We've heard a few times that the "S" in IoT stands for Security. It's humorous, but not actually funny given the truth behind it. Security (and privacy) tend to rely on a late-stage catalyst event — unfortunately, that event is usually a real threat or an incident/breach. In these later stages, some of the options that would truly fix the issues have expired, and you are left with defense-in-depth and mitigation.
This has already happened with mobile devices, gaming consoles, clouds, etc. In these instances, refactoring or even redesigning has been able to incorporate security and privacy more holistically, actually allowing for market or brand differentiation. As an example, consider Apple's recent "Privacy. That's iPhone." (Note that Apple got a little "lucky" here since their closed hardware and software ecosystem plus their anti-tampering measures that were intended to protect their IP and brand have also given them significant advantages in security and privacy.)
However, not every platform will get that much time or significant investment. IoT has had a few scary moments (see reference links below), but no catalyst event... yet. The future of IoT security and privacy is a bit murky at this point given its overall maturity as well as its significant and unique challenges. Even just defining "IoT" is a challenge, but any discussion needs to start with an agreed-upon definition.
So, what is IoT? You can read definitions for IoT on Wikipedia and other sites, but we doubt you will come away with the same understanding as others who do the same reading. From Wikipedia, IoT is "the extension of Internet connectivity into physical devices and everyday objects. Embedded with electronics, Internet connectivity, and other forms of hardware (such as sensors), these devices can communicate and interact with others over the Internet, and they can be remotely monitored and controlled."
Crystal clear, right? Not for us either. It's simple, but still broad enough to include Things which most would agree are not IoT, like iPhones or Xboxes. IoT does include Things such as modern appliances (refrigerators and baby monitors/cameras, but maybe not microwaves), industrial controls, medical devices, etc. There are also some grey areas, including personal assistant devices (Alexa, Siri, Cortana), wearables (Fitbit, iWatch, Google Glass-es), and pretty much any modern car, truck, or SUV. Rather than list or debate what is or isn't IoT, we'll go with the broad definition and give an example to frame it: A Thing (device) that has computing capabilities and connectivity to the Internet, a network providing services, capabilities, and connectivity with other Things. Still not a completely clear definition, but it is more concise.
We'll provide an example, list the challenges (focus on security and privacy), and explore each challenge as part of this IoT blog series. Consider the common traffic light with its simple functions: red, yellow, green, or flashing yellow. It could be standalone where it just cycles through the red, yellow, and green states based on some pre-programmed timing during peak hours and flashing yellow during off-peak hours (or when it doesn't know what else to do). But it isn't standalone — it has connectivity to a larger traffic network and services (Internet) to tell it what to do and when to do it, including vehicle and pedestrian proximity sensors, an emergency vehicle sensor, and other sensors (e.g., visual/light, temperature, moisture, etc.). The traffic light uses the "Internet" to get the what/when and is programmed for the how including an offline/limp mode where it can revert to standalone operation. It will usually be communicating on the network to get updates, get what/when instructions, and transfer data (state, health, telemetry, etc.). A traffic light meets the basic definition and provides us with a good example to explore the key challenges:
Physically accessible to unauthenticated and unauthorized users: This is key in IoT, especially for security and privacy! The Things are typically devices that can be physically accessed by the owner, users, or the public (including attackers). An attacker could tamper with hardware, software, or its connections, steal a device to reverse engineer or find other vulnerabilities, or just damage it through brute force. This may also mean that they are expected to operate in "harsh" environments with a range of weather, temperature, jarring movements, electronic interference, etc. Important note: While attacks may target or subvert Things directly, a larger risk is an attacker using the Thing as a foothold to attack back through the Internet to the connected network, services, and other Things.
Long life span: Many mixed hardware and firmware/software devices have a realistic life span of five years or less. This is really the effectiveness and serviceability span — while your PC may live for more than five years, it will become outdated in capability and performance as the operating system and software target newer, faster, and less expensive hardware. IoT Things can have life spans that exceed 10 years, aligning with the host systems they support (e.g., vehicles, traffic lights, or refrigerators). Serviceability of the hardware and software can be difficult since the Things may be deployed in geographically disparate locations and they may move! Hardware updates may be extremely difficult and limited to replacement of the entire Thing. Software updates are easier (we still have the Internet part), but there are still the offline and bandwidth issues to consider. Availability and security of the deployment and update chain is another key in IoT.
Emerging standardization: Hardware, firmware/software, packaging, communications, and integrations are challenged by the lack of standardization in IoT. While this only indirectly affects security and privacy, the challenge and impacts can be significant. Without standard and ingrained security and privacy, businesses must rely on defense-in-depth provided by layers of defenses/deterrents, controls, and monitoring. Security and privacy also require agility to stay ahead of threats and attackers, and standardization can be critical for agility in a response and its effectiveness. For example, we recommend not "rolling your own" or customizing cryptography for data, communications, credentials, or tokens. Instead, use standards that rely on community expertise, then provide mechanisms to update your products with agility. A lack of standardization can make following this cryptography guidance a big challenge. Standardization issues also trickle into the Internet aspects because Things can communicate via a mix of wired (e.g., Ethernet) and over-the-air (OTA, e.g., WiFi, Bluetooth, cellular, etc.) connections, which are all evolving in terms of capabilities and threats. These are all attack surfaces that may be present even if you aren't directly using the capability. There are also protocols that fit well with IoT given their low power/performance footprint that are nudging their way into IoT standardization (e.g., Powerline or Zigbee). However, these don't necessarily have security and privacy as priorities.
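The traffic light from the example above, sketched as an added illustration (not code from this post or from any real controller): it applies a network instruction only when a standard HMAC-SHA256 tag verifies and the message is fresh, and it reverts to flashing yellow when valid instructions stop arriving. The shared device key, the message fields, and the timing limits are assumptions made for the sketch.

```python
import hashlib
import hmac
import json

# Constructed demo values (assumptions, not taken from the article).
DEVICE_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE_S = 30       # instructions older than this are ignored
LIMP_AFTER_S = 120   # no valid instruction for this long -> limp mode
ALLOWED = {"red", "yellow", "green", "flashing_yellow"}


def sign(body: dict, key: bytes = DEVICE_KEY) -> dict:
    """Service side: serialize an instruction and attach an HMAC-SHA256 tag."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class TrafficLight:
    def __init__(self, now: float):
        self.state = "flashing_yellow"  # safe default until instructed
        self.last_valid = now
        self.last_seq = -1

    def handle(self, msg: dict, now: float) -> bool:
        """Apply an instruction only if it authenticates, is fresh, and is new."""
        try:
            payload = msg["payload"]
            expected = hmac.new(DEVICE_KEY, payload.encode(),
                                hashlib.sha256).hexdigest()
            # Constant-time comparison from the standard library.
            if not hmac.compare_digest(expected, str(msg["tag"])):
                return False
            body = json.loads(payload)
            seq, ts = int(body["seq"]), float(body["ts"])
            state = str(body["state"])
        except (KeyError, TypeError, ValueError, AttributeError):
            return False  # malformed input is rejected, never trusted
        if state not in ALLOWED or seq <= self.last_seq:
            return False  # unknown state, or a replayed/old sequence number
        if abs(now - ts) > MAX_AGE_S:
            return False  # stale or future-dated instruction
        self.state, self.last_seq, self.last_valid = state, seq, now
        return True

    def tick(self, now: float) -> str:
        """Revert to standalone limp mode when the network has gone quiet."""
        if now - self.last_valid > LIMP_AFTER_S:
            self.state = "flashing_yellow"
        return self.state
```
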
Cylidify has a depth and breadth in IoT security and privacy that comes from direct and consultancy experience with embedded and IoT systems. We've been there and done that in many regards, but we are also committed to staying on the leading edge to help businesses keep pace with the emergent nature of IoT, including the threat and attack landscapes. We are here to help IoT businesses with consulting, services, and referrals!
Please continue to the next blog in this series: IoT - Physical Security
References:
IoT has had some scares, but not a catalyst event that brings security and privacy to the forefront. However, there are many attack scenarios that could occur now or in the near future. We'd much rather you be ahead of the curve on that drama.
Hacking history: https://www.iotforall.com/evolution-iot-hacking/
Interesting reverse attack: https://www.businessinsider.com/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4
Necessary feature, but lacking authentication & authorization: https://www.caranddriver.com/features/a15133690/how-to-become-a-felon-without-really-trying/
Comment updates:
Cylidify posts that are interesting in an IoT context:
@Rosnay.Carena - agree that TPM and HSM or at least secure storage for keys and tokens must find its way to IoT to allow for robust authentication and authorization. We've updated the post to include your links and will add a bit on Azure IoT Hub which is moving that needle. Thanks for reading and commenting!
https://azure.microsoft.com/en-us/services/iot-hub
Great article! S-IoT remains a relentless pursuit for sure! I like the idea of having an HSM-like behavior embedded in some safety-critical IoT devices, coupled with a Security Gateway between the device and the Internet... fun fun fun pursuit! :-)
Additional links that may further spark discussion:
- https://www.iotsecurityfoundation.org/
- https://internetofthingsagenda.techtarget.com/definition/IoT-security-Internet-of-Things-security
Thank you for a great article!