IoT Is a Boon for Vendors, Spies, and Hackers


The Internet of Things (IoT) looks to be a boon for vendors selling hardware and services as well as spies and hackers. Vendors with IoT tools and solutions are popping up everywhere, and established vendors are turning their tools into IoT platforms. Not all markets are on the bandwagon yet, but everything from cars to HDTVs is being connected at an ever increasing rate.

Of course, consumers and vendors are not the only ones looking at IoT with ever-growing interest. IoT solutions provide a level of connectivity and millions of targets to hackers and spies who have never enjoyed such a large playground.

This is not to say that hacking IoT devices will be easy or that security is not foremost on the minds of IoT vendors and developers. IoT systems are being built on standards like Thread and ZigBee that have encryption and authentication at their heart. IoT solutions should, in theory, be more secure than earlier embedded network solutions.

In fact, much of this security support will work as designed, preventing straightforward attempts to decrypt encrypted data. The problem is that bypassing security is often the way spies and hackers get into a system. This is sometimes done by taking advantage of programming errors like the Heartbleed bug. It can also be done via a human vector, by tricking someone into providing their password or personal information that will allow an attacker to gain access to a system.

Another issue is back doors that are placed into a system by accident or on purpose. Be wary of anyone, from politicians to vendors, who wants to incorporate a back door into your product, because it is just one more way for a hacker to bypass all that security built into a system.

There are two major problems that tend to get overlooked in the discussion. One is problem detection and the other is fixing a known problem.

There are firewalls and intrusion detection systems (IDS) available. The challenge is that these systems have been employed in places like the enterprise, but are rarely discussed when it comes to consumer or industrial products. There is also the issue of overhead and integration as the number and variety of IoT devices proliferate. How do you incorporate new devices into an IDS environment?

Fixing a problem can be even more difficult, especially as platforms become locked down. Secure boot and update functionality can be very valuable in preventing a system from being compromised, but if those systems are compromised, then updating the system to fix it is important. A fix typically starts with the vendor, which has to send a signed update to an IoT application or device. This is great if the vendors are providing regular updates. That is true for operating systems like Microsoft Windows, but this is not always the case.

Consider smartphones that are often supported for only a few years. Unfortunately, this is more likely to be the case for many IoT devices. Likewise, vendors typically prevent third-party updates. For example, there are some network routers that can be configured with software like DD-WRT, but that tends to be the exception rather than the rule.

This leaves users with few alternatives for using a product with a known problem other than discarding the product. That may not be as much of an issue for a consumer product that has a limited lifetime or that is easily replaced, but it can be a major issue for an industrial product that is designed to be used for decades.

Many industrial SCADA systems highlight the problem of moving to an IoT/Internet-connected environment. Most of the early systems assumed a physically isolated network, so network security was often non-existent.

So what is a developer or vendor to do?

There is no easy answer to this other than to implement new systems with as few bugs as possible and to use best security practices. Updated policies need to be put into place as well. Remote updates tend to be easier for IoT devices, but that only makes the job easier, assuming updates are provided. End-user license agreements (EULAs) typically try to minimize liability, including for security-related issues. In the future, a EULA may not be enough vendor protection as security problems become more common.

The number of nodes accessible via the Internet is growing tremendously, and each is a potential point of attack as well as a place where bug-riddled code is running. Hopefully that code will not be bug-riddled, but given the quality of software these days, it is hard to be too optimistic.

The problem will be that one cannot simply ignore IoT or related products. Connected devices will be standard fare in everything from farm tractors to cars to refrigerators. Unfortunately, most users will be oblivious to security-related problems and issues until they are affected by a problem.

 

Discuss this Blog Entry 3

on Feb 3, 2016

Fingerprint sensors are being incorporated everywhere and in smaller sizes; that should be a good way to deter hackers.

on Feb 3, 2016

Someday we may learn that my toaster really doesn't need to be connected to the internet!

As far as industrial systems, the smart plant manager will create a dedicated and isolated LAN for them, using a router to pass anything in that is really needed, such as NTP, and using VPN or an encrypted link to connect it to off-site locations that need access. IoT is fine for toys, but in situations where hacking is a hazard, there's nothing quite like isolation.

on Feb 17, 2016

Unfortunately there seem to be quite a few plant managers that don't know much about network security and happily link their networks to the Internet. A single firewall is barely enough security but it is often all that sits between a completely open network and the outside world.


What's alt.embedded?

Blogs focusing on embedded, software and systems

Contributors

William Wong

Bill Wong covers Digital, Embedded, Systems and Software topics at Electronic Design. He writes a number of columns, including Lab Bench and alt.embedded, plus Bill's Workbench hands-on column....