“Mr. President, the Problem is Much Worse than You Think”
Late one night in 1983, then-President Ronald Reagan – an avid movie lover – watched War Games, about a teen who hacks NORAD (the North American Aerospace Defense Command) and nearly starts a third world war. A few days later Reagan asked General John Vessey, then Chairman of the Joint Chiefs of Staff, whether this could really happen. After a week of investigation, General Vessey’s answer was, “Mr. President, the problem is much worse than you think” – a response that quickly jumpstarted new efforts to develop America’s cyber capabilities.
You’re probably thinking: That was then, this is now. Right? In the Eighties, concepts like cyberterrorism were new and nobody – not even the White House – was prepared.
We’ve made great strides in terms of our awareness, sensitivity, and readiness for cyber threats over the last thirty-five years.
But while this may be true of many aspects of network security, it’s simply not the case with IoT. When it comes to this relatively new area of cyber terrorism, the shocking truth is that our naiveté is not that far from that of the Reagan era.
Sony Camera’s Backdoor
One example that illustrates the vulnerability and danger of IoT is the recent story about Sony security cameras. Last October, researchers from SEC Consult found two backdoor accounts in 80 models of professional Sony security cameras – the kind that’s primarily purchased by enterprises and authorities, because of their high cost.
The cameras’ backdoor accounts have the potential to give hackers full access to the cameras. A camera taken over by an attacker could spy on a client – or worse, use the camera to take a foothold in a network and launch further attacks.
End of story: Sony released firmware updates for all affected camera models on November 28, 2016 that remove the backdoor accounts, and advised all users to install these updates as soon as possible. But clearly, what happened to Sony can happen in other contexts. Hackers know this, and in today’s reality it’s specifically IoT devices that pose the greatest risk to security and have become an attractive target.
The Issue of Price Point
IoT devices are generally mass-produced using simple techniques, and at the lowest prices. The problem is that “cheap and easy” usually translates into “highly insecure.”
Manufacturers are motivated to keep the price down. And because hackers use devices to attack third parties, there is little incentive by users or manufacturers to take responsibility for the resulting security issues. This leads to the obvious question of who is handling the resulting security risks.
The Limited Nature of “Things”
One of the reasons IoT vendors do not prioritize the installation of security capabilities in devices is that the devices are not as easy to secure as more traditional computing devices. In some cases, they have limited configuration capabilities. And in most cases, vendors do not issue regular security updates or patches when vulnerabilities are discovered – meaning that your IoT device firmware is only as secure as your last patch.
Because most IoT devices do not have large amounts of extra storage space, memory, and processor power, adding strong security to them can be problematic. Encryption, blacklisting and other security mechanisms often require storage space and memory/processing capabilities, which are well beyond what the device has built in.
Unlike a typical computer, when it comes to IoT you cannot just “open the box” and add more of these resources. If security is going to be a consideration, it needs to be addressed at the design stage. But this potentially leads to changes in product design – and more money spent by the vendor.
Unknown and Undetected
IoT vendors usually have much more information on your network that they keep to themselves – and that users are not aware of. IoT devices collect a wide variety of information, and because the devices are not sufficiently protected, it can mean the exposure of an organization’s critical data or infrastructure.
Take, for example, something as mundane as multifunction and digital hardcopy devices. These machines generally come complete with their own operating systems, hard drives, and supporting subsystems. When employees copy confidential company documents, it’s unlikely that they are aware that the images of these documents are saved on the system’s hard drive. Similarly, when employees scan documents and send them to file servers across the network, they probably do not know that they are sending unprotected files across the network.
The Buck Stops…Where?
So who is taking responsibility for tackling our troubling reality, a reality that includes increasing IoT vulnerabilities and the constant threat of cyber attack?
There are several ways of tackling the problem. One possible approach (described in this recent article by SearchSecurity) was pitched by security expert Bruce Schneier at the recent RSA Conference 2017. Schneier called for the creation of a U.S. government agency focused on IoT regulation, warning, “We need to think about smart regulations now, before a disaster, or stupid regulations, will be foisted on us.”
Another, completely different approach involves keeping our focus on developing innovative technological solutions that help protect networks.
As outlined in this recent post on Forbes, one possible way forward involves building smarter, more resilient networks that can shunt a load away if it’s malicious. The vision involves using the combined forces of automated tools, for the analysis of network behavior, and skilled human operators, who can figure out how best to combat each threat.
Given the complexity of the threat, what we need here is not an either/or approach, but a combination of options. Because one thing is clear: the nature of IoT requires thinking out of the box and exploring new and innovative means of keeping our networks protected.