Standardizing Security: Mitigating IoT Cyber Risks

(Part I of an II Part Series)

By Daniel Jetton, Vice President of Cyber Services, OBXtek

And Carter Simmons, Deputy Program Manager, OBXtek

Introduction

We, in America, are fully immersed in this ubiquitous, connected network that allows devices to communicate with each other and their owners. Devices like your smartwatch can communicate with your smartphone and your smartphone can communicate with your DVR and your DVR can communicate with your cable provider and so on. Your Amazon Echo may communicate with all of them. The Internet of Things (IoT), as it has come to be known, is a term coined in 1999 by Kevin Ashton, a British technologist, to describe this network that connects people and objects around them (Gabbai, 2015). Depending on the definition, the first application of IoT can be traced back to 1982 in which a modified Coke machine at Carnegie Mellon University was able to report its inventory and temperature through an internet connection. Intel argues that ATMs (dating back to the 70s) were the first IoT devices (O’Keefe, 2016).  Most people are already aware of smart refrigerators, video cameras, thermostats, lamps, and their capabilities but during the 2019 Consumer Electronics Show (CES) you could have found expanded IoT which included facial recognition pet bowls (for those with multiple pets/food thieves), smart apparel with sensors for sport and health and even a Kohler Konnect bathroom which can start the shower, adjust water temperature and warm your toilet seat through an app (Lee, 2019).

In 2018, there were more than 7 billion IoT devices in use with an estimated 10 billion by 2020 and 22 billion by 2025. This does not even include devices that were bought, but no longer used. We are talking a $151 billion market today expanding to $1.567 trillion by 2025 (Lueth, 2018).  Largely due to global distribution and growing internet availability, the demand for connected devices will increase while the cost of sensors, sensor technologies, and high-speed internet decreases. The biggest segment of IoT is consumer electronics which makes up almost 30% of the market share. The only thing slowing the growth will be a shortage of IoT expertise and trained workers, along with a lack of universally accepted standards and protocols (Inkwood, 2017).

Tradeoff

With the massive and expedient proliferation of all these connected devices, we are looking at a changing world, but at what cost to security? A 2015 Icontrol “State of the Smart Home” study found that 44% of all Americans were “very concerned” and 27% “somewhat concerned” about the security of their personal information in a smart home. Polling 5000 enterprises globally, a 2016 AT&T Cybersecurity Insights Report found that 85% of enterprises were either currently or planning to adopt IoT hardware, yet only 10% were confident they could secure these devices (Meola, 2016). “A lot of the manufacturing behind IoT devices today feels like the Gold Rush… everyone wants to get there in a hurry,” said John Cook, senior director of product management at Symantec. “You effectively have people staking out a claim in the area without further thought to security.”

The Threats

Tony Anscombe, the global security evangelist with ESET, an IT security company, proved this by spending months testing 12 IoT devices ranging from smart scales to wearables and found an array of security issues – from passwords stored in plain text to encryption issues. “We saw unencrypted firmware updates, unencrypted video streaming for cameras, communication and server in plain text and passwords stored unprotected. We saw privacy policy concerns.” While IoT security has been criticized over the past few years, IoT device privacy is another rising pain point highlighted at RSA Conference, a leading cybersecurity event, particularly with the rise of voice assistant devices such as Amazon Echo and Google Home. “One issue we found with these [IoT] devices is that it might not be a vulnerability – it might be that we’re oversharing data,” said Anscombe (O’Donnel, 2018). Even so, hardware issues abound. The TRENDnet Webcam, marketed for home security and baby monitoring, was found to have faulty software allowing viewing and listening capabilities to anyone with the camera’s IP address. St. Jude Medical produced an implantable cardiac device that could have allowed hackers control of the device.  Jeep’s SUV was hacked by researchers in 2015, enabling them to hijack the vehicle and control it over the cellular network. They were able to speed it up, slow it down, and steer it off the road remotely (iotforall, 2017). There have been cases of smart refrigerators sending pornographic spam and televisions recording conversations. One of the most disruptive IoT attacks consisted of thousands of hacked security cameras used to create the largest distributed denial of service (DDoS) attack against a domain name system (DNS). The DNS provided services to Twitter, CNN, and Netflix (Zamora, 2017). These are all documented incidents using the IoT against itself.

IoT Vulnerabilities

The insecurities of IoT stem from numerous things:

• Security isn’t built in. The devices today are being built for convenience and, on the surface, it seems we may be too willing to give up security for convenience.
• Additional security safeguards drive up costs. Will extra cost deter producers from building in security if not a priority for buyers? Is government regulation necessary to mandate protections in the same way they were implemented for the automobile (Palmer, 2017)?
• Devices have a direct interface with the internet and typically an internal network, increasing the number of attack vectors for bad actors.
• The sloppy or residual code is left within the device from development features that are no longer relevant but leave open security concerns.
• Default credentialing (standard factory passwords) allows open access to anyone because a personal code, password or biometric is not mandatory (Zamora, 2017).

Additionally, hackers are continuously trying to exploit IoT vulnerabilities with tools and techniques. A new tool called Autopilot can find vulnerable internet-connected IoT devices using artificial intelligence. Once identified, hackers can conduct elaborate attacks (Mosca, 2018).

Foundational Issues

There are various foundational issues when dealing with security on IoT devices and applications.

• IoT devices and applications are rapidly developed and frequently updated. This makes it difficult for security professionals to keep up with the ever-changing environment.
• There are billions of IoT devices that cross multiple sectors, in their day to day use and this number is exponentially growing.
• Since the devices are in the hands of the user, they have the ability to change various settings as well as the ability to mod their devices.
• The majority of IoT users are not technical people and they do not know how to harden their devices.
• There have not been any security standards or best practices developed for IoT devices and applications.

Government Takes Action 

The Department of Homeland Security (DHS) recently released its 27-page Cybersecurity Strategy focusing on seven goals divided into five pillars of their approach. The provided framework accounts for IoT security and addresses it specifically, in the beginning, stating, “The proliferation of technology also presents new cybersecurity challenges and leads to significant national risks.” It goes on to mention the billions of connected devices expected by 2020 and the expanding risk associated with that. DHS uses the term “cyber ecosystem” throughout the Strategy. This can be ascribed to strategic thinking on their part, referring to a holistic approach to supporting the DHS security goals and managing risk. Goal 6 “Strengthen the Security and Reliability of the Cyber Ecosystem” includes, “the widespread adoption of improved operational and policy frameworks” and elaborates, via Objective 6.1, by describing the requirement for identification and development of technical, operational and policy innovation to improve security and resiliency of the cyber ecosystem. The Strategy even goes so far as to call out IoT device developers and manufacturers for their focus on “speed to market” as opposed to security (DHS, 2018).

Senator Edward Markey (D-Mass) and Representative Ted Lieu (D-Calif), two forward-looking lawmakers, are pursuing a solution to IoT security issues. They are endorsing the Cyber Shield Act of 2017 which creates a voluntary cybersecurity certification program to promote products meeting security standards, guidelines, best practices, methodologies, procedures, and processes. In October 2017, the Cyber Shield Act (CSA) was introduced to Congress. This act will “establish a voluntary program to identify and certify covered (IoT) products…through voluntary certification and labeling of…covered products and subsets of covered products that meet industry-leading cybersecurity and data security benchmarks to enhance cybersecurity and protect data.” The CSA also establishes a Cyber Shield Advisory Committee under the Secretary of Commerce (Congress, 2017). The Cyber Shield Act would pull together professionals from industry, academia, and consumer groups to create an advisory committee on standards for IoT.   Products would be submitted for evaluation and, once passed, receive the established logo (Heckman, 2018). The committee would have one year to establish the format and content which would be the precursor for receiving the certification/label (Segura, Woo, Butler & Cadigan, 2018). The biggest issue when introducing the government sector into the IoT environment is the ability to keep up with the amount of IoT devices and applications that get introduced to the market every year. This legislation could prove to be very resource heavy and tedious. What would be the baseline? What current standards could be recycled? The last action of the CSA were hearings in April 2018 (Congress, 2019).

California lawmakers introduced bill SB-327 in February 2017 which was signed into law by the governor on September 28, 2018, and will take effect January 1, 2020. The focus is that “a manufacturer of a connected device shall equip the device with a reasonable security feature or features.” Unfortunately, vagueness is not its only weakness. It simply requires authentication to either 1) have a unique password or 2) prompt users to set up their own. That’s it. Hardly a solution for the security of IoT (Cimpanu 2018).

The ubiquity of IoT devices and functionalities has gotten ahead of security. Our penchant for convenience will ensure that IoT devices promulgate, but without security, these devices can and will be used for nefarious purposes, often against the device owner. The industrial revolution and the production of manufactured devices mandated action to ensure the safety of the public. IoT is no different in that it requires an entity to advocate security. The government has taken action to address the vulnerabilities of IoT in various initiatives like the DHS Cybersecurity Strategy and as specific legislation like the Cyber Shield Act of 2017. California has also moved forward. While this is a good start, we feel that solutions based on tried and true processes and models the prudent way forward. Please read our follow up to this research in Part II of our article coming next month.

References

Cimpanu, C. (2018). First IoT security bill reaches the governor’s desk in California. Retrieved from https://www.zdnet.com/article/first-iot-security-bill-reaches-governors-desk-in-california/

Congress. (2017). Cyber Shield Act of 2017. Retrieved from https://www.congress.gov/bill/115th-congress/senate-bill/2020/text

Congress. (2019). S.2020 – Cyber Shield Act of 2017. Retrieved from https://www.congress.gov/bill/115th-congress/senate-bill/2020/actions

DHS. (2018). U.S. DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY STRATEGY. Retrieved from https://www.dhs.gov/sites/default/files/publications/DHS-Cybersecurity-Strategy_1.pdf

Gabbai, A. (2015). Smithsonian Magazine. Kevin Ashton Describes “the Internet of Things”
Retrieved from https://www.smithsonianmag.com/innovation/kevin-ashton-describes-the-internet-of-things-180953749/

Heckman, J. (2018). NIST lays out a roadmap for the Internet of Things security. Retrieved from https://federalnewsradio.com/technology-main/2018/02/nist-lays-out-roadmap-for-internet-of-things-security/

Inkwood Research. (2017). Consumer Electronics Regenerated with the Internet of Things.  Retrieved from https://www.inkwoodresearch.com/consumer-electronics-regenerated-with-internet-of-things/

Iotforall. (2017). Retrieved from https://www.iotforall.com/5-worst-iot-hacking-vulnerabilities/

Lee, S. (2019). CES 2019 Preview: 10 Must-See Products.  Retrieved from https://www.iotforall.com/ces-2019-preview-10-key-products/

Lueth, K.L.(2018). State of the IoT 2018: Number of IoT devices now at 7B – Market accelerating. Retrieved from https://iot-analytics.com/state-of-the-iot-update-q1-q2-2018-number-of-iot-devices-now-7b/

Meola, A. (2016). How the Internet of Things will affect security & privacy. Retrieved from http://www.businessinsider.com/internet-of-things-security-privacy-2016-8

Mosca, D. (2018). Hacking the internet of things just got easier – it’s time to look at your security.  Retrieved from https://www.computerweekly.com/opinion/Hacking-the-Internet-of-Things-just-got-easier-its-time-to-look-at-your-security

O’Donnell, L.  (2018).  IoT Security Concerns Peaking – With No End In Sight Retrieved from  https://threatpost.com/iot-security-concerns-peaking-with-no-end-in-sight/131308/

O’Keefe, S. (2016). 24 Cool IoT Facts to Celebrate Internet of Things Day. Retrieved from http://blog.calysto.com/iot/24-cool-iot-facts-to-celebrate-internet-of-things-day

Palmer, D. (2017). Internet of Things security: What happens when every device is smart and you don’t even know it? Retrieved from http://www.zdnet.com/article/internet-of-things-security-what-happens-when-every-device-is-smart-and-you-dont-even-know-it/

Segura M., Woo, M., Butler, C. & Cadigan, B. (2018).  Sticker shock? The Cyber Shield Act of 2017 attempts to make IoT manufacturers prioritize IoT security. Retrieved from https://www.reedsmith.com/en/perspectives/2018/03/sticker-shock-the-cyber-shield-act-of-2017

About the Authors

Dan Jetton is the Vice President of Cyber Services for OBXtek. He is responsible for leading and defining cyber strategy while ensuring security, defense and risk mitigation for his clients.  OBXtek’s accomplished teams have an established reputation for consistently and efficiently achieving goals for its portfolio of federal government customers. Dan Jetton, MBA, MS, MA is a CISSP, CAP, and PMP with 20 plus years of military service.  He can be reached online at https://www.linkedin.com/in/danieljetton/ and at the OBXtek website http://www.obxtek.com/. You can follow him on Twitter @CyberPhalanx for cybersecurity news.

Carter Simmons, MS, CAP serves as deputy project manager on OBXtek’s State Department Bureau of Consular Affairs and Office of Consular Systems and Technologies’ Information Systems Security Support (ISSS) team on which he offers expertise in the risk management framework (RMF). In addition to his certification as a CAP (Certified Authorization Professional), he holds a master’s degree in Cybersecurity from the University of Maryland University College.