Reviewing IoT Security Vulnerabilities: The Real Cost of Interconnectivity

November 22, 2016 Katherine Oberhofer

Last week, over 10,000 CIOs and CTOs, buyers and sellers, experts and investors, startups and established companies came together in Lisbon, Portugal, for SaaS Monster, the world’s largest SaaS conference. SaaS Monster’s organizers call the event “a crossroads for the world’s largest buyers and sellers of technology, alongside many of the world’s most disruptive emerging technology companies”, and Distil’s CEO, Rami Essaid, was once again invited to speak at the event.

Rami’s session is the last in the clip above.

Rami and Emanuel Schalit, CEO of password and identity management vendor Dashlane, participated in a session on “How to Protect our Connected Devices” – a topical choice given that the recent Mirai botnet attacks brought down many of the world’s largest web players through vulnerabilities in poorly-secured web-connected cameras.

The risk is not a new one. Nine years ago, then-Vice President Dick Cheney had to have the wifi capability in his pacemaker turned off because of concerns that someone could hack into the device and kill him remotely. Moderator Dermot Williams, Managing Director of Irish security specialists Threatscape, kicked off the discussion by asking what’s changed since then – if anything.

Both panelists felt that we’re actually worse off now than in 2007. There are now billions of interconnected devices, but the security built into those devices has barely budged – a problem exacerbated by the continued use of the same password everywhere and manufacturers using the same internal certificate across entire product lines.

The majority of connected devices – from smart home devices like televisions and thermostats to the national grid – remain inherently insecure. A web-enabled Barbie™ doll is connected to the same Internet of Things as a domestic smart meter and the city water supply. Markets are demanding wifi on everything. And security is an afterthought, just as it has been since the birth of the internet half a century ago. Rami noted that, if you were to run a scan across the web today, you’d find half a million devices running OpenSSH 4.3, a 10-year-old protocol that could be hacked in five minutes. This “point-in-time” architecture is just as untenable for maintaining security in the face of constantly evolving threats as relying on humans and manual authentication.

Then there is the data. Weak defenses on devices open a back door to data in the cloud – data that’s constantly being collected in real time by those devices and stored in the cloud alongside data from millions of other connected devices. In a better-late-than-never move, the European Union has recently enacted the far-reaching General Data Protection Regulation (GDPR), which requires that any entity storing data collected from European consumers must notify consumers of a breach within 72 hours or face a fine of up to 4% of global revenues. It’s a far-reaching and well-intentioned effort, but the borderless nature of the internet militates against enforcement.

Right now, big data is driving much of the world’s consumer business growth. But if companies begin to equate the volume of data they collect with the size of their financial liability if an insecure device on the other side of the planet is exploited, that business driver is itself at risk. The recent Yahoo breach almost overnight wiped $1B off the company’s sale price.

There is more cause for optimism in another EU initiative under discussion – a certification standard for IoT devices – provided those standards include mandated support for ongoing, built-in upgradeability. After all, today’s PCs and phones silently upgrade themselves as often as necessary, and there’s no reason to suppose other connected devices could not do the same if appropriately architected.

Then, of course, you run into the eternal trade-off between cost, functionality, and security. Gartner estimates the cost of adding even basic security to a device is approximately $1/unit, never mind upgradeable security. Manufacturing (and consumers) will have to slow down the headlong rush to connect everything, so we can buy ourselves time to better understand IoT infrastructure and the vulnerabilities it presents. Only then will we be able to design a security architecture for the future that can be continuously evolved to keep pace with future generations of threats.

In the meantime, the most practical solution to IoT insecurity is to ensure there is always something – gateways, firewalls – between the data stores and the devices that can access them. If you’d like to see how Distil’s solutions can prevent unauthorized access to your networks, sign up for a risk-free trial.
