The Internet of Things (IoT) is beginning to have a huge impact on our daily lives, and it will grow by orders of magnitude. However, the multitude of IoT devices with zero, limited or outdated security could produce disastrous results. It will be a formidable task to secure every small IoT device or toy. Security solutions that watch device behavior and identify anomalies might be our only hope.
The IoT is on the rise...
The genesis of IoT goes back to the early ’90s when PARC chief scientist Mark Weiser came up with the vision of Ubiquitous Computing and Calm Technology. In this vision, computing becomes “your quiet, invisible servant” and disappears from conscious actions and the environment of the user.
In recent years, smartphones, smartwatches, smart home appliances and more have brought us closer to that vision. The Internet of Things stresses the technology-focused aspect of this vision — the idea of autonomous intercommunication of small Internet-enabled devices with the aim of learning and anticipating observable user behavior.
While the IoT acronym has come into vogue recently, it is no new thing inside enterprise networks. IoT includes printers, phones, alarm systems, thermostats, CCTV cameras, etc. and thus has been around for a while now.
However, when hitting the consumer market, according to the National Intelligence Council, IoT will be a disruptive technology by 2025. And by 2020, there will be tens of billions of Internet-enabled devices that generate global revenue of more than $8 trillion.
A good example for an IoT device that has hit the mass market is the Nest thermostat, transforming a traditional user-operated thermostat into an intelligent sensing device that adjusts the temperature based on observed user behavior.
While IoT shows amazing promise, it comes with serious security implications that accompany wide-scale IoT deployment. According to the National Security Telecommunications Advisory Committee (NSTAC), “There is a small — and rapidly — closing window to ensure that IoT is adopted in a way that maximizes security and minimizes risk. If the country fails to do so, it will be coping with the consequences for generations.”
Is it safe?
Can IoT ever be safe? And what threats are lurking in IoT? Is it even possible to create an IoT infrastructure that is protected from intrusions and internal misuse? The multitude of IoT devices, all with unique software stacks, will expand traditional attack surfaces used by hackers in two directions.
What cyber threats are lurking about in your network? Read more>>
First, there will be many more devices in the network and these devices are likely to be more vulnerable because they have limited, outdated, or no security software running on them. And besides being an easy entry point into the internal network, the limited software stack of miniature devices represents a perfect hiding place for malicious code and thus a permanent backdoor into the network.
Second, increased device density also generates more key assets that are susceptible to theft. More behavior data is tracked and visible through miniature devices, such as presence and absence patterns. With IoT, it’s not so much about credit card numbers but rather stealing rich data records and behavior information.
This is aligned with major privacy issues that arise when dealing with IoT. An infinite number of small devices can observe the user from every possible angle, and almost any information can be derived from this.
For example, as mentioned above, the Nest hack will not only enable the manipulation of the room temperature settings, but more importantly, Nest derives future patterns of absence of inhabitants that can easily be used for criminal activity such as burglary.
In addition to external threats, as we have seen for BYOD policies, increased device density creates opportunities for data theft and even sabotage from the inside. Disgruntled employees that turn against their employers can destroy and steal data that they have direct access to, as well as download confidential data about user behavior and manipulate the IoT infrastructure to do harm.
Considerations for practicing safe IoT
Practicing safe IoT is not a panacea and there are no guarantees it will protect everything. It might be unrealistic to use classic on-device security (think antivirus software on your laptop) to protect a multitude of miniature devices. There are only a few other options.
One could run the whole IoT network in a controlled and secured environment, with no or very limited access to the Internet — this is effectively the best practice for networked Industrial Control Systems (ICS) such as nuclear power plants and factory floors. But this approach won’t work with most IoT devices because they require access to data from the Internet to deliver their designed value. It also runs the risk of hostile intrusions that can cause serious damage.
Consequently, most security specialists opt for a behavior monitoring solution. Instead of securing the network and any IoT device on it by restrictive policies, the communication paths are kept open, but all behavior is closely monitored. “The system watches all devices, learns what’s the norm, and flags abnormal behavior,” noted Symantec’s Jeffrey Green in a PC Magazine article.
Recent advances in data science will enable the construction of narratives from behavior anomalies and indicators and thus keep false positives under control. Let’s hope that this will help create the secure and privacy-preserving network infrastructures while still allowing the promise of IoT to flourish.
The Vectra Networks™ June 2015 Post-Intrusion Report (PIR) provides a first-hand analysis of active and persistent network threats inside an organization. This study takes a multidisciplinary approach that spans all strategic phases of a cyber attack, and as a result reveals trends related to malware behavior, attacker communication techniques, internal reconnaissance, lateral movement, and data exfiltration.
Oliver Brdiczka is an AI Architect at Adobe. He has led R&D teams and designed/build AI systems that understand and respond to human behavior, relying on data from various sensors and deployments. Before joining Adobe, he was an advisor at Quantiply Corporation and Yobs. Previously he was a co-founder and VP of AI research at Stella.ai and principal data scientist at Vectra. He received a masters in computer vision, robotics, and imagery and a PhD in computer science and artificial intelligence from Institut polytechnique de Grenoble.