Every vendor’s got a piece of the Internet of Things, including Wilson Sporting Goods, which on Monday revealed a Bluetooth-enabled football that captures data about the ball’s performance in the air and relays it to a smart phone app.
But also on Monday a security researcher at Trustwave SpiderLabs blogged about a vulnerability he found in a Trane smart thermostat he bought last December as part of a new furnace from manufacturer Trane.
Username and password credentials on the Wi-Fi Comfortlink XL850 thermostat were hard-coded into the firmware and couldn’t be changed. It also held open a TCP port. Combined, an attacker could get remote access to the device and not only do harmless things like change the home’s temperature, but also gain access to chat and alarm history, active socket connections, trusted URLs, secret IDs, detailed address and installer information.
Among other things an attacker also might be able to figure out when someone wasn’t home.
In addition, Trustwave found a lot of the source code for the thermostat’s Nexia mobile platform could be found on Github, the public exchange for developers, which included sensitive information about the software including encryption keys, credentials and others.
Almost as bad is that it took Trustwave about two months to find someone at Trane who it could notify about the problem and have it fixed.
Eventually developers at Trane’s parent company, Ingersoll-Rand were made aware of the vulnerabilities and issued software updates – and also improved their bug notification process – which is why Trustwave was able to publicize the incident now.
“It was kind of a horror story at first that ended up having a happy ending,” Karl Sigler, Trustwave’s security research manager for threat intelligence, said in an interview. “It’s a cautionary tale of how you can actually deal with these vulnerabilities as an IoT-developing organization.”
A Trane spokesperson couldn’t be reached Monday for comment.
For CISOs at firms that make IoT devices – which range from footballs to medical equipment – as well as organizations that use them, IoT security is a relatively new field. Not only do thousands of devices need to be made secure, so do the networks the data they collect run on. Unlike enterprise data, if not secured right IoT devices and data can put lives at risk, affecting car operations, stop lights, electrical grids and pacemakers.
It’s not like security is new to developers, says Merritt Maxim of Forrester Research, but “in a lot of cases awareness and action are two different things.” The rush to get products to market “is enough to offset security concerns.”
Jon Oltsik, a security analyst at the Enterprise Strategy Group, says many makers of industrial IoT devices have got the message and are building in resiliency into their devices. “In other industries however, security considerations for IoT remain lacking. This is especially true in the medical industry and in consumer goods. We’ve seen hacks of things like insulin pumps and automobiles for years. Things are getting better but these industries remain behind.”
In a report issued earlier this year on securing IoT, U.S. telco AT&T said “the IoT ecosystem has become a digital Petri dish for hackers and other cybercriminals eager to probe for new weak spots.” Over the past two years, AT&T’s Security Operations Center has logged a 458 per cent increase in vulnerability scans of customers’ IoT devices.
There’s no shortage of IoT-related horror stories:
— In June security vendor Securi Inc. described a botnet that leveraged thousands of Web-connected video surveillance cameras ot launch a targeted distributed denial of service attack.
–In December a malware attack on a Ukrainian electrical utility cut power for several hours ot 1.4 million people.
–The AT&T report says in 2014 attackers inflicted “massive damage” on a blast furnace at a German steel mill after a phishing attack allowed them to steal employee login information.
One problem is there are no IoT security standards, although some groups are working on one. The Open Connectivity Foundation, for example, an industry group that includes Cisco Systems, Intel, Qualcomm, GE Digital, Samsung, Microsoft, IBM and dozens of others, is working on interoperability and security standards. In June it issued a draft candidate 1.1 specification that includes a 108-page security spec covering a network connection to an application server, data encryption and access control.
The U.S. National Institute of Standards and Technology (NIST) has just issued a model to help developers and network architects understand the building blocks of an IoT system, including security.
But AT&T’s report warns the C-suite can’t wait for standards to take hold. “The steps you take now to secure IoT devices will have a direct impact on your ability to do business with customers and partners in the IoT economy.”
Design is important. For example Google say its Nest thermostat security stack has application-specific encryption keys. So someone can’t unlock your front door by hacking your patio lights. Basic security — including assessing risk, network segmentation, encryption, no default passwords — comes into play as well. The difference, of course, is scale.
Beyond device security IoT creators and users have to decide on how much personally-identifiable data needs to be collected. For that they can rely on the Privacy by Design approach first detailed by former Ontario privacy commissioner Ann Cavoukian.
Another difficulty is the scale of IoT devices, which for some organizations could be in the thousands or tens of thousands. That creates security problems at scale. “The problem with IoT is not the “T”, it’s the “I,” says Forrester’s Maxim, because hackers can use IoT devices to launch large-scale attacks against a firm’s infrastructure and on other firms’ resources That’s why he maintains identity and access control on IoT data is needed on top of encryption.
In a report Maxim co-authored and issued in May, Forrester says security leaders have to treat access management for IoT as a specialized domain, not simply as an extension of traditional IAM processes for mobile devices, laptops, and desktops. Among other recommendations Forrester says device manufacturers must provide hardened IAM APIs for devices aimed at enterprise IoT.
Finally, let’s not forget the bug reporting problem Trustwave reported. Device manufacturers should have a formal process and publicly-available resources (phone number, Web site) for reporting vulnerabilities.
“By approaching the IoT strategically and with security at the core of every connected device, your organization can begin to capture new business value,” says the AT&T report, “while keeping potential risks in check.”