How seriously should the security of IOT devices be taken?
Amethyst’s Steve Mash examines the potential threat of unprotected products
Security breaches in IT systems are now a regular event, with frequent reports of theft of personal details, databases full of passwords plundered, bank accounts being emptied and corporate intellectual property being stolen.
At first sight the security of an Internet of Things (IOT) device seems fairly low down on the list of things to be worried about. Hackers remotely accessing a webcam, interfering with internet-enabled kettles or accessing a car’s central locking systems can be annoying, even devastating for the individuals affected, but will rarely make the front pages of the newspapers.
But what if the exploitation of IOT vulnerabilities led to catastrophic consequences through a cascade or multiplier effect? What if the vulnerability being exploited was not in one IOT device but in tens of thousands of devices? If sales of IOT devices take off as predicted, then in just a few years’ time every household could have tens of IOT devices operating innocuously in the background. Suddenly the hackers could have the ability to affect millions of people rather than a few individuals. The consequences could be such that they not only make the newspapers’ front pages but also have real, tangible effects at a national level.
As a thought experiment, what if in ten years’ time half of the households in the UK had an internet-enabled kettle, and each kettle had a vulnerability that allowed a malicious attacker to take control? What would be the consequence if every kettle was commanded to switch on at exactly the same time? Well, the UK has around 26 million households, so half of them is 13 million kettles; an average kettle uses around 1800 watts, so that’s an instantaneous demand from 13 million kettles of 23.4 gigawatts. For comparison, the worst-case spike in demand in the UK, following events such as the end of a major TV broadcast, would be less than 1 gigawatt, and such events are predicted in advance and planned for by the electrical distribution companies. The spike from the malicious attack would come with no warning and could be timed to come when spare electrical generation capacity was at a low point during the day.
So, if there were enough IOT devices with vulnerabilities, a co-ordinated attack could potentially disrupt a nation’s electricity distribution systems. Flaws in the security of devices in the home would be impacting the electrical supply to a nation’s industrial facilities, transportation network and key infrastructure. The financial implications could be crippling; the knock-on effect on public safety or national security could be catastrophic.
Suddenly the security of IOT devices seems a little more important. However, as these are consumer products, the pressure on manufacturers will be to include more and more features at ever lower prices in order to stay competitive. This business environment is not one that is conducive to supplying the most secure of devices. Inclusion of comprehensive security controls will not be at the top of the list of development priorities. The imposition of regulations akin to the CE marking requirements of the European Union could ensure a minimum standard of security, but realistically IOT devices will always have vulnerabilities.
The answer is to minimise the consequences of the exploitation of any vulnerabilities, so that they can be managed and the impact controlled. One strategy would be to focus not on the IOT devices themselves, but on the devices that facilitate the connection of these devices to the internet. Treating IOT devices as insecure, untrusted objects and protecting networks from them removes the need to invest in IOT security. The consequence, however, is that legitimate users trying to access their own IOT devices have to overcome the barriers put in place to protect them. Not all consumers are happy to put up with such inconveniences; they just want to take their shiny new IOT kettle out of its box, fill it up, plug it in and then walk to the bottom of the garden to switch it on using a smartphone… because they can.