Internet of Things (IoT) will be secure, or it will break our technology dependent society – #InternetOfTroubles

The Internet of Things (IoT) is gaining attention, especially now just after CES, the consumer electronics show. Internet connected devices were all over the place. And all kinds of studies show the growth potential. But only few people pay attention to what will make or break IoT: the security aspect. Without a decent security strategy, IoT-devices could be turned into a gigantic army of zombies, breaking the internet. And therefore our technology dependent society. IoT could become the Internet of Troubles…

CONTENTS: Positives, potential | IoT = potential DoS army | The signs are all over the place… | What could happen… | What IoT device manufacturers should do |  Why is this important? | Updates

Positives, potential
Let’s first take a look what the IoT is, what it could bring to us. In short, IoT means that all kinds of physical devices, vehicles, buildings, … have embedded sensors, software and network connectivity, to be able to collect and exchange data. This could be sensors measuring the temperature at home, or diagnostic data from a car or machine, which are transmitted to a you, to the machine vendor. But it could also be a smart doorbell, where you can see who’s ringing at your door via your smart phone, while you are still at work… Nest Labs e.g. has a number of IoT devices: cameras, thermostats and smoke detectors. Here is an overview of ’20 crazy connected IoT products at CES 2017’, to give you some idea.

It is not a new concept: the first internet connected device seems to be a CocaCola machine at Carnegie Mellon University, in 1982… The term ‘Internet of Things’ was first used in 1985. The concept gained momentum a first time in 1999, the Auto-ID Center at MIT was one of the first to put a lot of effort in it.

Growth projections from Business Insidere Intelligence (http://www.businessinsider.com)

And now, in 2017, it is starting to become really big business… If you look at some studies, the numbers are phenomenal. According to a study by Business Insider, companies will spend trillions of US $ on IoT over the next years… By 2021, they project that there will be 22,5 billion IoT devices.  IoT is called the next Industrial Revolution. And this is where most people start dreaming and stop thinking about the real work: implementation and risk management. But I’m not like that. I look at the challenges, even risks of technologies that are hyped…

IoT = potential DoS army
Do you remember what happened on 21 October 2016? That day there was a DoS attack at the DNS provider Dyn. ‘DoS attack’ means: denial-of-service attack. You do this by sending a lot of requests to e.g. a website, so many requests that the server can’t deal with it anymore and becomes unavailable. Imagine a crowd of a hundreds of people trying to enter your home at the same time, via the same, narrow door.

You can attack a website, but you can also attack a DNS provider… which is more interesting (from the point of view of a bad guy). DNS means Domain Name System, which is kind of a traffic agent, who guides the traffic on the internet to the right places. The DNS system tells your browser on which web physical server it can find the website called www.insights4print.ceo. DNS servers are essential for internet traffic: if a DoS attack targets such a DNS server, at the crossroad of the internet, it can do a lot of harm…

Following websites and services were affected by the 21 October attack: Airbnb, Amazon.com, BBC, Box, CNN, Fox News, HBO, Netflix, The New York Times, PayPal, Pinterest, Spotify, Starbucks, Twitter, Visa, Walgreens, Wired. And the list goes on and on… You can read it on the Wikipedia page dedicated to this attack.

Dyn stated that during the attack, they got malicious requests from tens of millions of IP addresses (the address of your computer, of your IoT device). The source of these requests were: cameras, residential gateways, baby monitors. And printers. That’s why I reported on the attack in October 2016. In the list with devices and the brand names, there is a familiar name… One that sells printers and digital presses…

A few weeks later, somebody tested how long it would take before a brand new IoT security camera was infected. It took only 98 seconds… That’s only one and a halve minute after it was connected to the internet… 

And even your smart TV set isn’t safe: there are reports that LG TV sets were hit by ransomware

The signs are all over the place…
The bad guys on the internet are no longer nerds who have nothing else to do or who want to bully their bullies by writing viruses and malware. They have become professionals: in the latest reports you can even see that for some it is a 9 to 5 job… 

Attacks can also be state sponsored… Remember Stuxnet, the really complicated virus that attacked a very specific target?  Or what about the cyber attack at a Belgian telecom, which was probably executed by the UK…

In a survey with security experts, IoT is the number one security prediction for 2017.

What could happen…
Remember the forecast I mentioned at the start of the article? 22,5 billion IoT devices. If they are not secure, if they are hacked, even only a small percentage of those 22,5 billion, that could be a gigantic zombie army… With that army, you can do damage. Serious damage. To anything that depends on, or is connected to the internet. The 21 October attack was ‘only’ with several million devices. Guess what happens when the number is tens of millions, or even hundreds of millions of hacked IoT devices…

Just when I was writing this blog post, I got this news: Lloyds Bank is hit by a DoS attack, customers are blocked from the online services of Lloys, Halifax and Bank of Scotland.

And just before that news appeared, there was the article about United Airlines, where all domestic flights were grounded, due to ‘a technical glitch in the IT system’. I have no idea whether this was a cyber attack, but it does prove that many companies are completely reliant on IT systems, often connected to the internet, to do business, to function properly.

This WE, there was an DoS attack on The Sundance Film Festival, shutting down their box office…

And also hospitals have been under attack. They are an interesting target for ransomware, IoT devices are raising more and more concerns in the healthcare community. As is shown in this article in Healthcare IT News.

The financial system, traffic, healthcare, the power grid, if these are attacked by a large zombie army of IoT devices, that could disrupt our society… We are so technology dependent, a malevolent group (or state) could do a lot of harm.

What IoT device manufacturers should do
A few – rather simple – steps could bring the risk down. First of all, manufacturers of IoT devices should program the software in such a way that it is mandatory to change the default user name and password before a device can be connected to the internet. This would already limit the amount of potential zombies significantly. And second: automatic and regular security updates, with an extensive support lifecycle. For free, not with a yearly service fee, otherwise people won’t take that extensive support. Which will come with a cost and make IoT devices more expensive, but that’s a price we will have to pay. Here are two interesting articles on that: first article, second article.

One vendor of IoT cameras has already started a large recall of cameras involved in the Dyn attack. And government is also getting involved, as this article shows. In the USA the Federal Trade Commission (FTC) has filed complaint against D-Link for the lack of security in their IoT products.

IoT devices are not only ‘consumer’ devices. How many printing presses sent measurement data to the manufacturer, e.g. to predict maintenance or for benchmarking purposes? Sending data over the internet means these printing presses are IoT devices… Also in the industry IoT devices need to be secure.

Why is this important?
IoT has great potential, it can improve the quality of life, it can make a lot of things easier. But it comes with a risk if we – the users – don’t pay attention to security. Default passwords must be changed. Otherwise your smart doorbell, your printing press might disrupt your bank, your hospital, your energy supply. And you don’t want that to happen.

 

UPDATE 12/02/2017: Here is an ‘interesting’ example of the danger of IoT devices: an IoT attack on a university, where over 5000 (!) IoT devices (among which refrigerators and lights !!!) starting querying the university network for seafood restaurants… Slowing down the entire network and with the goal to bring the entire network down.

UPDATE 16/02/2017: PC World today published an article on the 7 security threats that scare experts. And IoT, also combined with ransomware, is on the list…

UPDATE 23/02/2017: IoT Alliance Australia has released a security guideline for IoT development, as a first step to industry-wide security standards.

UPDATE 24/03/2017: PC World just published an interesting article what to look at when starting with IoT: 4 hard truths about IoT.

UPDATE 19/04/2017: providers of IoT devices will have to start to take security very seriously: the latest malware will ‘brick’ devices that are not protected or are only protected with the default username/password, rendering them completely useless.

UPDATE 26/04/2017: today O’Reilly published an interesting article by David Maher, who has over 30 years of experience in secure computing and is responsible for Research and Development at Intertrust. In his article he advocates a ‘human-centric trust model for IoT’. If you are a developper, you should read it!

UPDATE 10/05/2017: a new malware has appeared, targetting over 100 000 IoT cameras.

UPDATE 29/06/2017: yesterday CISCO launched a dedicated ‘IoT Threat Defense’.

UPDATE 11/10/2017: here is an interesting article about the danger of left behind IoT gadgets

UPDATE 14/12/2017: the maker of the infamous ‘BrickerBot’ has said that he is retiring, after having ‘bricked’ over 10 million (!) unsecured IoT-devices. By bricking those unsecured IoT-devices, he may have saved us from much more troubles…

UPDATE 20/09/2021: it has been 4,5 years since I published this article. And the security of IoT-devices has become a seriuous point of attention. Recently ‘Digital Europe’ published a study, including advice on how to deal with IoT-security. You can download the full report here.

 

(Visited 367 times, 1 visits today)
About Eddy Hagen 132 Articles
The printing industry has changed significantly over the last few decades. And that change isn't over yet. Eddy Hagen has been observing all these changes from a front row seat, since 1988. He has seen and debunked hypes that still don't deliver. He has seen and promoted small evolutions that had a big impact. He has connected the dots to get a better view. He is an independent mind who might be able to give you unique insights in the world of print and innovation.

Be the first to comment

Leave a Reply

Your email address will not be published.


*