The internet of things needs a new security model. Which one will win?
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 22 Jan 2014 16:59:37 -0700
The Target data breach occurring over compromised point-of-sale terminals.
The recent news that a botnet army which sent 750,000 spam emails included
a refrigerator. The discovery of a Linux worm that could infect security
cameras. In the last two months all of these headlines have served to stoke
fear over the vulnerability of connected devices and current security
practices. Much like the cloud has allowed denial of service attacks to
grow in might, the array of relatively dumb and unsecured connected devices
threatens to participate in botnets, leak data or act as a weak point for
hackers to target.
And when it comes to securing the internet of things, it’s likely that the
current methodologies will have to change, given how a connected and
interconnected world works. Instead of keeping bad guys
out, the zeitgeist is moving toward assuming everything is compromised and
working out a way to prevent attacks from becoming a success or figuring
out a way to establish and then re-establish a trusted environment.
This is hard. But first, let’s focus on some of the things that make the
internet of things such a challenge to secure in the first place.
- Promiscuity across networks. Because devices are expected to talk not
only to the internet but also to each other, every node
on the network is a potential weak point — and depending on whose numbers
you believe, those devices will number in the 30 to 50 billion in the next
five or six years. You aren’t only securing the internet of things from
dangers that might attack it over the public internet, but because most
connected device networks are mesh networks, you must secure a bad node
from attacking or co-opting other devices on the same mesh.
- Connected devices are stupid. As this post from Gartner points out, not
all connected devices are like smartphones or even packing the
computational power of a 32-bit microcontroller. That means tasks like
encrypting data are going to be impossible and any type of security must be
- The owners of connected devices are stupid. Fine, they may not be stupid,
but they certainly aren’t using password generators or even making sure
their hardware is up to date or changing the admin password on the devices.
Many consumer connected devices have to be dead simple and have security to
match. And of course, if the trade-off is between security and convenience
(two-factor authentication? No way!) security will lose.
- The great unknown. We haven’t figured out how we’re going to get devices
to talk to each other and to automate our workplaces and lives yet. It’s
really hard to secure an amorphous concept, which is pretty much what most
implementations of the internet of things look like today. Sure, there are
closed systems that may feel more secure, but if we accept that the goal
here is to build services on top of hardware and software that shares its
data, then those closed systems are going to look like relics of a quaint
and forgotten past. But so far, we don’t know what will evolve, what
protocols it will use and what ways to build out the system will win.
There are many, many more issues, some of which are subsets of these and
others that are just crazy, like the idea of denial of power attacks by
which an attacker sucks an essential sensor battery dry. So how will we
One idea gaining ground is that we will accept that the system is insecure
and then develop software and procedures to determine what we can trust on
the fly. I have no idea what it might look like, although my friend Jason
Hoffman at Ericsson likened it to a Turing test for security that devices
might perform. It has the same underlying assumption that influences
Netflix’s Chaos Monkey concept, which is to assume systems will break and
prepare for it in all manner of ways.
In a related concept, perhaps instead of stopping data breaches we’ll stop
those who profit from them from actually making money. This week, Shape
Security, a startup founded by some ex-Googlers, launched a product that
tries to prevent people from mass-charging goods at online retailers.
Shape’s magic is that it can generate a dynamic and ever-changing version
of the HTML, CSS and Java on a web page while still keeping the front-end
looking the same.
The benefit of this is the hackers who have stolen credit card information
can’t write scripts that automatically fill out the order forms on web
sites like Amazon or Wal-Mart. When you’re trying to monetize 30 million
stolen credit cards, you aren’t entering that data by hand.
And finally there’s the concept of designing with security in mind, which
is of course a lot harder than it might seem. But this is the approach most
security researchers are advocating, with some even encouraging government
agencies to impose fines on CE companies if their products are hacked. This
might involve using chips that have trusted zones to store sensitive data
or rewriting the firmware for these devices with far more secure code. Many
attacks on security cameras and routers come in via the firmware.
It’s not an area that gets much investment because, until now, it was
something the user doesn’t see. It’s like not dressing up for a conference
call taken from the home office — it doesn’t matter until suddenly the
conference call becomes a Google Hangout or video conference. Once these
embedded devices started connecting to the internet they were switched from
voice to video and everyone could see their flaws.
Other elements of designing for security might be limiting access, or
securing how the device talks back to the cloud and making sure the servers
it talks to are secured. It might be the locked-down version of security
we’re familiar with today, or it might mean implementing that type of
Turing test to ensure it’s secure before transmitting information.
Basically, security models change over time in the IT realms and, as we
enter a new realm with more nodes, differing interconnections, normal users
and dumb devices, we’re going to have to adapt. Let’s talk about how.
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com
Risk Based Security (http://www.riskbasedsecurity.com/)
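
The idea in the Shape Security paragraph above, reduced to form field names: the visible form stays the same while the names a script would target change on every render. This is an added example, not part of the original post and not Shape's implementation; `RotatingForm`, `FIELDS` and the hidden field `n` are hypothetical names, and the sample post is constructed.

```python
from __future__ import annotations
import hashlib, hmac, secrets

FIELDS = ("card_number", "expiry", "cvv")  # logical names the backend uses


class RotatingForm:
    """Serves the same visible form with different field names on every render."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)   # server-side secret, never sent
        self.outstanding: set[str] = set()   # nonces issued but not yet used

    def alias(self, nonce: str, field: str) -> str:
        mac = hmac.new(self.key, f"{nonce}:{field}".encode(), hashlib.sha256)
        return "f" + mac.hexdigest()[:16]

    def render(self) -> tuple[str, str]:
        """Return (nonce, html). Labels are stable; only name attributes change."""
        nonce = secrets.token_hex(8)
        self.outstanding.add(nonce)
        rows = "".join(
            f'<label>{f.replace("_", " ").title()} '
            f'<input name="{self.alias(nonce, f)}"></label>'
            for f in FIELDS
        )
        return nonce, f'<form method="post"><input type="hidden" name="n" value="{nonce}">{rows}</form>'

    def decode(self, posted: dict[str, str]) -> dict[str, str] | None:
        """Map aliases back to logical names, or None if the post is rejected."""
        nonce = posted.get("n", "")
        if nonce not in self.outstanding:
            return None                      # unknown or already-used render
        self.outstanding.discard(nonce)      # each render accepts one post
        expected = {self.alias(nonce, f): f for f in FIELDS}
        body = {k: v for k, v in posted.items() if k != "n"}
        if set(body) != set(expected):
            return None                      # hard-coded or stale field names
        return {expected[k]: v for k, v in body.items()}


if __name__ == "__main__":
    form = RotatingForm()
    nonce, html = form.render()
    print(html)
    # Constructed sample post that reuses static names, as a fixed script would.
    print(form.decode({"n": nonce, "card_number": "4111", "expiry": "01/30", "cvv": "000"}))
```

Rotation of this kind only rejects posts built against fixed names or replayed renders, so it sits alongside rate limiting and fraud checks rather than replacing them.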