I have previously written about my worries about using Internet of Things devices for private use in my home. Security, both physical and logical, was my main concern, and I had hoped that the manufacturers of these devices would be building security into their design. And then I read an article like this: http://phys.org/news/2016-05-smart-home-flaws-popular.html.
Researchers at the University of Michigan were able to hack into a leading home automation system, essentially opening the door for anyone. I also learnt a new term, “over-privilege”. Apparently the default access granted to the automation apps was “full access” to a device rather than the much narrower level of access each app actually needed. More than 40% of the nearly 500 applications examined were granted access they did not require.
The researchers reported their findings to the manufacturer in December 2015 and the company is working on a fix.
This lack of security in IoT concerns me more than ever. With ransomware becoming a greater problem (Ransomware and the Internet of Things; Why the Internet of Things is the next target for ransomware | ZDNet) and hacks already taking place (BMW Hack: the auto industry’s big cyber-security warning sign [w/video]), I feel that we are entering an age of balancing risk and reward more than ever.
Reaping the advantages of the connected Internet of Things opens your devices up to potential security breaches. It is one thing to lose access to your data, as some hospitals did (Two more hospitals struck by ransomware, in California and Indiana | Healthcare IT News), which can disrupt operations (just Google “ransomware hospital” to see the number of attacks); it is another thing to have a control system held hostage.
Having a control system hacked and taken over could have catastrophic results. For this reason it is quite common within the chemical industry to “air gap” control systems, but that starts limiting the benefits that IoT offers: the control systems gather a lot of relevant data and we want access to it. Assuming we want or need to gather and use the data collected by the control systems, we need to architect the security into the landscape ourselves rather than depend entirely on the IoT manufacturers to include sufficient security. DMZs, multiple firewalls, automatically pushing the data into a common staging area and then passing it from that staging area to the analytical systems, and not allowing any system that can access the Internet to write back to the control systems: these and other options must be considered. The direction of the data flow is the key point: the control network pushes outward, the analytics systems read from the staging area, and nothing on the Internet-facing side has a path to write into the control network.

In addition, the need to update these control systems has to be taken into account. The IoT vendors seem to assume that they will be able to update their devices straight from the Internet. I think this is not going to be allowed in a lot of cases. Testing, verifying that the update is authentic and unmodified, and scanning it for viruses and malware all have to be done before it is allowed anywhere near the control network.
There have now been instances where malware has been embedded in software development tools, so that each new application built with them contained the malware (Apple’s XcodeGhost malware still in the machine… – Naked Security). When application developers depend on other companies’ code, which in turn depends on yet other code (looping to infinity), malware can be inserted at any stage of the development process. How do we clean such infections? Are we going back to the time when everything was custom coded, so there is only one company to blame? Will we insist on third-party verification of all components used to build an application, to ensure nothing has been installed unknowingly?
I believe that eventually we will sort all this out, but we are in the early stages of the game. The benefits of IoT are there, but understanding and accounting for the risks involved is the key to really driving benefits out of IoT.
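As an added example (not code from the original post, nor from any vendor or product it mentions), here is the kind of gate that both the update-vetting point above and the component-verification question in this paragraph call for: an update or build component is only let through if a signed manifest verifies and every component's hash matches it, and anything unlisted (the XcodeGhost pattern of a swapped toolchain or an extra binary) is rejected. The component names, their contents and the key are constructed for illustration; HMAC-SHA256 stands in for the asymmetric signature a vendor would actually publish.

```python
import hashlib
import hmac
import json

# Added example, not code from the original post or from any vendor it mentions.
# Component names, contents and the signing key are constructed for illustration.
# HMAC-SHA256 is a stand-in for a vendor's asymmetric signature (e.g. Ed25519);
# it needs a shared key, so in practice replace it with a public-key check.

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical(manifest: dict) -> bytes:
    # Fixed key order and separators so the signed bytes are reproducible.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()

def sign_manifest(manifest: dict, key: bytes) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()

def verify_manifest(manifest: dict, signature: str, key: bytes) -> bool:
    # Constant-time comparison so a forged signature cannot be guessed byte by byte.
    return hmac.compare_digest(sign_manifest(manifest, key), signature)

def vet_components(manifest: dict, components: dict) -> list:
    """Compare supplied components against the (already verified) manifest.

    Returns a sorted list of (name, problem) pairs. An empty list means every
    listed component is present with the expected hash and nothing unlisted
    was supplied. Only an empty list should let an update reach the control network.
    """
    problems = []
    for name, expected_hash in manifest["components"].items():
        data = components.get(name)
        if data is None:
            problems.append((name, "missing"))
        elif not hmac.compare_digest(sha256_hex(data), expected_hash):
            problems.append((name, "hash mismatch"))
    for name in components:
        if name not in manifest["components"]:
            problems.append((name, "not in manifest"))
    return sorted(problems)

def release_gate(manifest: dict, signature: str, key: bytes, components: dict):
    """Single decision point: check the manifest signature first, then every component."""
    if not verify_manifest(manifest, signature, key):
        return False, [("manifest", "bad signature")]
    problems = vet_components(manifest, components)
    return (not problems), problems

# --- constructed sample data (not real firmware or vendor files) ----------------
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"

# What the vendor actually built and signed.
GOOD = {
    "firmware-update.bin": b"\x7fFW\x01 constructed firmware image v2.3",
    "vendor-sdk.a":        b"constructed static library",
    "build-toolchain":     b"constructed compiler package",
}
MANIFEST = {
    "product": "demo-controller",
    "version": "2.3",
    "components": {name: sha256_hex(data) for name, data in GOOD.items()},
}
SIGNATURE = sign_manifest(MANIFEST, VENDOR_KEY)

# What arrives at the staging area: the toolchain has been replaced and an
# extra, unlisted file has been slipped in alongside the genuine parts.
TAMPERED = dict(GOOD)
TAMPERED["build-toolchain"] = b"constructed compiler package + injected payload"
TAMPERED["helper.dll"] = b"constructed unlisted binary"

# An attacker who also edits the manifest to match the tampered toolchain
# still fails, because the manifest signature no longer verifies.
FORGED_MANIFEST = dict(MANIFEST, components=dict(
    MANIFEST["components"], **{"build-toolchain": sha256_hex(TAMPERED["build-toolchain"])}))

if __name__ == "__main__":
    print(release_gate(MANIFEST, SIGNATURE, VENDOR_KEY, GOOD))
    print(release_gate(MANIFEST, SIGNATURE, VENDOR_KEY, TAMPERED))
    print(release_gate(FORGED_MANIFEST, SIGNATURE, VENDOR_KEY, TAMPERED))
```

The point of the ordering in `release_gate` is that hashes alone prove nothing if the manifest itself can be rewritten; the signature binds the whole list, and only then do the per-component hashes mean anything. The same gate works for a vendor firmware update sitting in the DMZ and for the third-party libraries pulled into your own build.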