Infosec IoT challenges for 2017
Last year we got a pretty massive example of how scary unsecure the IoT is.
So, last year we got the first massive results of how insecure the Internet of Things (or IoT) world is: the Mirai botnet gave us an example of it for all to see, and it doesn't seem like it's going to get any better soon. Also, to make an example the CES 2017 in Las Vegas running these very days, is promoting a massive amount of IoT "news" to the general public, so things could (possibly) get even worse, when not only our cameras will start performing massive DDoS attacks, but also the lawnmowers will start misbehaving.
So what's the deal with IoT and Infosec? Will security experts keep complaining about how insecure products are and how they should fix it or, rather, how consumers shall configure their firewalls at home? Whether we like it or not, consumer products must get as low price as they can so they can be sold, meaning they have to roll out “effective” software and hardware with as low effort as possible. We can’t really hope for a massive “security culture” spreading.
For those willing to complain, please be my guest. Although I feel that is the longest way to get nothing done. Except headaches.
Rather we should focus on something else, moving our attention to the companies that install or supply IoT stuff to give some further support to those who, like all of us, will start approaching the IoT world and gain the benefits it will propose.
You may want to look into this infographic for a better view of what is going on in the IoT market (click to open the full infographic)
(source - Credit: Comparitech, (C) 2017 Comparitech Limited - used with permission)
From my perspective, there is a lot we can do by focusing our attention to where we can bring security. Given any IoT device within a home environment (please allow me to focus on this specific issue within this article) we can operate here:
- The home network’s border, i.e. the home router/firewall
- At the ISP level, with MSSP solutions
- At the CSP (Cloud Service Provider) with new cloud based services (perhaps more secure)
I see a future not so distant where a home should be equipped with a security appliance that gives two different security models. The first being protecting home devices like computers, tablets, smartphones and smart TVs from inappropriate or dangerous content. And with this kind of protection I also mean protecting children from content they should not be able to access, neither accidentally nor intentionally. Pornography, Darkweb, Malware, Ransomware, the Internet is a massive amount of things that could harm, directly or indirectly, adults as well as minors. Therefore, I would see this this kind of protection from what is accessible and visibly by people.
The second model is to protect every other device which traffic is not visible, or IoT. Security cameras, fridges, and any future IoT device that will start showing up in our homes. This kind of devices shall be isolated and protected at the time of installation so they won’t produce any harm when a breach is found.
Most failures I could experience directly were driven because who installed the device did not have any idea of what it could lead to. Hence the issue is not with the device(s) alone, but who does the job. And that’s why I can see homes with a firewall wall-mounted and managed by a company that, when installing it, informs you which thing goes where. Whereas there is a security by design implemented things might get easier, and honestly, I don’t see it so unachievable.
Want it or not, ISPs are always in the middle of the fight, and IoT devices wants to have an Internet connection… guess why. So why ISPs don’t just consider the idea of securing their networks? Perhaps because if they are too big it would be too expensive to handle. So they might consider asking support for local MSSPs (see below) for support in handling this kind of issue. Probably the solution could be cost effective and more reliable.
More and more devices are not even needing of inbound connections, which forced them to have their services exposed on the Internet, but they use an outbound connection to connect to the Cloud Service Provider. Whereas these devices do not provide such kind of feature, a service provider should consider building such feature. Say, having the firewall wall-mounted at home, they could just build a VPN tunnel to their infrastructure and supply secured access to home services. And this kind of service doesn’t require a specific infrastructure to be built, Azure or AWS are already up for the challenge.
So, saying the IoT will fail its security is as much as saying that we need to solve the pollution problem, but nothing will be accomplished unless we start acting. And for “we” I mean the System Integrators and Security Firms that have security in mind and see the opportunity to make a change.
We already have security solutions that can give us the right level of security at an accessible cost, and commodities like house automation brought by IoT don’t come for free. Using this technology in a better way is only our choice.