The “Internet of Things,” or IOT: we’ve all heard the term, but what does it really mean? More importantly, how do we secure all of these … “things”?
First, a stab at defining the term and its components. The term “things” really refers to a broad class of devices that have one of two functions: they tell you when something happened (sensors), or they make something happen (actuators). Many systems combine the two: a fire alarm’s sensors detect heat or toxic chemicals in the air then its actuators trigger an alarm. Geeks use one term – “transducer” – for both types of device, but I’ll just call them “things,” or “IOT devices”.
IOT devices come in all shapes and sizes, but often have unusual or highly constrained design requirements as compared to computers, tablets and phones. Power consumption is a major concern for many IOT devices, which are typically very small, and thus have a small battery, or are deployed in environments where recharging is impractical.
Engineers therefore design the devices themselves, and standards for the devices, with these constraints in mind. The standard communication protocol on the Internet – TCP/IP – is obviously robust and useful, but requires a lot of overhead in its communication. Consequently, the IOT engineering community has created a whole world of communication protocols – ZigBee, MQQT, Thread, and many others – specifically to minimize the amount of power necessary for IOT communication.
Power is not the only resource in short supply, however. IOT devices typically have very little memory, processing power, and storage (if any). Connectivity can also be sporadic in the harsh environment where many devices must operate (battlefields, remote areas of the world, deep underwater locations, etc.).
To meet these challenges, engineers have to economize as much as possible, so they focus on ensuring device functionality and durability, with security taking a back seat. This situation is understandable. If you were in the hospital, would you prefer a heart monitor that reliably alerts the medical staff that you need attention or one that has robust security in place? Manufacturing plant managers – for good reason – focus first on safety first, productivity second, and then security.
Even so, many IOT devices lack even basic security protections. At the Black Hat conference in 2017, I attended a talk about radiation monitors found in many nuclear power plants. These devices scanned everyone and everything leaving the plant to ensure no one was trying to steal fissile material, and as an additional safety precaution to quarantine anyone irradiated by accident.
These monitors – now out of service – had a built-in, unchangeable password (discoverable with a Google search), no capacity for patching, and were accessible via WiFi from several kilometers away. Moreover, there was no logging of access or activity. As the speaker explained, an adversary could enter the plant and steal some plutonium. Their accomplice could easily access the radiation monitors, turn them off while the insider passed through undetected, and then re-activate the monitors – all with no trace. This state of affairs is not unique to those monitors, however, as many devices have these security weaknesses.
At this writing, Congress is working on a law called the “Internet of Things Cybersecurity Improvement Act” to prohibit the Federal government from procuring IOT systems with insufficient security. That law recently passed through the House Oversight and Reform Committee. While such a law is a step in the right direction, it is unclear what combination of market forces, laws, and instinct for self-preservation will move us toward adequate security for the Internet of (vulnerable) things.
