IoT – A Nightmare in Progress, Part 1
Veridium Author | February 9, 2016
Many people are embracing the Internet of Things (IoT) as an amazing way to simplify the way they live their lives. Smart devices can automate many basic tasks, freeing up time, and sometimes money. However, there is a fatal flaw in standard IoT setups that could put those people utilizing them at risk.
IoT is, essentially, a network consisting of embedded computers, sensors, electronics, and other “things” that have wireless connectivity. These devices form a network, allowing them to exchange data with each other and external systems, such as servers, mobile devices, personal computers, smart watches, and much more.
This technological boom may be just beginning, but it is arriving in force. The Internet has made information available to the masses, and smartphones have made access to that information nearly instantaneous from anywhere on the planet. Now, with the ability to create ultra-small computing devices, these technologies can be connected to the Internet to exchange data with each other in a single location, or as part of a global network.
One example of the proliferation of this technology is the emergence of the home automation sector. Manufacturers and homeowners are attempting to create a “smart home” – a completely connected living environment, where everything is digital, wireless, and controlled by an app on a smartphone.
Home automation consists of a series of connected devices. Smart thermostats, fire alarms, and CO detectors can sync a home’s environmental controls when paired with a connected camera. This way you can, for example, program your smart thermostat to automatically lower the temperature when the camera detects you leaving the house for the day, or even set your security system to automatically click on.
Furthermore, all of these devices produce data, which can be tracked and analyzed. Data about what happens in people’s homes can be utilized in critical ways. Everything from average temperature, noise levels, lighting levels, and barometric pressure could be utilized to improve utility planning and cost of living.
IoT can go far beyond the home though. It also includes bioware, such as heart monitoring implants. Your home automation system could also monitor your pacemaker or your hearing aids, allowing you to track battery life or receive alerts if your heartbeat becomes irregular. These connected devices are already starting to appear on the market, as manufacturers create any type of hardware we can imagine.
While this technology shows true promise, it isn’t without risk. The problem is that these devices are often created with limited care for security or privacy, and a hacker in a foreign country could potentially access your personal network of things and take over your entire life. They could hold your house, or even worse, your heart, hostage until you pay a ransom. Consider the possible cryptoware of the future: Hack a pacemaker and demand a payment, or you die. These scenarios are already starting to occur as more devices become connected to the IoT every day.
However, as frightening as this may sound, there is at least one technology on the market today that is developing an architecture and framework to help protect connected devices. By using the BOPS standard, individuals can further connect their devices to their identities. This would make it nearly impossible for a remote hacker to gain control over their personal network.
This means that everyday usage, device modification, device enrollment, and de-enrollment would all be governed by the BOPS framework. Your personal identity, established through one or more biometric modalities such as face, iris, voice, or fingerprint, ensures that only you can access your devices and their associated data.
Current Problems in the Land of IoT
Today, there are a handful of problems in IoT adoption and implementation, including:
Usernames and Passwords:
- Most IoT home automation devices rely on a username and password-based security system.
- There is no two-factor authentication for most systems.
- Many people allow OAuth-type logins on mobile devices (e.g. login using Facebook).
- OAuth and OAuth2 have poor security and a large attack surface.
- Once you are logged into the app, it generally stays logged in.
- If you lose your phone, you lose your access to the system.
- Hackers have already used smartphones to hack connected cars and houses.
- Not all passivated data (data at rest) in some apps is encrypted. Some information is stored as plain text.
Tokens and Certificates:
- Tokens can be forged or stolen and emulated elsewhere.
- Not all systems rely on TLS, and some send data using HTTP. All connections should use two-way SSL certificates.
In each of these cases, BOPS provides a stronger level of verification and critical improvement in overall security infrastructure to minimize risk and prevent unauthorized access and control.
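To make the "two-way SSL certificates" item above concrete, here is an added example (not part of the original post and not BOPS code): a Python TLS server context for a hypothetical device hub, with an audit function that flags one-way configurations. The function names, the `ca_pem` parameter and the hub scenario are assumptions made for illustration.

```python
import ssl
from typing import List, Optional


def server_context(require_client_cert: bool,
                   ca_pem: Optional[str] = None) -> ssl.SSLContext:
    """Build the hub's TLS server context (hypothetical helper).

    With require_client_cert=False this is ordinary one-way TLS: the
    device checks the hub, but the hub accepts any peer. With True,
    a device must present a certificate signed by the CA in ca_pem.
    A real deployment would also call ctx.load_cert_chain() with the
    hub's own certificate and key before serving.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if require_client_cert:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        ctx.verify_mode = ssl.CERT_REQUIRED  # reject peers with no cert
        if ca_pem:
            # Trust only the CA that issues device certificates.
            ctx.load_verify_locations(cadata=ca_pem)
    return ctx


def audit(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for settings that defeat two-way authentication."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("client certificate not required (one-way TLS)")
    elif ctx.cert_store_stats()["x509_ca"] == 0:
        # CERT_REQUIRED with an empty trust store rejects every device.
        findings.append("no CA loaded to verify device certificates")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 allowed")
    return findings


if __name__ == "__main__":
    for label, ctx in (("one-way", server_context(False)),
                       ("two-way, no CA yet", server_context(True))):
        print(label, "->", audit(ctx) or "no findings")
```
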
Read part 2 of our IoT – A Nightmare in Progress here.