Security needs to be first for network-based devices

Security needs to be first for network-based devices

Described by some as the third wave of the Internet, the Internet of Things (IoT) is a technology movement to enable network connectivity to devices, from household items such as light bulbs and televisions, to industrial equipment such as warehouse pallets and water pump sensors, to municipalities such as bus stop signs and parking meters. As these products are rushed to market, security features are often delayed or ignored.

In the home, alarm systems, solar panels and thermostats collect and send data to the vendor's private cloud, leveraging your existing Internet connection and wireless network. With industrial control systems, network enabled devices can simplify the remote management and monitoring of critical infrastructures. However, when not properly secured, this technology could be accessed and abused.

Consider these examples:

  • The LIFX light bulb originally shipped with a flaw where it could be silently attacked to leak details of the wireless network it was attached to. Security researchers at Context Information Security coordinated with the company to issue a fix and response.

  • Security analyst Jay Radcliffe from Boise, Idaho, discovered that his own insulin pump was vulnerable to an attack through its wireless connection to control the device and potentially dispense a lethal dose.

  • Electronic meters in millions of households in Spain were installed with weak encryption meant to secure its communications. Once bypassed, an attacker could transfer meter readings to other customers and even shut down power to individual homes.

  • A Russian website was recently hosting a list of hundreds of Internet-accessible webcams secured only with default credentials. The site has since been shut down.

  • IOActive recently published a study on effectiveness of attacking the electronic control units of several automotive vehicles and listed recommendations on how to detect and mitigate some of the attacks.

One organization providing guidelines to identify and solve security weaknesses in these products is the Open Web Application Security Project (OWASP). It released an IoT Top 10 that identifies who the attackers may be, how the products may be attacked, the business and technical impacts that might result from the attack, and steps needed to remediate the flaws.

In January the Federal Trade Commission released a report containing recommendations to vendors developing IoT consumer-focused devices that include:

  • Implement "security by design" by incorporating security at the beginning of the design process.

  • Limit unauthorized access to a consumer's device, data or network.

  • Patch known vulnerabilities to limit out-of-date but functioning devices.

  • Minimize the data being collected.

When evaluating and purchasing these devices, consumers can ask or check for vendor privacy and security policies. Privacy policies often can be found published by vendor websites, but security policies are often not listed. Organizations can add security-focused requirements when evaluating and procuring technology to inform manufacturers that security is an important feature of a product, not an afterthought.

Vincent Hoang is an enterprise architect at Hawaiian Telcom, a Certified Information Systems Security Professional (CISSP), GSNA Systems and Network Auditor (GSNA) and Cisco Certified Network Professional (CCNP). Reach him at vincent.hoang@hawaiiantel.com.

Copyright (c) Honolulu Star-Advertiser

Visit this article in the Star-Advertiser