Insecurity and the Internet of Things, Part 1: Data, Data Everywhere
In early September, the United States Federal Trade Commission’s first action involving security and the Internet of Things came to fruition. The commission came to a settlement with Trendnet, which makes Internet-connected video cameras, over the firm’s lax security practices.
The settlement was over intrusions that occurred in January 2012, when hackers posted live feeds from about 700 Trendnet cameras online.
Trendnet’s SecurView cameras had a vulnerability that let anyone who had the cameras’ IP addresses use them illicitly for online viewing and, in some cases, to listen in.
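The flaw described above belongs to a well-known class: a device serves its video feed to anyone who can reach its address, with no credential checked at all. The following is an added illustration, not Trendnet firmware or any vendor's code; the request model, the `owner` account and the password are constructed for the example. It places the unauthenticated handler next to a hardened one that requires a per-user credential, compares it in constant time, and records failures so that repeated probing from one address can be spotted.

```python
"""Added example: an unauthenticated camera feed handler next to a
hardened one. Hypothetical model, not any vendor's firmware."""
import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class Request:
    path: str
    source_ip: str
    headers: dict = field(default_factory=dict)

# Constructed credential store. A real device would keep a salted hash
# provisioned per unit in non-volatile storage, never a shared default.
SALT = b"constructed-salt-for-example"

def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"owner": _hash_password("correct horse battery")}
# Dummy digest compared against when the user is unknown, so that an
# unknown name costs the same time as a wrong password.
_DUMMY = _hash_password("unused")

AUTH_LOG: list[str] = []

def insecure_handle(req: Request) -> int:
    """Weak design: anyone who reaches /stream gets the feed (HTTP 200)."""
    if req.path == "/stream":
        return 200
    return 404

def secure_handle(req: Request) -> int:
    """Hardened design: /stream needs an 'Authorization: user:password'
    header; bad attempts return 401 and are logged with the source IP."""
    if req.path != "/stream":
        return 404
    user, _, password = req.headers.get("Authorization", "").partition(":")
    expected = USERS.get(user, _DUMMY)
    supplied = _hash_password(password)
    # compare_digest avoids leaking how many bytes matched via timing
    ok = user in USERS and hmac.compare_digest(expected, supplied)
    if not ok:
        AUTH_LOG.append(f"auth_failure ip={req.source_ip} user={user!r}")
        return 401
    return 200

def failed_attempts_by_ip(log=None) -> dict:
    """Count authentication failures per source IP from the log lines,
    the basic signal a defender would alert on for a brute-force attempt."""
    entries = AUTH_LOG if log is None else log
    counts = Counter()
    for line in entries:
        for token in line.split():
            if token.startswith("ip="):
                counts[token[3:]] += 1
    return dict(counts)

if __name__ == "__main__":
    anon = Request("/stream", "203.0.113.5")
    print("insecure:", insecure_handle(anon))   # feed exposed
    print("secure, no creds:", secure_handle(anon))
    print("failures:", failed_attempts_by_ip())
```

Running the block shows the insecure handler returning 200 to an anonymous request while the hardened one returns 401 and records the attempt; `failed_attempts_by_ip` is the kind of counter a device or its cloud service can feed into rate limiting or alerting.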
In another high-profile case, a hacker gained control of a baby monitor in a Houston home and said terrible things to a sleeping child. [*Correction – Nov. 6, 2013]
No online system is safe, as hacks of banks, hospitals, and government and military systems have shown, and this vulnerability is now spreading to our cars, home appliances and medical devices, as these become connected in the Internet of Things.
Highway To Hell?
Cars are beginning to offer WiFi for passengers, making them more vulnerable to hacking as “that network connection is a potential route into the control systems for the automobile,” Jarad Carleton, principal analyst at Frost & Sullivan, told TechNewsWorld.
For example, more than 100 cars sold by an auto dealer in Austin were disabled or had their horns honk uncontrollably after a worker laid off by the dealer hacked into its Web-based vehicle immobilization system used to deal with delinquent customers.
Google, Yahoo, Facebook and wireless carriers are all interested in having a presence in connected cars. Given that social media sites are a major vector of attack for cybercriminals, and security experts are pointing not only to a rise in mobile malware, but also to the emergence of mobile botnets, this might be a cause for concern.
Already, Innova has come up with a concept-to-cash platform for connected cars that will facilitate the delivery of ads, extending online companies’ presence into consumers’ automobiles.
Work is proceeding on resolving security issues with connected cars — Intel’s McAfee unit is working on this, as are Ford and Chrysler. SAE International has set up a committee of industry experts to advise manufacturers on preventing, detecting and mitigating cyberattacks.
Hitting the Home
Researchers at Italian firm ReVuln have demonstrated that it is possible to hack into a smart TV to gain root access, which would let attackers remotely wipe data from attached storage devices and monitor and control the TV.
Trustwave SpiderLabs has also presented on security issues with some smart home products.
As consumers connect more devices to their home networks, hackers might have more opportunities to steal personal and financial information from computers on those networks, or to enlist those devices in a botnet.
Security in the IoT
The move toward the IoT is picking up steam. Xively Cloud Services has launched a cloud-based platform to build IoT devices and is offering consulting services.
Elektron Technology has selected Xively to help build its next generation of connected solutions.
Machine to machine communications — the basis of the IoT — are so diverse that it is not easy to come up with a comprehensive vision for security, said Andrew Jaquith, chief technology officer of SilverSky, at a workshop in June.
“It’s a system in the same way that healthcare is a system: fragmented, partly analog, few standards, and filled with many parties with competing interests,” Jaquith said.
“In my view, everything should be on the table: software security liability for manufacturers; legal shielding for sharing of security data and incidents; promotion of industry standards and inclusion of these standards in purchasing guidelines; and, in cases where the risks demand it, regulation or legislation,” he added.
Device makers must consider the entire security lifecycle from inception to design, to deployment — and continuously once their product is in the market, Philip DesAutels, Xively’s vice president of technology, told TechNewsWorld.
“Security is needed at the device and application level, as well as service, so that access and interoperability [are] addressed in a permission-based way,” DesAutels continued.
Not Taking Care of Business?
Cost pressure and speed to market are undermining security on connected devices. The best practices “have not substantially changed since the late 1990s,” Kevin O’Brien, enterprise solution architect at CloudLock, told TechNewsWorld.
“Don’t overconnect your systems, don’t trust a locally compromised or accessible device, and subject your code and hardware to third-party penetration testing, both in black and whitebox variants,” O’Brien continued.
However, testing is expensive, “and in a globally competitive market, expense tends to be cut in favor of market speed and consumer price,” O’Brien pointed out.
Going to the Law
Legislation that proactively addresses the dangers of pranking and hacking once the Internet of Things is a reality is needed, Alex Watson, director of security research at Websense, told TechNewsWorld.
In the meantime, “we need to develop best practices for vendors and customers to limit their risk and exposure to cyberattacks targeting critical devices and infrastructure that is more and more connected each day,” Watson suggested.
The FTC “has not taken a position on whether there should be new laws,” commission spokesperson Peter Kaplan told TechNewsWorld. “Right now, we’re doing enforcement and consumer education.”
The commission will hold a workshop on the IoT on Nov. 19, but “it’s not certain what ends up coming out of workshops,” Kaplan said. “Sometimes it’s a report, sometimes it’s policy recommendations.”
*ECT News Network editor’s note – Nov. 6, 2013: Our original published version of this story mistakenly stated that “Trendnet made headlines in August when someone hacked into a baby monitor in a Houston home and said terrible things to a sleeping child.” The camera in that incident was not a Trendnet camera. We regret the error.