The Internet of Things revolution has succeeded in making our lives considerably more 'connected' than ever before. IoT incorporates new levels of depth into everyday objects like your coffee machine, watch, clothes, and car, to name just a few.
According to the research firm Gartner, there were approximately 6,381.8 billion IoT devices in use globally during 2016. They foresee this number skyrocketing to over 20 billion by 2020, with more than 60% of the devices being in the consumer market. Cisco has been even more liberal in their prediction, stating that they foresee 50 billion devices out in the world by 2020.
However, IoT is also now facing its biggest hurdle: Security.
Unless IoT security can catch up fast, the revolution will be placed on hold.
IoT and Open Source - A tinkerer's playground
Unsurprisingly, the IoT movement is being built on open source. Much like the rest of the IT world that relies on incorporation of open source components, it is simply easier to build IoT on the infrastructure developed by the open source community. Practically, the dependence on open source code comes down to interoperability and general connectivity. As studies have shown, open source is ubiquitous in IoT technology.
On their own, these devices with tiny brains in them are cute but relatively limited in their effectiveness. What makes them powerful is the ability to connect them to the big data tools and other massive back-end systems to power their increased functionality. In order to do this, though, device makers need to make sure that these systems can talk to all (or at least as many as possible of) the other machines out there.
The Linux Foundation and the Open Connectivity Foundation are already hard at work putting together a set of standards through their joint IoTivity project that they hope will provide a framework for this space going forward.
The Zephyr Project is another initiative from the good folks at Linux and their supporters that is looking to develop an OS for IoT and, at the very least, make sure that devices are speaking to each other following the same protocols.
How vulnerable is the IoT community?
Once these devices are able to communicate properly, some substantial security concerns arise: the challenge of securing their substantial databases, which continuously gather huge volumes of varied data; the IoT devices' newfound hyperconnectivity; and the devices' ability to automate a decision-making process based on the collected data, which a hacker who gained access could tamper with.
IoT devices are continuously collecting data, and are thus connected to massive databases. We saw a scary example of how easy it is for malware to leverage database vulnerabilities when a data breach at Target leaked 110 million credit card details.
In addition, enjoying a quickly widening threat surface, hackers can now either attack the devices themselves (raising concerns for power plants, medical devices, or autonomous cars) or use them as slaves in a botnet for DDoS attacks like the one we saw on Dyn DNS in October of 2016 that took major sites like Twitter and PayPal offline.
Harnessing the Mirai malware, which ironically was posted to GitHub before being modified for this and other attacks, the hackers who went after Dyn highlighted a serious vulnerability in the IoT ecosystem when they took over thousands of IoT devices to overwhelm their target.
So was this a complicated operation carried out by the Russian GRU’s 'Fancy Bear' or one of China’s skilled cyber units? Probably not.
The business risk intelligence firm Flashpoint believes that the hack was carried out by script kiddies using some fairly basic methods that exploited the low level of security in the targeted IoT devices.
The State of IoT Security
Speaking with Geektime last year, Comcast SVP and Chief Product and Information Security Officer Noopur Davis remarked that 'There’s a lot of bad practices out there,' giving the industry its fair share of the blame for the current state of security affairs.
While the defenses against complex attacks are growing, because of legacy software that is built on commonly used open source code, many products and systems are vulnerable to very basic attacks that were popular 20 years ago.
'We see a lot of the same old stuff [on the attackers’ side] that we’ve been seeing forever,' says Davis. 'In the early 2000s, they produced these ‘Top 10’ lists like the ‘Top 10 Most Common Vulnerabilities That Hackers Exploit.’ And, so what is it now? Sixteen years later, most of those items on that Top 10 list are still the same: Buffer overflows, SQL injection, cross-site scripting. It’s just amazing!'
'I hear a lot more about ransomware now,' she says regarding trends in the way hackers attack. 'It’s not just that ‘I’ll publish your secrets!’ but ‘Give me money and I won’t publish them.’ I’m reading about those trends, but the exploits themselves? It’s the same dang stuff over and over again. Some old code running on some machine somewhere and you just have to figure out which one of the standard exploits will work. Our job is to just make that harder and harder to do.'
Hackers know that if there is a flaw in a particular commonly used open source library, then they have an increased chance of being able to use it to exploit the different companies that are using it. This is where bug tracking systems can be a real thorn in their sides. When it works correctly, bug tracking allows the users of open source software to report vulnerabilities in the libraries that they are using, alerting other developers to the dangers and flagging the vulnerabilities for repair.
With any luck, a team can catch these bugs early in their process before their code is out the door. If not, they can at least issue the proper patch in the next update without disturbing their users.
The way forward for safer IoT development
By drawing on the power of the crowd, uncovering these hidden landmines becomes considerably less labor intensive for individual teams, as long as developers remember to use the tools that help them stay on top of any changes to the security of the libraries that they are using in their products.
While perhaps a bit optimistic, ensuring that the future of IoT is built on open source could actually serve an additional public good. The expected wave of new players that will enter the IoT space coming from other sectors like traditional manufacturing will lack some of the basic knowledge about how to handle security. After all, who ever tried to hack a coffee machine before?
Either way, since open source components are such a big part of IoT development, companies need to make sure they invest in open source security practices to reduce their own risk, as well as the risk to others if hackers take control of their poorly secured devices. This concern could become more important, as the increasingly security-conscious public is likely to expect vendors to take greater responsibility for their products’ security.
Especially in the consumer space, the rollout of IoT has remained fairly restrained, with the industry still looking for ways to overcome their justifiable security concerns. If the sector is to meet the grand expectations set forth by Gartner and Cisco, then they will need to seek out scalable and effective solutions to deal with open source security vulnerabilities and make sure IoT lives up to expectations without putting consumers at risk.