As buzzwords go, the “Internet of Things” is pretty clever, and at the same time pretty loathsome, and both for the same reason. “IoT” can mean basically anything, so it’s a big-tent, inclusive trend. Every company, from Mattel to Fiat Chrysler, needs an IoT business strategy these days. But at the same time, “IoT” is vacuous — a name that applies to everything fails to clarify anything.
That’s a problem because “IoT Security” is everywhere in the news these days. Above and beyond the buzz, there are some truly good-hearted security professionals who are making valiant attempts to prevent what they see as a repeat of 1990s PC security fiascos. And I applaud them.
But I’m going to claim that a one-size-fits-all “IoT Security” policy is doomed to failure. OK, that’s a straw-man argument; any one-size-fits-all security policy is bound for the scrap heap. More seriously, I think that the term “IoT” is doing more harm than good by lumping entirely different devices and different connection modes together, and creating an implicit suggestion that they can all be treated similarly. “Internet of Things Security” is a thing, but the problem is that it’s everything, and that means that it’s useful for nothing.
What’s wrong with the phrase “Internet of Things” from a security perspective? Only two words: “Internet” and “Things”.
Which Things constitute the “Internet of Things” is an easy starting point. If you ask Mattel what Things they mean, they’ll tell you Hello Barbie. For Samsung, it’s your fridge. If you ask Ford, they’ll tell you it’s a car. I was at an embedded electronics trade fair a couple years ago, and there was a company that designs factory-floor robotics telling me about their IoT strategy. It gets weirder: yoga mats, toasters, tampons, sniper rifles, and aircraft.
If you can think up a thing that hasn’t yet been Internetted, test yourself by posting in the comments. Or better yet, seek VC funding first and then work on a prototype second. (And then start your security design after it’s in the customers’ hands.)
The point is that it’s very hard to have a decent discussion of security and the IoT without getting specific about the Things. You do not need or want to take the same precautions with a talking childs’ toy that you do with a Jeep or a Tesla. A malware firmware upgrade for one threatens your child’s privacy (no laughing matter), but a malicious upgrade for the latter threatens your life.
If there’s a cost-benefit analysis being done when connecting a Thing to the Internet, it should be made entirely differently depending on the Thing. Some categorization of the Things is necessary. Off the top of my head, I’ve seen “Industrial IoT” used as a term — in comparison to consumer IoT. That’s progress I suppose.
For security purposes, however, I think it’s reasonable to think about the Things by their capabilities and what potential hazards they bring. Devices that “merely” record data can have privacy implications, while devices that act on the physical world can hurt people physically. The autonomy of the device is important too. Something that’s always on, like an Internetted refrigerator, has more potential for abuse than something that’s used infrequently like a quadcopter hooked up to the Internet: plant a Trojan on my fridge and you can snoop on my passwords all day long, while the quad’s batteries are going down after being online just 15 minutes.
This is just a start. A serious, security-relevant taxonomy of Things is not a task for a Hackaday writer. My point is, however, that calling both toy and real cars “Things” says nothing. Pacemaker-Things aren’t comparable to toothbrush-Things.
When you say you’ve got a lightbulb “on the Internet”, what do you really mean? Is it firewalled? If so, what ports are open? Which servers does it connect to? Are the communications encrypted? And if so, do you control the passwords, or are they built-in? Are they the same for every Thing? Just saying “we’ll put it on the Internet” is meaningless. The particulars of the connection are extremely important.
This is where the security community has spent most of its efforts so far, and there’s great work being done. The Open Web Application Security Project (OWASP) has an IoT sub-project and their checklist for testing the security of an IoT device is great, if not (possibly) exhaustive.
When you try to secure you PC, or run a server on the Internet, you have a great advantage. You probably know which ports you need to open up in your firewall, which services you need to run, and/or what destinations you’ll be talking to. Even the cheapest home routers do a fairly decent job of protecting the computers behind them, because people’s needs are pretty predictable. I don’t think my father-in-law has ever used any port other than 80. This is not the case with IoT devices.
[Dan Miessler] gave a talk at DEFCON (YouTube) last summer introducing the OWASP IoT Project and detailing IoT devices’ attack surfaces. If you’re at all interested, it’s worth a watch. Anyone who thinks a Thing on the Internet is a single device talking to a single server is in for a surprise.
The most important point from [Dan]’s talk, for the armchair security types like me at least, is that an IoT device is an ecosystem, and that means that the bad folks have many more surfaces to attack than you might think, or wish for.
Your device communicates to the server, sure, but that’s just the start. The Thing probably also has a web-based configuration interface. Whatever service it uses (in “the cloud”) has its application interface, and probably also configuration pages. Most devices also use third-party APIs for convenience, meaning your data is going to a few more destinations than you might think, often over non-standard ports. The Thing’s firmware is going to need to be updated, so that’s another very powerful point of attack. Your Thing probably also talks to an app on your cell phone. (There’s more, but you get the picture.)
If some of these sources are trusted by the Thing, you’d better hope that they are all individually secure and properly authenticated. If any part of the ecosystem is under-secure, that’s what the exploiters are going to exploit. The more Things are interwoven with other Things, or services, or apps, the more avenues there are to break all the Things.
None of this is impossible to secure — there are best practices for each step of the way. Indeed, that’s what good-minded folks like OWASP and “I Am The Cavalry” and others are trying to do. Indeed, one of their greatest contributions is pointing out that the attack surface is much larger than it would be for a bank’s server, for instance. But by defining the problem so generally, they risk turning the task of securing your fitness watch into the task of securing “the Internet”. Of course, it may also be that bad in reality.
The Internet of Things: The Whatchamacallit of Thingamajiggies
(See what I mean? It’s even hard to parody “Things” because it’s already so imprecise.)
“Internet of Things” doesn’t describe much that’s useful from a security standpoint. On one hand, it includes widely varying classes of devices with correspondingly varying needs for security. On the other hand, it fails to describe or delimit the extent of the network that needs securing. Saying “Internet of Things security” adds nothing to just saying “security” except to warn the listener that they might need to be worrying about a very large class of problems, and end-users who don’t think they’re using a computer.
Maybe the term is useful elsewhere (it certainly is useful for marketing or getting money out of investors). But when I hear it in a security context, especially coming from the press or from the government, my eyes roll and my stomach turns just a little bit — maybe I should be stoked that they’re paying attention at all, but I pretty much know that they’re not going to be saying anything concrete. Figuring out what descriptive and useful terms replace “IoT” is left as an exercise to the reader, but it’s one that could have profound and focusing effects on the field.
Death to “the Internet of Things”! Long live “network-connected critical health-monitoring devices” and “cars with WiFi connections”.