If there’s a Wild West of the Internet today, it’s the Internet of Things. There’s a lawlessness caused by ineffective and insufficient security, a lack of understanding of who the enemy is, and, while outlaws have yet to appear on the scene, their arrival can only be imminent. As it was in the Wild West of the American frontier, it is becoming necessary to treat all IoT devices that approach our fort as “the enemy.”
The frontier problem starts with the fact that IoT is not well-defined and, today, it seems that everything is an IoT device – from cars to home thermostats to traffic lights to door-entry systems. The trouble is that we – the consumers – are trusting that these IoT device manufacturers have figured security into their IoT device design. The truth is that some have and some haven’t, and, just as hackers are targeting the security holes of our operating systems, it is only a matter of time until they start targeting our IoT devices. It isn’t much of a stretch to look at all the recent attacks on Point of Sale (PoS) systems as IoT attacks, for example. Look at the recent security issues around Nest thermostats and Wink hubs as further evidence.
There are a couple of major issues around IoT devices from a security perspective today. One is that there are too many and too few IoT standards. Huh? How can you have too many and too few at the same time? On the too-many front, we have too many standards for IoT device communication protocols. IoT devices don’t just communicate via TCP/IP but also via Bluetooth, SCADA, Z-Wave, and Zigbee, to name a few. That means that monitoring all of these different protocols from a security or firewall perspective is very difficult.
Despite all that “choice,” however, we have no single standard that effectively enables authentication, identity, and privacy for IoT devices. Sure, we’ve had progress with things like PKI, OAuth 2.0, and OpenID Connect, but we don’t have one standard that covers these concerns for the IoT.
Let me illustrate a small example of my own IoT security problem – one that I think many of us already have or will soon have. My home network is probably very similar to yours. I have various devices that all use my network: iPhones, iPads, laptops, Roku and other TV devices, along with some network-attached storage for file storage. The main difference between my home network and yours might be the fact that I run a commercial hardware-based firewall. With that firewall come many security bells and whistles, including features like IP blacklisting, botnet detection, and GeoIP location analysis.
Recently, I turned on that last option related to GeoIP analysis. After two weeks of monitoring, I looked at an analysis of my Internet traffic, and imagine my surprise when a chart appeared showing which countries my devices were communicating with. I expected that my number 1 location for IP traffic would be the United States because I live and work in the United States – that part turned out as expected. But the number 2 location really threw me for a loop: China! The immediate questions I had were: Is this inbound traffic? Is this outbound traffic? Both? Which device(s) on my network were sending or receiving this traffic? For what purpose?
The average home user will not have a sophisticated firewall like I do – but many businesses do. Still, I wonder how many enterprises are truly tracking their IP traffic by GeoIP destination? How many people track this type of data over time to try to correlate which devices might be leaking or absorbing packets from suspicious locations? Once you know which device(s) are communicating with which location, how do you analyze that communication to make sure it is appropriate?
Until every business can answer those types of questions, there’s only one recourse: hunker down in your fort, isolate all your IoT devices – the “enemy” – on separate virtual LANs (VLANs), and monitor and analyze your IP traffic for warning signs. Oh, and if you’re a home user whose firewall is what your ISP shipped you, then you are approaching the IoT frontier in a covered wagon, so you’d better get prepared for an attack – it’s not if, but when.
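Building the per-device, per-country view those questions call for, as an added example that is not the author's firewall or any vendor's tooling: it parses constructed firewall log lines, maps remote addresses through a constructed prefix-to-country table that stands in for a real GeoIP database, assumes the local subnet is 192.168.1.0/24, and flags each device that exchanges bytes with a country outside an expected set.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed prefix-to-country table. A real deployment would query a GeoIP
# database instead; these documentation prefixes and codes are illustrative only.
GEOIP_PREFIXES = {
    "203.0.113.0/24": "US",
    "198.51.100.0/24": "CN",
    "192.0.2.0/24": "DE",
}
LAN = ip_network("192.168.1.0/24")   # assumed home/office subnet
EXPECTED_COUNTRIES = {"US"}          # where you expect your devices to talk

# Constructed log lines in a generic key=value form, not any vendor's real format.
SAMPLE_LOG = """\
ts=2015-07-01T10:00:01 src=192.168.1.20 dst=203.0.113.5 proto=tcp dport=443 bytes=5120
ts=2015-07-01T10:00:07 src=192.168.1.31 dst=198.51.100.9 proto=tcp dport=8080 bytes=880
ts=2015-07-01T10:01:12 src=198.51.100.9 dst=192.168.1.31 proto=tcp dport=49152 bytes=640
ts=2015-07-01T10:02:30 src=192.168.1.20 dst=192.0.2.77 proto=udp dport=123 bytes=76
ts=2015-07-01T10:03:44 src=192.168.1.31 dst=198.51.100.9 proto=tcp dport=8080 bytes=1200
"""

def country_for(ip):
    """Map a remote address to a country code ('??' if the table has no entry)."""
    addr = ip_address(ip)
    return next((cc for pfx, cc in GEOIP_PREFIXES.items() if addr in ip_network(pfx)), "??")

def parse_line(line):
    """Return (local_device, remote_ip, direction, bytes), or None for blank/non-LAN lines."""
    if not line.strip():
        return None
    f = dict(kv.split("=", 1) for kv in line.split())
    if ip_address(f["src"]) in LAN:
        return f["src"], f["dst"], "out", int(f["bytes"])
    if ip_address(f["dst"]) in LAN:
        return f["dst"], f["src"], "in", int(f["bytes"])
    return None

def summarize(log_text):
    """Aggregate bytes per local device, per remote country, per direction."""
    totals = defaultdict(lambda: defaultdict(lambda: {"in": 0, "out": 0}))
    for parsed in filter(None, map(parse_line, log_text.splitlines())):
        device, remote, direction, nbytes = parsed
        totals[device][country_for(remote)][direction] += nbytes
    return totals

def flag_unexpected(totals, expected=EXPECTED_COUNTRIES):
    """Sorted (device, country, in_bytes, out_bytes) rows for countries outside `expected`."""
    return sorted((dev, cc, d["in"], d["out"]) for dev, by_cc in totals.items()
                  for cc, d in by_cc.items() if cc not in expected)
```

Run `flag_unexpected(summarize(SAMPLE_LOG))` over a real export and the rows answer the inbound/outbound and which-device questions directly; keeping the summaries over time is what lets you spot a device whose country mix changes after a firmware update.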