November 5, 2014 – Kevin Sullivan – Principal Security Strategist, Trustworthy Computing
With the return of cooler weather to Seattle I appreciate that the heat at my house turns up just in time for me to get home. From an efficiency perspective, it is comforting to know that the heat also automatically turns down when I leave the house. These simple optimizations are just the beginning of what the Internet of Things can enable in our everyday lives. I am looking forward to making more of the devices in my home “smart” and especially to when I can interact with them by voice or even have them predict what I want to do and just do it.
However, as a security professional I am both blessed and cursed with a mild state of paranoia. It doesn’t help that every day there are new articles that proclaim how the internet of things will allow criminals to access my refrigerator, turn off my lights, open my front door, or interfere with traffic in the city. Without a doubt, there are significant security challenges for information technology generally, whether it’s criminals running botnets or cyber organizations targeting large corporations. Moving more assets and valuable data to the internet of things will make it all the more enticing to attackers, of course.
Security professionals have never backed away from the challenge of defending individuals and organizations against these threats so why are we so negative about the IoT? Well, I think a lot of it has to do with the term itself. “Internet of Things” has been used to the point where there is no single definition and means different things to different people. If we don’t know what something is, it is very difficult to think about how to defend it.
So then, what precisely is the internet of things? From Microsoft’s point of view, it’s about the Internet of Your Things, and I find it helpful to consider some key characteristics of the internet of things:
- Ability to communicate with physical objects: From household objects to industrial equipment, IoT devices will send and/or receive data over a network.
- Physical world input or output: Perhaps the biggest difference from traditional computing is that IoT devices have physical inputs and outputs, for example reporting the current temperature or closing the lock on a door.
- Automated or even autonomous control: IoT devices can be controlled without direct human interaction and may be controlled by other physical objects. Some of the most interesting IoT scenarios involve devices communicating directly with each other to take action.
- Data from things: When things act as sensors they can generate enormous amounts of data about their own operation and the environment around them. This data can be stored and processed locally or, more likely, in the cloud.
- Analysis of sensor data: Analyzing the data generated by these sensors can reveal non-obvious usage patterns or even make predictions about what is likely to happen.
Examined through this lens, I argue that the problem is much more tractable. The characteristics listed above can help security professionals construct threat models for internet of things devices and services. While the Internet of Things brings about many exciting new scenarios, the security principles of Confidentiality, Integrity and Availability have not changed. Fortunately, this means that many existing security approaches can and should be adapted to help secure the Internet of Things.
I want to be clear that I am not understating the added attack surface and potential risks that the Internet of Things brings about. However, I am also a born optimist. As an industry we have put a PC on every desk, smart devices in your pockets, and connected nearly half the world’s population to the Internet. We owe it to society to tackle the challenge of securing the internet of things.
Stay tuned next week for when my colleague Tim Rains shares several practical steps you can take to secure the internet of things.
As my colleague Kevin Sullivan wrote in part 1 of this two-part series, the Internet of Things (IoT) holds great promise for organizations and consumers. But like many new technologies, it brings with it a number of security and privacy challenges. The industry can work to help address many of these challenges by building on some of the lessons learned from decades of experience connecting traditional computing devices to the Internet, as well as understanding the unique challenges that the IoT presents.
Among those unique challenges is the diversity of devices encompassing the IoT, that range from very simple devices that only transmit data, to complex devices with processors and sophisticated software. Before millions or billions of these devices are deployed across the world, some security and privacy fundamentals need to be carefully considered including:
- Insecure design: Some of the early IoT devices I have seen in the market today have not been designed with security in mind. Some of these devices lack basic security capabilities, while others have security capabilities, but they are inappropriate for all the scenarios that the device can be used in. It’s also easy to imagine that some IoT devices have been released with insecure default settings.
- Disclosure of personal information: When devices, sensors, appliances, etc., are connected to the Internet (or when physically accessible), it can raise concerns that everyday activities, preferences, and sensitive information, could be monitored and disclosed without proper authorization. Additional concerns arise with the possibility that data gathered from IoT devices could be correlated with other sources of data and used for purposes, such as the creation of self-learning autonomous systems, without the appropriate consent from the data owner.
- Limited ability to receive updates and change configurations: Keeping systems up-to-date with security updates is one of the most effective security practices today. As vulnerabilities are discovered and attackers attempt to exploit them, it’s critically important that vendors have a well thought through response plan and the capability to update and reconfigure systems to mitigate these attacks. Not all IoT devices are going to be the same. Different devices are going to have different hardware and software, and subsequently different capabilities. Some devices might have limited update capabilities or might not even have an operating system. What’s the plan to update a sensor that doesn’t have a full operating system installed on it? This type of requirement needs careful consideration.
- Insecure data: How IoT devices store and transmit data is another important consideration. Securing data communications, including authentication, and encrypting data at rest, have become common expectations for systems today. The ability to manage settings for such security features is also a common expectation. Many IoT devices might be connected to networks that are themselves insecure, making how well these devices protect data in untrusted or hostile environments a consideration.
What should industry do to help address security and privacy related to IoT? Building software with security in mind during every phase of development has proven to be very effective – something that can inform the development process for IoT devices as well. Among the unique challenges for the IoT is the diversity of devices encompassing the IoT, which range from very simple devices that only transmit data, to complex devices with processors and sophisticated software. Broadly applicable design considerations should include:
- Secure by design, secure in development and secure in deployment (SD3): This is the same mantra we started in Trustworthy Computing at Microsoft many years ago. IoT devices and services should be designed and developed in a manner that improves security and privacy during the lifecycle of the device by applying secure software development processes such as Microsoft’s Security Development Lifecycle.
- Secure communications: Presumably, in the future many IoT devices will operate on the public Internet or on other networks where they may face a variety of threats to data confidentiality. IoT devices and services should utilize strong encryption techniques to protect data, and networks should use the latest communication protocols and up-to-date security architecture. On IoT devices that host third-party applications, the security of these communications needs to be addressed as well. Some more primitive IoT devices will lack the ability to perform encryption themselves. In such cases, one possible solution would be to design the device to allow its data to be encrypted by an intermediary gateway device on the local network before the data is sent over the Internet.
- Manageability and security updates: Many IoT devices will likely be built for single purpose applications and will have limited input/output capabilities to manage the device. IoT devices need to be designed to apply important functionality and security updates, preferably with the option of automatic updates requiring little or no administrator interaction. Devices should be designed to respond to security issues impacting devices, services, or applications. Awareness of the security or privacy issues related to other services and devices with dependencies should also be accounted for in update planning. IoT devices lacking the physical requirements for manageability and updates should be designed to allow security management by an intermediary gateway device on the local network before the data is sent over the Internet – as one possible solution.
- Privacy and data use: Because of the potential volume of personal or proprietary data that can be produced and stored by the IoT, both consumers and businesses will insist that the privacy of their information be protected. IoT products should take privacy-impacting collection and use of data into consideration from the earliest stages of design through development and deployment. IoT devices and services that seek to collect data pertaining to people should undergo appropriate scrutiny and evaluation for privacy concerns. Companies should also consider how they manage the commercial sharing of data as the IoT becomes a platform for trading information.
- Appropriate level of cloud service capacity: Cloud services will need to be designed for a significantly higher number of simultaneous connections and greater volumes of data traffic given the expected proliferation of IoT devices. If cloud services are unable to manage the expected data flows generated by the IoT, they could be overwhelmed.
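The gateway arrangement described under "Secure communications" above can be sketched as follows. This is an added example, not code from the original post or from Microsoft: a gateway seals each plaintext sensor reading with AES-256-GCM before it leaves the local network, and the cloud side rejects anything altered in transit. The names `Envelope`, `NewAEAD`, `Seal` and `Open`, the device IDs, the choice of AES-GCM and the pre-shared key are all assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is what the gateway forwards for a sensor that cannot encrypt.
type Envelope struct {
	DeviceID      string // cleartext for routing, authenticated as associated data
	Nonce, Sealed []byte // random GCM nonce; ciphertext plus authentication tag
}

// NewAEAD builds AES-GCM from a key shared by gateway and cloud service
// (how that key is provisioned is outside this example).
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the gateway, before the reading leaves the local network.
func Seal(a cipher.AEAD, deviceID, reading string) (Envelope, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	sealed := a.Seal(nil, nonce, []byte(reading), []byte(deviceID))
	return Envelope{DeviceID: deviceID, Nonce: nonce, Sealed: sealed}, nil
}

// Open runs on the cloud service and rejects anything altered in transit,
// including a changed DeviceID, because the ID is bound in as associated data.
func Open(a cipher.AEAD, e Envelope) (string, error) {
	if len(e.Nonce) != a.NonceSize() { // AEAD.Open panics on a wrong-length nonce
		return "", fmt.Errorf("bad nonce length from %q", e.DeviceID)
	}
	pt, err := a.Open(nil, e.Nonce, e.Sealed, []byte(e.DeviceID))
	return string(pt), err
}

func main() {
	a, _ := NewAEAD(make([]byte, 32)) // constructed all-zero demo key
	e, _ := Seal(a, "thermostat-1", "21.5C")
	fmt.Println(Open(a, e))
}
```

The hop from sensor to gateway stays unencrypted in this design, so the gateway and the local network segment it sits on become part of what has to be trusted and kept up to date.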
What should consumers do to protect their security and privacy related to IoT?
- Evaluate security and privacy at purchase: Understand what security and privacy controls the device and services provide.
- With updatable devices, keep software/firmware for your devices up-to-date: If the device offers automatic updates, consumers should enable them. Otherwise, consumers should check the manufacturer’s website regularly for new security updates.
- Stay informed: Be aware and learn more about IoT devices and services.
You can learn more about Microsoft’s Internet of Things strategy here.