14 DAY TRIAL // Ahh... the Internet of Things. A term that in the span of two years has gone from symbolizing "a bright future where technology will make our lives better" to "what the hell have we done!" And responsible for IoT's sharp reputational decline can be attributed to one thing and one thing only: *security*.
IoT's fast start has caught everyone off guard, and especially regulators and standards administrators. Even before we could realize the impact of all those shiny new "smart" devices being churned out on a daily basis, we were all already doomed.
With billions of IoT devices spread around the world, these devices are the Achille's heel of any modern network. They're entry points for any smarty-pants hacker that wants to compromise your company or your house.
After a series of IoT-driven DDoS attacks that took place this fall, the infosec community is more aware than ever of the dangers these devices pose.
Securing the IoT landscape using TOR
But efforts to secure the Internet of Things haven't started all of a sudden after the Krebs DDoS attacks.
Even before, there were mindful experts working on ways to avoid the unavoidable. People who started looking for ways to protect IoT devices even before the rest of us fully understood the big hole they were putting in our network defenses.
The project that got the most media attention is one that aims to use Tor to secure server-client communications for IoT devices.
By using the Onion protocol, which comes with built-in encryption support, IoT vendors will have a much easier time implementing a secure communications and update delivery process for their devices.
Using Tor with IoT mitigates much of the attack surface to which smart devices are exposed when working with HTTP or vendor-implemented HTTPS (or lack of).
XMPP can be an alternative
While the Tor+IoT= <3 project is already underway and a prototype is already available, another great idea for security the Internet of Things comes from application security firm Security Compass.
Their proposal focuses on the usage of XMPP as the communications protocol for IoT devices.
The company cites the protocol's maturity, its successful implementations in all sorts of products and, of course, its support for lots and lots of security features.
"XMPP provides a solid, flexible foundation for security features," the company explains. "XMPP facilitates identity management, authentication, authorization, Off-the-Record Messaging (OTR), and encryption - including end-to-end encryption. These are essential as we develop secure IoT products."
"The security of the core XMPP protocol is essentially based on requiring use of the Transport Layer Security (TLS) and Simple Authentication and Security Layer (SASL). TLS provides confidentiality and integrity for data in transit. SASL provides an extensible framework for authenticating involved end parties and helps to protect against user spoofing, unauthorized usage, and man-in-the middle attacks," the company also adds.
The ability to deliver OTA updates is a must for securing IoT devices
Indeed, a very solid idea, but only that. It will take some more tests and prototypes before convincing manufacturers that this is a good idea.
According to Liviu Arsene, Senior E-threat Analyst at Bitdefender, there are other facets of IoT security that experts need to tackle outside authentication and client-server communications.
"Security researchers have not only found that some IoT device broadcast credentials or data in plain text, but also that they lack basic security best practices, such as hard-coded or no management passwords and even the lack of firmware updating mechanisms," Arsene says.
"While it’s great that there are initiatives that involve adding an encryption layer on top of machine-to-machine communication, there’s still much more to be done."
"For starters, removing remote SSH connections with hard-coded credentials would be considered not only good practice, but even mandatory," Arsene adds. "Having the ability to send OTA firmware updates patching critical vulnerabilities should also be mandatory."
"We’ve seen IoT devices that lack such things, meaning that once a vulnerability is found in one of them, there’s no way to fix or patch it throughout its entire lifetime," Arsene says. "This means that you’ll probably end up connecting a vulnerable smart device to your home network, without ever having the ability to secure it."
US and EU legislators slowly getting involved
Indeed, this is a troubling thought. IoT security is rotten to the bone, and it may be too late to fix it. Hardware makers, even if they don't publicly admit it, will put costs above everything else, and will change the way they build smart devices only if they have to.
A way to make these vendors invest in security is through legislation and industry standards, with the threat of financial penalties looming over their head.
The US Department of Homeland Security is currently working on a guideline for the Internet of Things, which hopefully will materialize into something more than just a "recommendation."
On the other side of the Atlantic, the EU is already way ahead of the US. The European Commission is reportedly working on a new labeling system for Internet-connected equipment, including IoT devices.
The Commission wants to use labels, or stickers, to inform the consumer of the device's safety level. The thinking behind this proposed legislation is to incentivise equipment manufacturers to strive to create safer products and be allowed to use a "higher class" sticker on their devices.
The MITRE IoT Challenge is looking for an IoT panacea
But initiatives to boost IoT security aren't coming from national agencies alone. The MITRE Corporation, a not-for-profit organization that manages the Common Vulnerabilities and Exposures (CVE) database, is also getting in on the act.
The organization is currently running a contest, called the IoT Challenge, that will award a $50,000 prize for ideas and technologies to secure the Internet of Things.
"We're looking for a simple, affordable solution to identify devices within an IoT network so rogue devices can be discovered," the contest rules read.
Akin to a bug bounty, this contest is looking for the solution, instead of the problem. Hunting for problems is easy. Finding solutions requires creativity and knowledge, not just automated testing tools, a bug hunter's favorite tools.
“The MITRE IoT Challenge is looking for the solution, not the problem”
"Events like the Mitre IoT Challenge are great for collecting new ideas on how to properly secure IoT devices, especially since there’s the remuneration incentive," Arsene explains. "However, knowing what needs to be done and actually implementing it are to separate things."
"Without manufacturers coming together - either under pressure from laws and legislation or other types of regulations - the chances of seeing these solutions broadly implemented are somewhat slim," he says.
"Security is often an optional feature in the development roadmap of IoT products and that needs to change. Since we’ve already seen what an IoT botnet can do - perform the largest DDoS attack to date - it’s probably time to do a lot more than just think of new and innovative ways of secure them, and actually get the ball rolling."