially higher than the risks with computers, and that is where the real danger appears. What if your car is hijacked while you are driving it? What happens when your insulin pump is remotely controlled by cybercriminals? The risk that somebody gets physically injured is suddenly very close to becoming reality.
A large part of the security-related problems in IoT devices can be solved with security by design. Building in security from the beginning is well understood these days, and it is especially important for the firmware built into IoT devices. Being easy to update is an advantage, but it could become a nightmare if cybercriminals can interfere with the update process. In our opinion the main message should be: create a secure device from scratch before looking into any other options.
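To make the update-process point concrete, here is an added example (not G DATA code, and not taken from any product mentioned on this page) of what a device should do before it applies a firmware image: authenticate the manifest, refuse rollback to an older version, and bind the image to the manifest by hash. It uses HMAC-SHA256 from the Python standard library so that it runs offline; a shipping device would verify an asymmetric signature instead, so that no key stored on the device can be used to forge updates. The key, version numbers and image bytes are all constructed for illustration.

```python
"""Firmware update verification: authenticate the manifest, refuse rollback.

Added example, not from the original post. HMAC-SHA256 stands in for the
asymmetric signature (e.g. Ed25519) a real device would check, so that the
code runs with the standard library only. All values are constructed.
"""
import hashlib
import hmac
import json
import struct

# Constructed device-side state (hypothetical values).
VERIFY_KEY = b"constructed-demo-key-do-not-use-0000"
INSTALLED_VERSION = 7


def build_update(image: bytes, version: int, key: bytes) -> bytes:
    """Vendor side: pack a manifest (version + SHA-256 of image), MAC it, append image."""
    manifest = json.dumps({"version": version,
                           "sha256": hashlib.sha256(image).hexdigest()},
                          sort_keys=True).encode()
    tag = hmac.new(key, manifest, hashlib.sha256).digest()
    return struct.pack(">I", len(manifest)) + manifest + tag + image


def verify_update(blob: bytes, key: bytes, installed_version: int):
    """Device side: return (ok, reason, image). Checks MAC, rollback, then hash."""
    if len(blob) < 4:
        return False, "truncated header", None
    (mlen,) = struct.unpack(">I", blob[:4])
    manifest = blob[4:4 + mlen]
    tag = blob[4 + mlen:4 + mlen + 32]
    image = blob[4 + mlen + 32:]
    if len(manifest) != mlen or len(tag) != 32:
        return False, "truncated manifest or tag", None
    # 1. Authenticate the manifest before parsing anything inside it.
    expected = hmac.new(key, manifest, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "manifest authentication failed", None
    meta = json.loads(manifest)
    # 2. Anti-rollback: a genuine but older (possibly vulnerable) image must be refused.
    if meta["version"] <= installed_version:
        return False, "rollback to version %d refused" % meta["version"], None
    # 3. Bind the image to the authenticated manifest.
    if hashlib.sha256(image).hexdigest() != meta["sha256"]:
        return False, "image hash mismatch", None
    return True, "ok", image


# Constructed inputs covering the cases a device must handle.
GOOD = build_update(b"firmware v8 bytes", 8, VERIFY_KEY)
TAMPERED = GOOD[:-5] + b"XXXXX"                          # image altered in transit
OLD = build_update(b"firmware v5 bytes", 5, VERIFY_KEY)  # genuine but outdated
FORGED = build_update(b"evil", 9, b"wrong-key")          # built without the vendor key

if __name__ == "__main__":
    for name, blob in [("good", GOOD), ("tampered", TAMPERED), ("old", OLD), ("forged", FORGED)]:
        ok, reason, _ = verify_update(blob, VERIFY_KEY, INSTALLED_VERSION)
        print(f"{name:9s} -> {'accept' if ok else 'reject'} ({reason})")
```

The order of the checks matters: the manifest is authenticated before it is parsed, so a malformed manifest from an attacker never reaches the JSON parser, and the version check runs before the (comparatively expensive) image hash, so replayed old images are rejected cheaply.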
As cybercriminals always go for the low-hanging fruit, a big danger lies in application-related threats in IoT. IoT applications come in several forms: mobile or desktop applications that control IoT devices, IoT firmware, and apps on IoT platforms (e.g. apps for Tizen watches). All of these applications need to be protected, as they can interfere with IoT devices, steal confidential data or try to gain unauthorized access to payment channels. It is a matter of hardening and safeguarding the apps on these devices. Of course we have already seen attempts and malware (e.g. the Vicepass Trojan) that try to find passwords across the whole network from all connected devices, but I don't count that yet as a real attempt. G DATA will definitely have some new solutions in this ever-changing world. Actually, we are already taking care of this in our current products for Android, Windows, Linux and Mac OS, at least for future malware (apps) misusing IoT devices remotely from these operating systems. Android, for instance, could be one of the first platforms used to attack IoT devices, as it is already quite popular with IoT device vendors and cybercriminals.
All IoT-related industries, like smart home, smart cities with smart cars, industrial automation (called Industry 4.0) and smart health, should not make the mistake we all made years ago, when nobody counted security as a major problem. We need secure implementations and high security standards. Security by design is key in this. Don't forget this! We can always fill in the security gaps afterwards; ideally these gaps will be too small to be exploited or misused.