Author: FINAO Admin

Forget Back Doors – The IoT Makes it Just as Easy to Come Through the Front — Bastille


The alphabet soup of acronyms describing the coming connected world is a signal that it is time to brush up on your security lingo, because the world is changing. IoT, M2M and ICS devices introduce an incomprehensible expansion of exploitable attack surfaces. Historically, information security has been defined as a perimeter of security around your most valuable IT assets, with different layers of protection for the various areas of vulnerability. And while there is still a very healthy and innovative market for traditional information security, the ecosystem is changing and an increasing number of new threat vectors are being established. There was a time when security only needed to consider exposed web services as an attack vector. With the IoT, the attack surface expands beyond the web into hardware, multiple operating systems, multiple protocols and the cloud. Where there was one, now there are five…or more.

There are security companies that have introduced solutions to fix some of these gaps in protection. For hardware security, the market is steadily embracing MDM technologies. These smart operating systems with very clever agents allow organizations to secure data on mobile devices, remotely wipe them, and give individual access control to company assets. This seemingly convenient way to allow employees to use their own preferred devices has proven helpful; however, some Millennials in the workplace are beginning to object to the idea of “the man” having so much control over their personal devices. Just recently, a woman was fired for removing an app that tracked her whereabouts 24/7. The workforce management app seemed a little too “Big Brother”, which may well have corporations moving back to issuing company devices to employees. Of course, it doesn’t matter who owns the device – security at the device level still relies on an agent. As we move from a network of computers, tablets and smartphones towards a network of billions of connected “things”, installed agents simply can’t scale. The end result will be a multitude of unprotected “things”.

Protocols are also problematic…and profuse. There are more than 100 wireless protocols of the IoT that are invisible to the enterprise – even to those companies using the most sophisticated security measures. The tools and technologies being used today protect environments from wired and Wi-Fi threats; in a couple of years, these will be the least of your worries. An office building with 5,000 employees, each with a 20-40Mb/s LTE connection, essentially has a 10-20GB/s Internet connection that is completely invisible – and this is just when considering personal cell phones. Of greater concern are the smaller, more fragile protocols that exist in the enterprise and operate quietly without causing much anxiety. An example of this would be ZigBee. I have seen an engineer brick a ZigBee light bulb within minutes of unpacking it, simply by sending malformed packets. This would be the equivalent of opening a telnet connection to port 23 of a router, holding down CCCCCCCCCCCCCCCC, and the router being destroyed, with no chance of repair other than being sent back to the factory. I’m certainly not picking on ZigBee; it is just one example of the protocols that exist in the enterprise that could be vulnerable to basic attacks.
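The bulb in the anecdote above died because its firmware trusted whatever arrived over the air. The following is an added illustration (not Bastille's code and not a real ZigBee implementation) of the defensive side of that story: a naive frame parser that trusts a length field placed next to a strict one that validates every field before the device acts on it. The two-byte header layout, the 0x01 "set level" frame type and the MAX_PAYLOAD limit are all constructed for the example.

```python
"""Naive vs. strict parsing of a small radio frame (constructed example).

Hypothetical frame layout used here (not ZigBee's real framing):
  byte 0      : frame type (0x01 = "set level")
  byte 1      : declared payload length N
  bytes 2..   : N bytes of payload; payload[0] is the brightness level
"""
from dataclasses import dataclass

MAX_PAYLOAD = 16  # constructed limit for the hypothetical device


@dataclass
class Frame:
    frame_type: int
    payload: bytes


class MalformedFrame(ValueError):
    """Raised by the strict parser when a frame fails validation."""


def parse_naive(buf: bytes) -> Frame:
    """Trusts the length byte and never checks that the bytes exist.

    A short buffer silently yields a truncated payload, and an empty buffer
    indexes past the end before any logic runs. This is the pattern that
    lets a malformed packet take a device down."""
    n = buf[1]
    return Frame(buf[0], buf[2:2 + n])


def parse_strict(buf: bytes) -> Frame:
    """Validates header, frame type, declared length and actual length."""
    if len(buf) < 2:
        raise MalformedFrame("header truncated")
    frame_type, n = buf[0], buf[1]
    if frame_type != 0x01:
        raise MalformedFrame(f"unknown frame type {frame_type:#x}")
    if n > MAX_PAYLOAD:
        raise MalformedFrame(f"declared length {n} exceeds max {MAX_PAYLOAD}")
    if len(buf) != 2 + n:
        raise MalformedFrame(f"declared length {n} but {len(buf) - 2} bytes present")
    if n == 0:
        raise MalformedFrame("set-level frame needs at least one payload byte")
    return Frame(frame_type, bytes(buf[2:]))


def handle(buf: bytes, parser) -> str:
    """Run one frame through the hypothetical device's set-level handler.

    Returns a short status string so the outcome of each parser can be
    compared: 'ok:...', 'rejected:...' (strict parser refused the frame) or
    'crashed:...' (an unhandled exception, the software analogue of the
    bricked bulb)."""
    try:
        frame = parser(buf)
        level = frame.payload[0]  # the naive parser can hand us an empty payload
        return f"ok:level={level}"
    except MalformedFrame as exc:
        return f"rejected:{exc}"
    except Exception as exc:
        return f"crashed:{type(exc).__name__}"


if __name__ == "__main__":
    # Constructed sample frames: one well formed, two malformed.
    for sample in (b"\x01\x01\x7f", b"\x01\x05", b""):
        print(sample.hex() or "<empty>",
              "naive ->", handle(sample, parse_naive),
              "| strict ->", handle(sample, parse_strict))
```

The well-formed frame succeeds under both parsers; the frame that declares five payload bytes but carries none crashes the naive handler and is rejected with a reason by the strict one. Rejecting and logging a malformed frame is the behaviour a defender wants from a constrained device: the radio stays up and the event becomes a detectable signal rather than a dead bulb.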

In another example of IoT vulnerability, our R&D teams analyzed an IoT deadbolt lock. We were surprised to find many more doors into the product (no pun intended) than we expected. When we decompiled both the Android and iOS versions of the management software for the device, we discovered that these were clearly developed by several different teams and it appeared that the testing was done on individual pieces of the product, but a full code audit wasn’t done on the product as a whole. This meant we could use the app to access not just the hardware, but also the manufacturers’ servers. As more companies outsource development of various product layers, the attack surface will continue to expand.

In the examples I’ve talked about, it’s clear that there is still work to be done with IoT hardware, applications and protocols. But perhaps what will be most paramount to IoT success is the cloud. I have a startup, and we don’t own a single server; there is no need to in 2015. IoT devices don’t need a server; they communicate through a gateway or, as in my prior reference, through a mobile application. IoT devices will pair, provision and license through the cloud. When credentials or other key security parameters can be extracted wirelessly through packet sniffing, or through the unbelievably common practice of hard-coding credentials into mobile apps, the provisioning of these devices can be compromised. Just ask any of the Snappening victims how much devastation can be done by neglecting basic encryption.
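The deadbolt analysis above started by decompiling the vendor's apps, and the paragraph above names hard-coded credentials as an unbelievably common finding. As an added example (not Bastille's tooling), here is the kind of check a product security team can run over the string table of a decompiled app before release: a small scanner that flags credentials embedded in URLs, keyword-style secret assignments and AWS-format access key IDs. The input strings are constructed stand-ins for decompiler output; the hostnames use the reserved `.invalid` TLD and the AKIA value is the placeholder key from AWS's own documentation.

```python
"""Flag hard-coded credentials in decompiled app strings (constructed example)."""
import math
import re

# Constructed stand-in for the string table a decompiler would produce for a
# device-management app. Every value here is made up for the example.
CONSTRUCTED_STRINGS = [
    "https://api.example-lock.invalid/v1/devices",
    "Lock/Unlock",
    'admin_password = "Sup3rS3cret!"',
    "https://svc:hunter2@cloud.example-lock.invalid/provision",
    "AKIAIOSFODNN7EXAMPLE",
    "Connecting...",
    "vendorToken: ZmFrZXRva2VuMTIzNDU2Nzg5MA==",
]

# Each pattern names one way credentials end up baked into an app binary.
PATTERNS = {
    # user:pass@ embedded in a URL
    "basic-auth-url": re.compile(r"https?://[^/\s:@]+:[^/\s:@]+@"),
    # password = "...", apiKey: ..., token=...
    "keyword-assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]?([^'\"\s]{6,})"
    ),
    # AWS access key ID format: AKIA followed by 16 upper-case alphanumerics
    "aws-access-key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score high, prose low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


def redact(value: str, keep: int = 4) -> str:
    """Show only a prefix so findings can be reported without leaking the secret."""
    return value[:keep] + "*" * max(0, len(value) - keep)


def scan(strings):
    """Return one finding per pattern match: line index, kind, redacted match, entropy."""
    findings = []
    for line_no, text in enumerate(strings):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                # For keyword assignments the secret is the captured value;
                # for the other kinds the whole match is the sensitive token.
                secret = m.group(2) if kind == "keyword-assignment" else m.group(0)
                findings.append({
                    "line": line_no,
                    "kind": kind,
                    "match": redact(secret),
                    "entropy": round(shannon_entropy(secret), 2),
                })
    return findings


if __name__ == "__main__":
    for f in scan(CONSTRUCTED_STRINGS):
        print(f"line {f['line']:>3}  {f['kind']:<20} {f['match']:<32} entropy={f['entropy']}")
```

Run against the constructed strings, the scanner reports four findings on four different lines and nothing for the plain UI text or the credential-free API URL. In a real pipeline the string table comes from a decompiler and the findings gate the build; the entropy column helps triage keyword matches that are really placeholders or labels rather than secrets.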

What does this mean for you? We are all in a Brave New World when it comes to security and the IoT. We are surrounded by blind spots that have the potential to be seen by the bad guys before the rest of us. For Information Security professionals, it’s imperative that you prepare for intrusions to come from multiple angles.


Top 10 Internet of Things Tweets at RSA 2015

It’s been a great two days of information sessions and expo mingling at the 2015 RSA Conference (#RSAC) in San Francisco. In conjunction with our first birthday, Bastille is debuting at RSA in booth S2426, and demo’ing our IoT security solution for the 30,000 security professionals in attendance. The trade show isn’t nearly over, but one thing is clear – IoT is hot. An RSA spokesperson acknowledged that speaking submissions for IoT-related topics were up 450% compared to last year; and Twitter has been a-buzz with IoT chatter.

Without further ado, here are our Top 10 IoT Tweets from RSA 2015 (so far):

(Tweets 10 through 1 were embedded as Twitter widgets and are not included in this copy.)


How the IoT Has Invaded My Life

It is impossible to create a usable environment that is 100% free from risk. Whether in your home or business, the cost of embracing technology is accepting some risk via new IT services. The more services in use, the more vectors are created for bad guys to exploit.

The corporate computing environment is incredibly complex. Think about what it takes to service tens of thousands of workstations and servers. It involves layer upon layer of infrastructure such as routers/switches, core services such as service directories (DNS/LDAP/Active Directory), and ingress/egress technologies such as proxies and firewalls. Each of these layers requires dedicated experts to manage and deploy, but the mitigation of risk created by these layers is the job of the lonely and often understaffed InfoSec group.

Now consider a much simpler environment, the common home. Most people do a pretty good job of locking their doors and windows to create some barrier to entry. But as they add more technology to their home, they too are increasing their risk. As I look at my own environment, I see a multitude of vectors that have been created by various Internet of Things (IoT) devices:

  • A wireless security system that runs over Bluetooth and Wi-Fi, can be armed/disarmed from a mobile phone, and sends alerts before the police arrive.
  • Wireless cameras connected to the cloud.
  • Yard controls that allow me to turn my heater, lighting, and irrigation on/off via a proprietary wireless transmitter connected to the cloud.
  • TVs and Roku/Chromecast-like devices that connect via Bluetooth and Wi-Fi to create their own networks in order to share content.
  • Wearables have invaded my home. Three family members now monitor their vitals with FitBit, iHealth and other products, each transmitting sensitive data to the cloud.
  • We are even tracking how we dribble basketballs and kick soccer balls, since Santa brought my kids the latest IoT-enabled sporting toys.
  • One family member recently had a wireless heart monitor surgically installed that uploads vitals to a web site for their doctor to view.
  • We have about a dozen smartphones, tablets, and laptops constantly connected and getting infected by malware.

Think for a minute how my once secure home has been opened by this new era of IoT connectivity. We already know that wireless home security is vulnerable to hacks. By connecting household controls, I’m – at minimum – opening myself up to allowing outsiders to see my daily habits, ultimately being able to profile my comings and goings.

Having been previously tasked with securing a Fortune 100 infrastructure, risk is constantly on my mind, and I am waging a friendly battle with family members to walk the line between security and convenience, urging them to turn off services that are not needed, change passwords, etc. I try to put our mobile devices on a separate network so my personal files are not easily exposed. But while I know the risks given my profession, many other families are oblivious to the tradeoff between the conveniences of connectivity and safety.

Companies may not have had an influx of IoT into their environment at the same pace as I have witnessed it in my own world, but it is like a freight train barreling towards them. The same technologies that have enabled my personal world to be more connected and useful are quickly being positioned for use in the enterprise. Employees are bringing new devices in en masse. Departments are looking to manage infrastructure with new sensors and controls. The major industrial control manufacturers and integrators such as Honeywell, Emerson, Schneider Electric, Siemens, GE, Tyco, etc. are touting how they have embraced the IoT. The time is now to start thinking about how to embrace the IoT in the environment by surrounding it with security.


FTC Report on IoT: The Debate over Opportunity, Liability, and Privacy

Over the weekend, I combed through the FTC’s recent report – all 71 pages – on the Internet of Things (IoT), entitled “The Internet of Things – Privacy and Security in a Connected World.”

Everything that I had previously read online about the report didn’t reveal anything novel about IoT that I had not already heard – or said myself. But since it took the FTC over a year to produce, I thought a close inspection of the report was warranted. Surely there would be some nuggets of substantive information lodged within six-dozen pages of bureaucratic conjecture, right?

Luckily for me, Ofcom, the communications regulator in the UK, also released a similar report just days before the FTC, which I also worked through for comparison purposes. In the end, neither report, by and large, produced any earth-shattering revelations or actionable advice. Neither was much more than a situation analysis at best.

Nonetheless, there are four key takeaways central to the report worth discussion.

Key Takeaway #1: IoT Holds Promise

In what comes as no surprise to the IoT enthusiast, both reports proclaim healthcare to be the industry that stands to benefit the most from IoT, mainly through embedded devices. The idea of instant, data-driven reporting to doctors will provide a huge leap forward in the treatment of chronic conditions, like diabetes. The idea that people will no longer have to rely solely on patient reporting means that healthcare treatments can become more timely and accurate, potentially yielding a significant improvement in patient healthcare and a cost savings for doctors, hospitals and pharmaceutical companies. Both reports also speculate that transportation and energy will be the secondary industries to see the most benefit from IoT. We already know this to be true, as major enterprises like GE and AT&T are steadily driving Machine-to-Machine (M2M) innovations, also referred to as the “Industrial Internet of Things.”

Additionally, we’re already witnessing rapid adoption of any and all IoT by consumers. In fact, IoT is exploding so rapidly that Gartner expects there to be a quarter billion connected cars by 2020! Other devices, such as Smart TVs, IoT fitness bands and digital thermostats like NEST, are also gaining popularity en masse.

But as the FTC appropriately states, the one barrier to IoT reaching its mass-market potential is the degree to which vendors succeed in establishing consumer trust. Ultimately, if people don’t feel safe with the constant communication of IoT devices, adoption will suffer. Whether he or she is a CIO that is leery of a new industrial control system, or a consumer worried about their healthcare data being compromised, IoT vendors must continue to make strides that reinforce consumer confidence in their products.

Key Takeaway #2: Developer Liability is Minimal at Best

Both the FTC and Ofcom strongly recommend that IoT device manufacturers start producing devices with “security by design,” meaning that security must be considered at the onset of product development.

However, in somewhat of a contradiction to this recommendation, the FTC openly questions whether or not device manufacturers actually have the security experience and expertise to really ensure that products coming to market are safe. The FTC also cautions that many devices are inexpensive or “disposable,” essentially calling into question whether the threat assessment and internal productivity outweigh any reward of consistently patching new attack vectors each time one is discovered.

As you might suspect, billions of connected devices have increased the attack surface exponentially. In fact, 2014 was referred to as “the year of the hacker” by multiple news outlets. But what many people don’t know is that the Home Depot and Target breaches are actually the result of exploited IoT within the enterprise. Of course, there were also notable IoT breaches of consumer devices in 2014; German researchers, for example, were able to hack a smart meter to determine what TV shows you watch. Hackers even heckled a toddler through a baby monitor, and a third-party app proved to be a playground for misuse.

One of the most critical discussion points left out of the FTC paper, but highlighted in the Ofcom paper, was the IoT communication infrastructure. IoT devices are currently operating on a broad range of the RF spectrum. While the report noted that availability would not be a barrier to the success of the IoT, it did bring up the long-term viability of available bands. The same holds true for network availability for all of the millions – potentially billions – of devices in our future.

Simply put, enterprise security and detection for devices that operate on the wireless spectrum outside of Wi-Fi is non-existent, making corporations highly susceptible to increasingly sophisticated adversaries with tangible motives.

In my opinion, both reports were void, probably intentionally so, of actionable advice, reinforcing my belief that we’re still charting new territory. The truth is simply that none of us, including the FTC, fully know or understand the extent to which the unintended consequences of IoT will rear their ugly heads. That’s probably why the FTC also decided that any government regulation at this point could stifle innovation more than ease consumer concerns. So, Americans will still be faced with a buyer-beware scenario, at least in the short term.

Key Takeaway #3: The Parable of Privacy – IoT is all about Data

The word parable is often used to describe a story intended to teach a lesson. Perhaps the greatest lesson we have yet to learn is how to truly protect our data. As the IoT ushers in modern conveniences like not having to call our doctors to report pacemaker information and provides us with the ability to access enterprise control systems remotely – the real value for adversaries will reside in the data that is being collected and if they are successful at manipulating it to meet their purpose.

In a sense, IoT devices are really just a courier for data flow, allowing us to analyze trends and, ultimately, make more informed decisions about our lives and our businesses. In order for this to happen, however, we must not only agree to give up our data, but also allow it to be transmitted to our vendors – and potentially their vendors – so that in turn, we can access actionable insights into our performance. But, how much of our data should be up for grabs?

Data privacy was one of the most contentious issues addressed in the FTC’s report. Device manufacturers are looking to harvest as much data as they can, seeing infinite possibilities for future product enhancements and offerings. However, the FTC warns that any accumulation of data only serves to make companies and consumers more attractive to criminals that want to misuse it.

The FTC thus recommends data limitation – only collecting what is necessary and destroying data after it’s needed; in addition to plainspoken privacy statements and opt-in abilities for consumers to choose what they share. Of course, we encounter so many of these lengthy documents (averaging around 2,500 words) each year that we rarely have the time to read them. But as long as consumers are willing to give up everything in the name of convenience, which many Millennials have proven they will, IoT device manufacturers will continue to collect all available information to profit off your patterns in the future.

As the entirety of the IoT market now hinges on consumer adoption driven by trust, it’s probable that manufacturers will advance their focus on security to some extent, just like the FTC recommends.

Key Takeaway #4: Prepare for the Debate to Continue

I found it both interesting and also annoying that the FTC used the word ‘reasonable’ 32 times, calling on IoT providers to implement “reasonable security,” meet “reasonable privacy expectations,” and offer “reasonable data protection” for IoT devices. The use of this subjective adjective ensures that the conversation around what is reasonable will continue.

The FTC report, in large part, is nothing more than a starting point for a debate on IoT and the security concerns it creates. Those of us in the industry likely read the report and were disappointed or surprised by its actual content. But in hindsight, what exactly should have been expected? It’s likely that we’ll need to see more substantial breaches from the IoT before we ever get a clear definition of what’s reasonable in our connected world. It’s something that we all must consider, individually and as businesses: what exactly constitutes reasonable risk for the rewards of technology.


Five Ways IoT Will Impact Your Business This Year

The Internet of Things has gained historic momentum and exposure since the last quarter of 2014. No longer are there differing opinions around viability – general consensus is that IoT is here to stay. Beyond staying power is the staggering amount of growth that is expected in the coming years. If you follow IoT, which you likely do if you’re reading this blog, I’ll just simply reiterate that there will be TENS OF BILLIONS of devices in a market worth TRILLIONS of dollars in the next five years.

But, what about this year? There are five ways that IoT will impact every organization before the year is over.

Network Bandwidth – Gartner predicts that the average enterprise network will see 28% compound annual growth in bandwidth through 2017 – a demand nearly 20 times larger than what was required in 2012. IDC predicts that by the same year, networks will go from having a surplus to being constrained, forecasting that 10% of companies will be overwhelmed. Bottom line, your pipeline is already handling more than imagined with video and application demand; now imagine putting a funnel on it to bring in even more traffic from RF-connected devices. This could disrupt business continuity and should be addressed and budgeted for in the short term. Consider also the incredible network bandwidth 4G/LTE devices bring into the enterprise. I typically carry an iPad and iPhone, laptop, FitBit, and Bluetooth headset. My 2 LTE devices have about 20Mb/s of bandwidth apiece. In a building with 5,000 employees you are talking about 100Gb of potential outbound data leakage via RF.

Data Risks – Big data just got bigger. Corporations looking to connect devices to the Internet and harvest the data will have to consider what pieces of information are really valuable. This will usher in a new need for analysis, storage, and security. For instance, if your HVAC system collects operational data, do you need to analyze all of it, or just your data centers and other high-consumption areas? It remains to be seen just what the impact will be of having so much data once the enterprise looks beyond its industrial infrastructure. Wearables and BYOD devices, whether company issued or brought in by gadget junkies, will mean a steady increase of data moving on the corporate network. Some of this data will contain sensitive information that, if intercepted, could lead to embarrassment or financial loss. Bottom line, corporations must plan for data implications – storage, analysis and not becoming the next Sony.

New Threat Vectors – The news isn’t good, folks. Retail was hit the hardest in 2014, costing Target and Home Depot millions, and healthcare is predicted to claim the top spot for data breaches in 2015. With embedded devices and decentralized mobile computing transforming patient health and reducing costs, it’s not surprising that hospitals and medical devices would be prime targets for exploitation. But, the reality is that every connected device presents an opportunity for misuse. Hackers will seek to exploit insufficient security in rushed-to-market products to steal data or spread malware. Corporations and consumers alike should get used to this ‘Brave New World’ where we gladly forfeit security for convenience and efficiency. The mesh foundation of protocols and platforms will just prove to be more opportunity for the bad guys. It will be very important for organizations to know their traffic patterns and be able to quickly react to anomalies. The average breach takes months to discover – and this survey shows that it could be, in part, due to only 20% of companies continuously monitoring their traffic.

Patches – IoT sensors are small and dispersed by design, which is what allows them to spread far and wide like little data-collecting honeybees. This compact nature is great for gathering lots of data and intelligence, but it also means that IoT sensor computing power (which affects battery life) must also be small. Because of this, over-the-air updates are challenging and patches on many IoT devices must be done manually. Unfortunately, when updates require human intervention, there is not only a drain on resources but also an additional layer to consider in patch management policies. The enterprise struggles to keep up with patching today, but in 2020 we are talking about TRILLIONS of patches a year; entrepreneurs note, there’s probably a new startup there: ‘GigaPatch’.

Dark IoT – There has been a lot of media around the dark web lately with the prosecution of the founder of Silk Road, a marketplace for just about anything illegal or immoral. The truth is that Silk Road and its variations are just people using the Internet for bad, just as hackers have used exploits for harm. With all good comes some bad, and this is true for IoT. The promise of efficiency, cost savings, and increased convenience also brings forth the prospect of harmful IoT products. For less than $100 you can get an IoT keystroke logger (cleverly disguised as a phone charger) to record the typing from wireless keyboards. This is just the beginning of embedded devices being used as vehicles for wrongdoing.


As Data Proliferates in the IoT, So Does Risk

Consumers don’t read privacy policies. While this isn’t news, a recent PEW Research survey showed that more than half of Americans don’t even know what a privacy policy really is. Many consumers cite the length of privacy policies as a reason for not being informed, but few realize the implications that could result from this negligence.

So how much do people really understand about what it is that they’re giving up when they buy an Internet connected device? Take, for instance, “smart” TVs. These televisions take home entertainment to the next level, giving owners not just amazing visuals, but also the ability to use things like voice recognition to change the channel or turn up the volume. This seems like a revolution for those of us that seem to always be misplacing the remote, but there is a down side to being able to talk to your TV.

We dug into one popular manufacturer’s privacy policy and we were alarmed at what we saw. According to the Samsung Smart TV Addendum in their privacy policy, Samsung may send your voice data “to a third-party service that converts speech to text”. This seems innocuous enough; after all, we are accustomed to applications using our historical preferences to serve up more relevant ads and information. However, Samsung’s policy goes on to read, “please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”

Wait a minute. I’m okay with Samsung knowing that I spent the weekend catching up on Homeland, but capturing personal conversations that I have in the comfort of my living room? This is a true invasion of our most intimate spaces and cannot be tolerated.

While it may seem I’m picking on Samsung, I actually applaud them for being so plainspoken (I bet they pick a sneakier law firm for their next EULA). Most of the other electronics companies make their privacy policies so complicated you need a lawyer to make sense of them. For those that don’t require you to have a JD to understand them, they’re so vague and ambiguous that it’s almost a waste of time to read. And time is another factor dissuading consumers from being informed. The average privacy policy takes 10 minutes to read. And, the average American encounters nearly 1,500 of these policies per year!

Many of us are okay with releasing some of our private habits to our technology provider; after all it’s much better to be served advertisements for things we actually want. But having our personal conversations analyzed so that corporations know about our most intimate affairs is going too far. Imagine that you’re discussing your upcoming surgery over a meal and you turn on your TV to be greeted with an ad for life insurance.

When Privacy Becomes Security

Samsung is transmitting your data through pretty normal means, the Internet, either wired or wireless, protected by your ISP. But “smart devices” are becoming the norm and many of these are designed to go with you. As such, battery life is a concern. To address that, manufacturers are relying on newer protocols such as Bluetooth LE (low energy) and ZigBee. In turn, these protocols create a personal area network (PAN), which allows each person to use a mobile device as a networking hub. What you end up with is a lot of data transmitting across a lot of devices using a lot of different protocols.

And…lots of opportunity for that data to be intercepted.

The World Economic Forum released its Global Risk Report, which states that IoT hacking is ‘very likely’ and points out that today’s Internet infrastructure was simply not created to handle this kind of flood of new devices. CES2015 also reinforced this sentiment, with FTC chairwoman Edith Ramirez warning that attackers could “access and misuse personal information collected and transmitted by [IoT] devices.” While Smart TVs have access to a fairly safe means of transmission via Wi-Fi or hard-wired Ethernet, the market for IoT devices is growing by the day. These devices have equally loose privacy policies and are constantly sharing data between devices and apps; all of this activity is putting data at risk of exploitation.

Another example of this data dragnet is Uber, the car service that has made transportation a socially connected service. No more hailing a cab; now you simply request an Uber driver from your phone. Uber made the news late last year for its questionable data collection. While, sure, it needs your geolocation to send a car, it also takes the opportunity to look at your contacts, your geolocation history, what apps you have installed – even your neighbor’s Wi-Fi information. The list is endless and has nothing to do with a car service. It’s clear that data is a secondary business for Uber. And, looking at their privacy policy – which you must agree to in order to use the service – they are able to share it. This means your data drifting around the Internet to third parties that may “perform other administrative services”. Whatever the hell that means.

For certain, data analytics is big business. But, this is your data that is flying around out there. As it makes its stops between your service provider and whatever third, fourth, or fifth parties they’re sending it to, this data has more opportunity than ever to be intercepted and captured, or for your personal area network devices to be compromised.

Read your privacy policies. It will be up to each of us to determine what we’re willing to give up in the name of modern convenience.


Ready or Not, IoT is Coming: 2015’s IoT Report Card

The Internet of Things seems to be an unavoidable force these days – from rabid investment news to stealing the show at this year’s CES show, Internet enabled devices are emerging in 2015. Ready or not, the Internet of Things is coming, and maybe it’s arguable that it’s already here. So, in this blog, I decided to explore just that – what’s ready and what’s not when it comes to IoT.

Consumer Adoption – A+

Consumers are wild for Internet-connected devices. We’ll have 75 billion Internet devices connected by 2020, though some firms put that number much higher. IoT dominated this year’s CES show: everything from fitness to light bulbs and home automation. Wearable technology is predicted to be a $90B market by 2025. And, even if consumers don’t openly embrace it, improved healthcare may push them to plug in, offering embedded devices in everything from pacemakers to insulin pumps.

Device Manufacturing and Innovation – A

Massive numbers of IoT devices are coming to market at a rate we haven’t seen since the first technology bubble in the late 90’s. Not since the flat screen TV was released have we seen manufacturers competing to come up with the newest consumer must-have. Of course, the real revolution is happening behind the scenes. Industries like manufacturing and supply chain are making huge leaps in operational efficiency by leveraging smart machinery and analyzing the data it produces to cut costs.

Usefulness – B

Admittedly, there are a lot of really cool things coming from the IoT. Many provide life-changing improvements; self-parking cars, industrial automation, and embedded healthcare not only enhance our lives, but have the potential to fundamentally advance the way we live and communicate with our world. Of course, there are also some pretty ridiculous things that have decided to covet our bandwidth, like the EggMinder, which lets you know if you’re low on eggs. Convenient? Perhaps. But this one isn’t going to make a huge difference in your quality of life. We’ll give it a B+ when my fridge starts being able to order my meal plan ingredients for delivery via InstaCart.

By now, you might be thinking that the Internet of Things has a pretty good report card, but there’s still a lot of maturing to do. In fact, the newness and shine of IoT devices and their cool new tricks have meant that many haven’t taken the time to really look under the hood yet. If you did, you’d discover that in some areas, IoT is still an all-out fail.

Interoperability – C

Plenty of companies are coming out with platforms for IoT development, which means great innovation but more problematic integration. Combine this with the numerous communication protocols that devices are using and you can see that any hope of standardization is still in the Dark Ages. The good news is that this tangled web of development is offering big promise for IoT data analytics, which is predicted to be a nearly $6 billion market this year. IoT is riding on a half dozen protocols today, and new ‘standards’ are being proposed quarterly. This needs to be dialed in before there is any reasonable interoperability. Ever try to connect Banyan Vines, Sun NIS and Novell Netware? Ain’t happening.

Privacy – D

Many device companies are intentionally loose with their privacy policies. In a recent blog, I explored the numerous ways that device manufacturers are using your personal data – in essence, making you the product. This may seem harmless on the surface, but IoT device users are still not reading privacy policies and are sharing way too much information. And we’re not limiting our disclosure of personal information to the device companies we buy from; we are also giving it to third party applications. This recent Gigaom article dives into the topic in more depth, but everyone is going to have to agree that privacy should be a fundamental component of IoT, and consumers will need to demand that device manufacturers and app developers treat their data as critical and personal information. Consumers will demand an option for micropayments to keep their data to themselves; they will happily pay for whole grain bread at Whole Foods versus a loaf of white Wonder bread at the local supermarket.

Security – F

Big. Fat. Fail. It looks like Internet security in 1994. The rush to market has definitely shown that security in IoT devices is an afterthought at best. The 2014 Snapchat hack illustrated that application providers are just careless with your sensitive information. Minimal encryption and generic liability waivers are dangerous for users and irresponsible of developers. What we’re left with is a pervasive landscape of Internet-enabled devices entering our personal and corporate networks. The numerous protocols mean that they can operate virtually undetected. The potential for malicious activity via IoT devices is just now being explored, but the fear is that it will take a massive attack before IoT security gets the attention it needs and devices start being developed with security first in mind.

There is always a good, bad and ugly to emerging technology, and the Internet of Things is certainly in its infancy. The struggle is in the speed at which these things grow in today’s world and what corners are cut to satisfy a seemingly insatiable market. Since adoption is strong, it’s likely going to take the user community to push for improvements in areas where IoT is still falling short.

There is a silver lining: IoT manufacturers are building, deploying and selling. We are consuming things that would have been considered science fiction 20 years ago. In parallel with this enormous trend, there are immense opportunities for security innovators to invent new technologies to keep our corporations, and our intimate spaces including our homes, cars and bodies, safe and secure.

Insecurity Looms for One Billion Android Users — Bastille

Nearly a billion Android users are more vulnerable today than they were yesterday. Google has casually discontinued support for its WebView tool for Android users that haven’t yet upgraded to KitKat version 4.4. According to Google, nearly 60% of Android users will be left in the lurch when it comes to safety on their Android devices.

In lieu of support, Google will consider releasing patches that are discovered – and fixed – by the user community. This move by Google only adds to the growing conversation on exactly where Google stands on vulnerability assessment. Over the weekend, Google decided to release details of a Microsoft vulnerability that was scheduled to be patched just a few days later, bringing into question Google’s interest in the technology user community as a whole. So, Google is paying researchers to find vulnerabilities in competitors’ products, but doesn’t want to pay researchers to find and fix problems in its own operating system.

While we can speculate as to the reason for Google’s recent laissez-faire security posture, the answer may be in hardware sales. The discontinuation of support for pre-KitKat devices may mean that Android users will be forced to adopt Android’s poorly received Lollipop OS. This could carry a hefty price tag, since so many devices haven’t been part of the rollout…yet.

In contrast to Google, Windows 8 was released in 2012 and will have extended support through 2023, and Ubuntu recently sunset v12 while offering extended support for five years. It comes down to lifecycle management and customer service. Frankly, a 2-3 year support lifecycle is dangerous for consumers, app vendors and IT staff that support infrastructure that communicates with these devices.

Of course, having nearly a billion vulnerable devices roaming around the world isn’t just dangerous for device owners. These exposed and defenseless phones are connecting to networks as part of the growing Internet of Things. Recently, InfoWorld was so bold as to make the statement that “Android will power the IoT”. And perhaps that’s true, since the Android marketplace already boasts nearly a million applications in the Google Play store and developers are always willing to embrace open source for its flexibility and agility.

With non-linear growth expected over the next several years in the IoT, and multiple vendors vying to be the embedded operating system driving that growth, long-term support and security are paramount. Google will need a friendlier strategy for users and partners than leaving them in the dust every few years.

2015 CES International Review – Where’s the Security? — Bastille

This year’s Consumer Electronics Show (CES) surely didn’t disappoint. And while the car stereo systems and massage chairs lurked in the cheap seats, front and center were over 900 companies demonstrating thousands of new Internet-connected devices that will be flooding the market this year. Quite honestly, CES was all about the Internet of Things. Lots, and lots, and lots of things.

The bulk of the things were part of the “connected” or “smart” home. There were impressive displays from ADT, Honeywell, Kwikset and even Lowe’s hardware (we’re guessing that Home Depot’s absence was for security perfection). And while these companies had lots of shiny new toys to show off, the IoT sessions at CES were all about 2015 being ‘The Year of the Smart Home Hack’. These sessions elevated the questions around how these smarter homes will be maintained. Who is going to manage and patch your 12 smart locks, 42 light controls, 8 video cameras, and 3 thermostats? Since the average netizen can’t manage to come up with a secure password, it’s unlikely they’ll keep up with all of these firmware updates. Result? Vulnerable homes. While I don’t see the smart home being hacked per se, I can see PC-based malware collecting or compromising IoT sensors in the home and workplace, as well as self-propagating malcode. A 100Gbps DDOS launched from IoT devices was observed on 12/31.

CES definitely confirmed that security is an afterthought not just for device owners, but for their manufacturers as well. In fact, there was only one dedicated security and privacy session, led by FTC Chairwoman Ramirez, but across many IoT sessions security concerns were top of mind. Q&A sessions were dominated by security concerns. Encryption and security in product design were encouraged to avoid the recent breaches experienced by apps like SnapChat and Yik Yak, though there was a clear absence of security assessment or mitigation in IoT.

Also on display at CES were new wireless protocols. While the old faithfuls like Wi-Fi and Bluetooth remained the Belles of the Ball, ZigBee, Z-Wave, and EnOcean made their debut as key IoT protocols. This is foreign territory to the majority of IT staff, and it will be critical for them to get up to speed, or at a minimum, come up with a way to see these protocols when devices using them try to access the networks. Of interest is the amount of security and automation riding on these protocols; it remains to be seen who keeps Z-Wave and ZigBee secure.

And finally, least impressively, consumers love electronic knockoffs. As I dug into the little Chinese manufacturer booths, I found many little devices that looked identical to Fitbits, smart watches, etc., just waiting to jump on a market looking for a good deal. And just like the cheap, vulnerable Android tablets that hit the market in 2014, I expect 2015 will be the year of the knockoff wearable. Just as you can buy a cheap Rolex in Chinatown or a Louis Vuitton bag for $100 in Times Square, you get what you pay for, and these devices will have more security vulnerabilities than their pricier counterparts. I predict a huge market for counterfeit wearables over the next few years.

So, to summarize. Lots of gadgets. Lots of walking (just ask my FitBit). Lots of room for both the good and the bad guys to get in the Internet of Things game.

The Platform Pandemic — Bastille

This week we saw two new platforms for the Internet of Things emerge, the most notable from microchip heavy hitter Intel. Of course, this is just this week. There have probably been a dozen or more new IoT platform announcements in the last month, and the number coming to market is steadily increasing. Postscapes offers a fairly comprehensive list here. While the battle is on to see who will win the title of Supreme IoT Platform Provider, one thing is certain – this plethora of platforms is a security nightmare.

Much like the early days of networking, multiple protocols (think IPX, IP, Banyan Vines) and platforms usually spell mayhem for users and security professionals alike. Instead of leveraging a common language or foundation, everyone is building their IoT devices with their own future in mind. While some of the larger players are coming out swinging with solutions on the device and the platform side, for the most part there hasn’t been much interest in playing nicely with each other.

Printers are a great example: the lowest common denominator workhorse of the office has to speak up to a dozen protocols, and whenever someone bothers to look, they tend to find vulnerabilities quite easily. There’s a good story about them here.

One of the reasons that IoT has become such a big deal this year is the overwhelming ease with which sensor technology can collect and transmit data. Companies seem to be focused more on how to collect and profit from this data than on how to secure it. Of course, right now, it doesn’t seem like too many people are worried about security or standardization. In fact, the only folks that seem to be concerned with IoT data breaches are in the government…and maybe Sony.

Of course, most of the platforms coming to market are offering all kinds of promises: middleware for edge management, fancy consoles for traffic monitoring and APIs for integration. So, the race is on for best in breed. My bet is on the vendors that focus on functionality and low power consumption, and ignore security.