Curated by Vinay Prabhakar Minj
“Security has to be thought in all stages starting from planning, design, implementation, verification, validation, deployment and operations.”
With the advent of Internet of Things (IoT), we are drifting into an era of smart things. We started with smartphones, then moved on to smart TVs, smart refrigerators and smart cars. And we are scaling it up to smart traffic management, smart energy, smart buildings and much more. But what is making these things Smart?
We now have sensors like accelerometers, gyroscopes, proximity sensors, humidity sensors and GPS location sensors – all in the size range of millimetres. Every Smartphone in your pocket has on an average 10-12 sensors. So, is this proliferation of sensors making everything smart? Or is it just with machines like the Servers, Cloud and HPC? Computing is becoming incredibly powerful day by day and is growing exponentially (Moore’s law). Big Data Analytics, Machine Learning, Artificial Intelligence, Predictive Intelligence, Prescriptive Intelligence…all these technologies are possible because of the Cloud. So, can we say that Cloud is making everything Smart? Or, is it Machine-to-Machine Communication?
IoT devices are going to be ubiquitously connected; 50 billion devices as per Gartner by the year 2020. Devices can talk to each other. They can take data-driven decisions without human intervention. Gone are the days when you would use a mobile app to order milk from a grocery store. Smart Refrigerators have automated this. They can sense the availability of milk and place an order by itself. So, is this M2M connectivity making everything smart?
I believe it’s the combination of all these three. If you remove one of them, then it’s no longer smart. Sensors, Cloud, and M2M are driving Smart things. When we combine these three things, then we get the power of innovating interesting IoT services, businesses and applications.
IoT Devices and Cyber Security Threats
If we give a closer look, all smart things – be it wearables, implantables, or injectibles – are trying to bridge the gap between the physical world where we all live in and the digital world where we get data-driven decisions. The sensors (tiny computers of the digital world) are getting connected to those massive computers of the digital world like the Cloud, Servers and HPCs where we can optimize at the pace of Moore’s law. They are getting connected in ways that allow physical to become digital; to sample the world and turn it into something which massive computers can ingest. Thus, we are able to take the digital and make it physical. But, when digital things become physical, then digital threats also become physical threats. Let’s see how.
The Jeep Cherokee by Tesla is an awesome SUV with lots of hands-free, voice command & control for dashboard functions and smart infotainment system. But a couple of years back, it was hacked by two people. They reverse engineered the car’s communication protocol and took over the dashboard functions, such as the steering, transmission and brakes. They demonstrated that they can remotely control the car and even crash it without the knowledge of the driver.
WiFi Hello Barbie, the world’s first interactive doll by a company called Mattel used voice recognition technology and progressive machine learning features to tell interactive jokes or (play) interactive games with your child. It could read a book, do language translations and even tell a conversation based on history. Here you should know that intelligence is not put into the doll. It is connected to those massive computers (Servers) of the digital world. This seems a very interesting proposition in terms of IoT. But, even this was hacked. The doll failed to validate assessive certificates and the attackers quite conveniently crafted in manning a middle attack and were able to get control over the doll. They could listen to the private conversation that the child was having with the doll or all the audio files that the doll recorded. The hacker was also able to penetrate into the home WiFi network and sneak into the regular internet traffic.
Just imagine what could happen if the device can be exploited to teach offensive languages to your child. What if someone is eavesdropping on your children with such devices? The higher version of this device also has an embedded camera.
Eavesdropping can also happen with other devices like Smart TVs. Smart TVs are coming with a lot of intuitive voice command and control these days. The same microphone can be used to listen to private communication of your bedroom. Smart TVs have been reported to be infected by malware that can do automated ‘ad-clicking’ and cryptocurrency mining.
WHEN DIGITAL THINGS BECOME PHYSICAL, THEN DIGITAL THREATS ALSO BECOME PHYSICAL THREATS
About 10 per cent of the world’s population suffers from diabetes. 70 million people in India suffer from diabetes and Smart Insulin Pump is a wonder for them. Smart Insulin Pump is a small glucose sensor which detects the blood sugar level in real time and sends the data to the electronic pump. Based on historical data (of the person), the electronic pump decides what amount of insulin has to be injected into the body. Also, the sensor communicates this data through infrared waves. You also get updates on your mobile app which can be shared with your doctor. This is a very good use case of an IoT device. But again, even this was hacked.
The world’s smallest computer called Michigan Micro Mote or M3, made by the University of Michigan, USA is a fully autonomous system smaller than the size of a grain of rice (mm). It has several computerized sensors like humidity and pressure sensors, processor and a radio to transmit data and solar cells power the battery with ambient light. There are a lot of use cases of this device. One can put this device into the farms and have precise moisture detection for smart agriculture. One can also put this device in the blood vessels, arteries and veins of a human to have real and precise detection of blocking and have better smart diagnostics.
But the dark side is that these devices have no security built into them. All the collected sensor data is released into the air using infrared waves. And these devices are programmable remotely through those infrared signals. Don’t expect any WPA2 kind of encryption at this level. This is all happening through general WiFi networks.
If we can’t secure one IoT device, then how can we secure thousands of IoT devices?
Emerging Malware Threats
Over the past few years, ransomware has become quite popular in the cyber security field, especially the web, where a hacker will put malware into your system, encrypt your hard disk, then keep the key to itself and only release it if you pay the ransom money. Now, ransomware is coming into the IoT field as well. The reported case was called Nest Thermostats, where the homeowner went for a vacation and got a message that the room temperature has been increased to 50 degrees Celsius and it is burning hot. If you want to unlock the thermostat, pay XYZ bitcoins.
Imagine the amount someone would pay to remove ransomware from a pacemaker.
TO SOLVE THE PROBLEM OF MALAWARE THREATS, WE NEED TO UNDERSTAND THE SECURITY CHALLENGES IN IOT
I believe the day has come when it would be no surprise to get a message on your iPhone asking you to pay US$ 9.9 in return for deleting footage of your activity in the living room.
It’s time to ‘WannaCry’ with your Smart TV. WannaCry was the name of the largest ransomware attack in 2017 to hit the Windows OS. And WannaCry’s Android version is about to come soon.
Denial of Service is also another problem. Imagine on one fine morning you are ready to go to the office, you start your car and see a message stating that your car needs an immediate critical firmware update so do not drive for 45 minutes. This a clear Denial of Service.
Denial of Service can also happen with Smart Watches.
What if your fridge gets hacked? You may say ‘I don’t care!’
But the hacker may be trying to know the amount of food you consume or find out whether you are at home or not. And, what if one day the police comes knocking at your door telling you that your refrigerator has been sending spam messages to the Prime Minister’s office? One can easily convert the processor inside the refrigerator into a BOT. And this has been reported. The famous Mirai attack where the CCTV cameras were infected with BOTS and they did DDoS (Distributed Denial of Service) attacks on Twitter. Twitter went offline for six hours. These attacks can happen from any device and can be exploited to harm people.
Security Challenges in IoT
To solve the problems, we need to understand the security challenges in IoT. Any typical IoT deployment consists of sensors in field, aggregators or gateways (in premise or on the Cloud), analytics platform and finally, web services where you do machine learning and future predictive analysis. As we move on from one to another, resources such as CPUs, limited memory and limited power becomes a big problem. Thus, implementing cryptographic encryption or antiviruses in the field devices (sensors) is not possible.
Another security challenge is STRIDE Threat Vectors. Attacks are getting innovative day by day and they can be classified into the following six categories.
First is Spoofing Identity. How can we know that we are talking to the right device? Can we have a PKI (Public Key Infrastructure) for field level devices? For example, EVMs (Electronic Voting Machines) have digital certificates inside all control and ballot units. After the election, if a control/ballot unit is replaced, then on the counting day that device will not be accepted into the network at all.
Second is, Tampering with Data. How can we ensure that data is not tampered when it comes from the field to the gateway or aggregator? Anybody can re-calibrate a field device by just replacing its firmware. Here, solutions like Secure Boot can ensure that the firmware is not replaced.
The third is Repudiation. No logs are stored in the field devices. So if something bad happens, how can we find out from where it happened? Think about forensics for IoT devices. Most of the field devices send their data through wireless modes, mostly through Infrared, Bluetooth and non-encrypted.
Fourth is Denial of Services.
Fifth is Elevation of Privilege. Like the WiFi Barbie Doll attack, where there was an attack by penetrating into the home WiFi network by exploiting the doll, similarly, by exploiting the field device, one could get in another network also, may be corporate networks.
These are the big challenges and there is no perfect solution for all this. It depends on the use-to-use case.
Privacy and Anonymity Challenges
Apart from security challenges, there are other privacy and anonymity challenges. And this is a much darker side of IoT. There’s a very subtle difference between the terms security, privacy and anonymity. Most people use them interchangeably, which is quite wrong. Security is defined by three words: the CIA triad or Confidentiality, Integrity and Availability. If you remove one of these, then security is breached.
Privacy is not about hiding your personal or private data. Privacy is about not getting monitored. It’s not about your permission. Privacy is about not getting surveyed. It’s not in your hand. Because whenever you are getting monitored, whenever you are surveyed, then that observation changes your behaviour.
What we tell (ourselves) that by encryption and by securing our personal data, we ensure privacy. That’s not privacy, but in fact confidentiality as a part of security.
Anonymity is again not privacy. Anonymity is about masquerading where the other person gets to know what you are doing but that person should not know who you are.
Suppose two persons in a room full of people are talking to each other. All other people can see that these two persons are talking and can hear also. So, those two persons don’t have the privacy of what they are talking. Now suppose these two persons whisper to each other. Still, privacy is not achieved because their talk can be heard even though can’t be seen. Whispering is akin to encryption, enabling confidentiality.
Now, while they are talking, they are wearing masks so nobody knows who they are. In this case, anonymity is achieved but not privacy because we cannot know who those two persons are but we can hear what they are talking. And based on that conversation, we can find out the identity of that person.
By combining confidentiality and anonymity, a certain level of privacy can be achieved in this case. But not always.
Sensors of the digital world are fuelled with our data. Our purchasing and browsing patterns, driving and eating habits, social data, locations, friends, contacts…every data is being collected by these smart devices and sent to huge server farms of the digital world.
Data crunching companies like Google, Facebook and Amazon sell our data. There is a lack of transparency about why that data is collected for and what it is being used for.
Example, we all like to wear smart health devices like smart bands which tells us the number of steps taken, our heartbeat, blood pressure, when we have to drink water, etc. Although the company is not making huge money by selling those devices, the data it collects sends to your health insurance company which is indirectly increasing your premium. So that’s how your data is being misused without your permission.
The next factor is trust. We cannot trust anything. Take the example of the case of Apple versus FBI. The FBI found that the Apple phone had been used by terrorists and had information in it, which was encrypted. So they wanted Apple to decrypt it. But Apple refused to do so, stating that they value the privacy of the customers more. After a week, FBI got the data by decrypting the information without Apple’s intervention. And the case was closed (thereafter).
Facebook tells that it will provide end-to-end encryption while sending messages through Whatsapp. But they know what you are messaging about and are saving it in the Cloud. And maybe on Google Drive. So Google is also reading it.
THERE IS NO SILVER BULLET TO EFFECTIVELY MITIGATE ALL SECURITY, PRIVACY AND ANONYMITY CHALLENGES. WE CANNOT APPLY SECURITY BY OBSCURITY PRINCIPLE
We cannot trust even hardware. Example, we got a CISCO router in the IT Forensics and Hardware Standardisation Lab of ECIL which was to be supplied to some defense establishment. That router was emitting the route password of that router through LED bulbs of the Ethernet ports. On doing a side channel analysis on that device, it was found that based on the blinking of LED lights, one detects the route password of that device.
Devices of Apple are designed in California, manufactured in China and sold in India. Who knows who is putting malware or backdoor inside it?
In the Stuxnet attack which happened on the Iranian nuclear reactors, Israel had put malware or, logic bombs as they called it, inside the PLCs of Siemens. And it was funded by the US for the Iranian nuclear reactors. Such state-sponsored attacks are happening in a very coverted and hidden manner. It might not happen at the end user and consumer devices but, there is a possibility for that.
Security has to be thought in all stages of IOT
What can we do to overcome these challenges? Do we have smart devices smart enough to be secure? For this, we need to understand that there is no silver bullet to effectively mitigate all security, privacy and anonymity challenges. We cannot apply security by Obscurity principle. We can’t say that IoT product is secure because we use indigenous technology or isolated air gap networks or property protocols because even they can be breached.
We need to think of Security by Design. Security cannot be an afterthought but, has to be thought in all stages starting from planning, design, implementation, verification, validation, deployment and operations. Generally, security is thought of only at the deployment or implementation stages but, not in all. We have to think in the planning and design stages itself. A lot of research is happening in various parts of the world regarding how to bootstrap trust and security in the very basic design stage, such as a powerful system on a chip with cryptography, secure boot by Intel and homomorphic encryption, which are all coming up and require reduced computational demands which can work on IoT devices.
SECURITY CANNOT BE AN AFTERTHOUGHT BUT, HAS TO BE THOUGHT IN ALL STAGES STARTING FROM PLANNING, DESIGN, IMPLEMENTATION, VERIFICATION, VALIDATION, DEPLOYMENT AND OPERATIONS
We need to implement technologies which can help decentralisation because whenever power is given to a central authority, then that is misused or exploited by the third party.
Some people believe that blockchain can help because it can have a distributed, trustworthy and publically verifiable systems with blockchain. It may help but I don’t think so. That’s a debatable matter.
In the era of industry 4.0, we are unknowingly and inherently getting connected to a hyper-connected global sensor net. What I mean is that this amazing distribution chain that is happening is quite different from any other technology trends. Because here, an active adversary is always trying to change and create benefit out of what we do.
How Can We Make IoT a Success?
To make IoT a success, our businesses have to change. We have to be smarter than our smart devices. And awareness is the key to this.
We need to understand the delicate balance between speed to market and the level of security. If you want IoT products to be fast and cheap, then it won’t be secure. If you want it to be fast and also secure, then it won’t be cheap. And, if you want it to be secure and cheap, then it won’t be fast. So at least we need to pick two.
In conclusion, I would like to say that I believe in Amara’s law which states that, “We tend to overestimate the effect of a technology in the short run and overestimate the effect in the long run.”
|From Industrial IoT perspective, what is to be looked at when we try to implement it from a security perspective?
First, you need to identify your attack surface. Based on your business case, try to identity the hackers and attackers who are trying to take advantage by breaking into your system. After you have a sound knowledge about your attack surface, you can take initiatives. Then you have to decide which one you want more: security, privacy or anonymity. You cannot have all of them in 100 per cent.
Why do you say that blockchain can be attacked?
Ans. Those who think that blockchain can solve privacy issues because it is decentralised are wrong. We are not giving control to a single person. But, there are nodes who run the chain itself. And these nodes can be compromised or can be run by a single entity. There is a concept of 50 per cent + network attack in the blockchain. If you control more than 50 per cent of the network nodes, you can control the chain itself.
About the author:
Abhinav Biswas is a technology evangelist with wide range of agile experience in embedded systems, web & object-oriented development, cyber security and cloud computing & machine learning. He is also a recipient of the ‘Security Leader of the Year Award – 2016’. Currently, he is holding the role of Alt. CISO for Electronics Corp of India Ltd (ECIL), Dept. of Atomic Energy, Govt. of India. He gave a very thought-provoking speech on the various aspects of cyber technology threat faced by IoT and how it can be overcome at the IEW, 2018 held in Bengaluru. The above article is an extract from his speech.