13 February 2016

Internet-enabled objects add to security risks


Divide the IoT security problem into pieces, says Cisco engineer

The Internet of Things (IoT) will create additional security risks for businesses and consumers, according to network security experts at the APNIC 38 conference in Brisbane.

Each new machine connected to the Internet opens another window for malicious attackers to enter, they said.

Eric Vyncke, an engineer with Cisco, said the extent of damage caused by hacking an IoT device can range from minor to devastating. For example, an air-conditioner system could be attacked to cause shivers in a conference hall or a nuclear power plant could be attacked to precipitate a meltdown, he said.

On a more consumer level, a hacker could attack an Internet-connected pacemaker or an insulin pump to bring potentially fatal harm to a person, said Vyncke. Or, a burglar could scan the smart meter of a house to determine the hours or days when the owner is least likely to be home, he said.

Internet-connected devices on the edge of the network should be built with adequate security protections, but this is frequently not the case, said Farsight Security CEO Paul Vixie. 


A recent example was a widely distributed Internet-enabled light bulb that carried a major security flaw, he said. The bulb, designed by LIFX, learns the wireless key for encryption when it's connected to the network but afterward has no security to protect that information, he said.

"In other words, anybody coming into your house could then inquire of that light bulb what your key was and it would tell [them]." 

However, it's not possible to fix this problem, because the manufacturer has no list of customers who bought the bulbs, the bulbs cannot be reprogrammed through a network upgrade, and the company doesn't have the money to do field upgrades, said Vixie.

"So now what we have is an attack surface that has been built through efficient capitalism. We have ... potentially hundreds of thousands of these light bulbs out there with this bug, and we're going to have them forever or as long as these light bulbs last."

Given that IoT is a broad term covering a wide range of technologies in many diverse areas, the best approach to closing the security gap is to break the problem into niche areas to solve, said Vyncke.

"We need to cut the IoT problem into smaller pieces," he said. "Address [the problems] one by one, and it will be easier."

No comments: