Barry Mattacott, marketing director at security specialist Wick Hill Group, looks at the security risks of linking more and more smart devices to our networks. Are we just creating ever more vulnerable endpoints in today’s world of the Internet of Things?
Back in the good old days, we nailed the front door up tight with a firewall and we knew that, with good security on our gateway, our network was safe from the nasties of the outside world.
But those pesky kids in their bedrooms, not to mention state-sponsored cybercriminals, worked out that they could circumnavigate our state-of-the-art firewall by looking for a way in at the opposite end of our network – the endpoint.
So now we all agree that securing the endpoint is essential, but just where is it and what does it look like?
Since those early days, there has been a massive proliferation of endpoints and security issues have grown alongside them. You can’t go anywhere or do anything without risking an infection.
A recent survey found that almost two thirds of USB sticks that were lost/found on public transport were infected with malware.
I guess this raises several issues. Definitely, don’t plug any old USB stick you find into your computer – that’s how Stuxnet got its start in life after all. The survey also begs the question of why so many of these USB sticks are infected. Could it be that people are deliberately infecting USBs and ‘losing’ them?
Infected USBs can today be considered a fairly traditional attack vector, along with code attached to downloaded files and drive-bys leaping out of infected websites to get you. The security industry has made a pile of cash developing products to protect us and it’s all fairly much in hand.
But now we have a game changer because endpoints aren’t the same as they were. Firstly, we had the revolution that was the mobile endpoint. Mobile phones and tablets are now huge players on our networks. They have effectively put network endpoints in our pockets and allowed us to take them down the pub and lose them.
The technology to protect them has been available for some time, but the adoption has been woefully slow. You would have thought US Federal Agencies would be right on top of it, but a 2015 survey found 61 percent of agencies do not apply their network security policies to mobile devices!
So what does the future hold for the endpoint? Without doubt, the Internet of Things (IoT) means they are going to be everywhere! Network-attached security systems that give you video pictures of your front door and allow callers to leave recorded messages are essentially connecting your doorbell to your main processor (home PC). Your Hive-controlled heating system is connecting you to the Internet.
Despite these being serious systems, many have arrived on our networks and in our homes with gaping holes in their security. British Gas took a thrashing in the national press when their control system was found to be a burglar’s dream, easily allowing access to the heating schedule, which could tell them if the owner was at home, or even if they were away for an extended period of time.
Even cars have become endpoints. Until recently they were fairly much self-contained. Yes, they communicated with the Internet and manufacturers’ control networks and as such they were hackable. We saw hackers demonstrate that they could take control of a Jeep and run it off the road. This triggered a recall of 1.4 million cars by Chrysler in order to patch the operating system. But they were somebody else’s problem in that they didn’t communicate with your network, so were not one of your endpoints.
But car manufacturers, including Ford, are developing on-board systems to allow you to carry out vital activities like turning on your smart kettle whilst on the road. This requires them to connect via the Internet to your own network.
On the one hand, that kettle might be ever so smart in that it carries significantly more processing power than the 64 Kb memory operating at 0.043 MHz in the Apollo guidance system that put man on the moon. On the other hand, it’s not smart enough to be fully secured against man-in-the-middle attacks that will allow a hacker to penetrate your network. And once they are in, will they be able to access your car sitting in the driveway and steal it? It doesn’t really matter how secure Ford makes your car, if your kettle is going to leave the door open.
Why? Why is it that the Internet of Things is so woefully behind the curve regarding security?
To start with, your average kettle manufacturer doesn’t have a great pedigree in network security. They might make an awesomely efficient kettle but in the current climate they will find it difficult to find and employ a suitable security expert.
They are also in a rush. They have just come up with the world-saving idea of adding internet connectivity to your kettle, so obviously they are in a huge rush to get it to market before everyone else thinks of it and beats them to it. And of course, functionality will always beat security. No one wants to go through multi-factor authentication every time they want a cup of tea.
So what can you do about it? Purchase (and attach to your network) with care. When it comes to the Internet of Things, you are putting your trust in the hands of others. There is little that you personally can do to ensure that your TV, kettle, car, fridge, etc., etc. is secure. One piece of advice is to look out for names that you feel you can trust with security.
So what’s the best tactic if you don’t want to fall victim to security weaknesses in your clever consumer devices, intelligent cars and machine-to-machine equipment which make up the Internet of Things? The best advice would be to try and resist the frivolous items like kettles and doorbells and stick to things made by reputable manufacturers, preferably ones that have some sort of pedigree in networking.