
IoT “plug and pray” all over again, says security consultant

The increasing interconnectedness of IoT systems and services creates vulnerabilities that are making ‘cascade failure’ almost inevitable, says security consultant David Alexander

The internet of things (IoT) could be a case of “plug and pray” all over again if stakeholders fail to switch focus from grabbing market share to information security, a consultant has warned.

“There is little or no effective security,” David Alexander, managing consultant at PA Consulting, told the Crest Con and IISP Congress 2016.

“There is also a lot of deployment without planning for how it is all going to work and lots of land grabs for market share,” he said, which means companies are more concerned about getting products to market than about ensuring those products are secure.

The idea of smart, connected devices is not a new one, he said, but the technology has matured to the point where there is set to be an explosion of these devices in the industrial and consumer worlds.

In the UK, one of the most significant IoT networks will be the smart metering network, which will see the implementation of around 53 million smart meters for gas and electricity by 2021.

“This will provide a huge backbone of connectivity for smart meters to communicate with each other, hopefully securely,” said Alexander.

But, he said, it will also provide an infrastructure that lots of people are going to start linking things to. “This will probably be commercialised in ways we can’t yet imagine, adding an IoT utilities network to the internet, starting shortly,” he said.


Longer term, Alexander said power suppliers will seek to communicate with appliances so that they can be powered down at times of peak demand, but this could add another set of security vulnerabilities, because even if the smart meters are secure, there is a likelihood that the IP-connected appliances such as washing machines will not be secure.

Manufacturers ignoring security of internet-connected devices

Looking at the consumer market alone, Alexander said connected devices are already a growing presence in many households, but most consumers do not understand the associated security risks of these products and assume the producer or supplier has taken care of that.

“However, many IoT producers, when asked what they intend to do about security, will say ‘nothing’, because it adds time and cost and they typically don’t want to do that,” he said.

As a result, consumers are placing their trust in producers which currently have no real incentive to ensure IoT devices are secure. At the same time, consumers have no idea of what data is being collected or how that data is being used.

Alexander said, in his personal opinion, the evidence suggests manufacturers either do not care about security or do not understand security. Either way, he said manufacturers of IoT devices typically do not test security properly and tend to think it is somebody else’s problem.


“These products have all sorts of holes in them that make them an easy target, and the trouble is there are so many of them being rolled out,” said Alexander.

The unwillingness of manufacturers to address security issues, he said, is illustrated by Trane, which was alerted to serious security flaws in its ComfortLink II thermostat in April 2014, including hard-coded SSH passwords, and yet this particular issue was only fixed a year later, and the company took a further eight months to address the remaining vulnerabilities.

“When [Trane] eventually did fix the vulnerabilities it did not alert customers, so this is a classic example of the problems people are facing, where they have these devices, they don’t know they are insecure, and they are not made aware when there is a software update to make them secure,” said Alexander.

He also pointed out consumers should be aware that there is money to be made from data, and that electronics manufacturers have found a way to make consumers pay to put devices in their homes that will give the device makers data that will make them money.

“They are making us pay to spy on ourselves. It is marketing genius and privacy hell,” said Alexander, citing the additional examples of smartwatches and webcams that have been found to be sending data to unknown destinations.

“This is the kind of irresponsible behaviour we are seeing from manufacturers. It is these kinds of problems we are facing, and it is up to information security professionals to help find ways of addressing these issues,” he said.

Interconnected technology could multiply security failures

But with the continued proliferation of IoT communication protocols and frequencies, Alexander believes the problem will only get bigger and more difficult to solve.

“The increasing interconnectedness of these systems and services creates vulnerabilities that are taking us to the point where ‘cascade failure’ is almost inevitable – where the failure of one part can trigger the failure of successive parts,” he said, which could be exploited by nation states and cyber criminals alike.

One potential solution, said Alexander, would be to bring about a change in the configuration of home routers to create an IoT “demilitarised zone” port on the device, and to set up an open source working group to develop and test these kinds of configurations to separate IoT traffic from everything else.

There is also a need for an intelligent home hub to control devices, one that supports multiple protocols and frequencies and enables users to do intelligent configurations through a user-friendly web interface, he said, to tackle the addressing and routing issues associated with IoT devices and act as an IoT firewall to provide alerts if something is going wrong.
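The segmentation and alerting policy Alexander describes (IoT traffic on its own “demilitarised zone”, a hub as the devices’ controller, and alerts when something goes wrong) can be modelled as a simple rule set evaluated over connection records. The following is an added example, not code from the article or from PA Consulting; the LAN and IoT address ranges, the hub address, the per-device allowlist of vendor endpoints and the sample flows are all assumptions constructed for illustration.

```python
"""Model of the IoT "DMZ" segmentation and alerting described above.

Added example, not code from the article or PA Consulting. Assumes a trusted
LAN, a separate IoT segment, a hub that manages devices and a per-device
allowlist of vendor endpoints; all addresses and flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple
LAN = ip_network("192.168.1.0/24")       # assumed trusted home segment
IOT_DMZ = ip_network("192.168.50.0/24")  # assumed isolated IoT segment
HUB = ip_address("192.168.50.1")         # hypothetical home hub address
# Hypothetical allowlist: internet hosts each IoT device may contact.
ALLOWED = {
    "192.168.50.10": {"203.0.113.20"},   # thermostat -> vendor service
    "192.168.50.11": {"198.51.100.5"},   # webcam -> vendor service
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def evaluate(flow: Flow) -> Tuple[str, Optional[str]]:
    """Return (verdict, alert) for one new connection; verdict is allow/drop."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src not in IOT_DMZ:
        return "allow", None  # LAN-initiated traffic is not restricted here
    if dst == HUB:
        return "allow", None  # the hub is the device's legitimate controller
    if dst in LAN or dst in IOT_DMZ:  # lateral movement out of the DMZ
        return "drop", f"{flow.src} tried to reach internal host {flow.dst}:{flow.dport}"
    if str(dst) in ALLOWED.get(flow.src, set()):
        return "allow", None  # known vendor endpoint
    # Anything else is the "data sent to an unknown destination" case.
    return "drop", f"{flow.src} tried to send to unknown destination {flow.dst}:{flow.dport}"

def alerts_for(flows: List[Flow]) -> List[str]:
    """Run the policy over a batch of flows and collect the alerts raised."""
    return [alert for _, alert in map(evaluate, flows) if alert]

# Constructed sample: legitimate upload, lateral probe, unknown upload, LAN access.
SAMPLE_FLOWS = [
    Flow("192.168.50.10", "203.0.113.20", 443),
    Flow("192.168.50.11", "192.168.1.20", 445),
    Flow("192.168.50.11", "198.51.100.99", 443),
    Flow("192.168.1.20", "192.168.50.10", 80),
]
```

Running `alerts_for(SAMPLE_FLOWS)` yields two alerts: the webcam’s attempt to reach a LAN host and its upload to an endpoint outside its allowlist, while the thermostat’s upload to its vendor and the user’s access from the LAN pass silently.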

Finally, Alexander said organisations such as the Institute for Information Security Professionals (IISP) should be more active in the debates around IoT security.

“Security professionals should be contributing to guidance on the topic to influence opinion and best practice, to warn what is possible and to raise awareness of the risks,” he said. 
