In the first part of our series on assessing and managing the cybersecurity risks associated with the Internet of Everything, we took a long look at what devices, technologies and processes underpin the IoE, as well as how they could be compromised by an attack. Stated broadly, the IoE encompasses a variety of IP-enabled endpoints that extend the Internet’s reach far beyond the traditional scope of PCs, smartphones and tablets.
Internet of Everything gets renewed support from tech giants
On the surface, the IoE can seem like a gimmick – something that is most visibly associated with cyborg-style heads-up displays, networked toothbrushes and wristbands that track the user’s every step and sleep habits. But this portrayal hides the IoE’s potential to improve the delivery of content and services. Salesforce.com’s JP Rangaswami has presented the IoE as a system for reducing waste and eliminating inefficiencies, from business supply chains to daily transportation flows.
Here are just a few of the recent IoE projects that have made headlines and underscored what increasingly networked infrastructure can do:
- At its upcoming Worldwide Developers Conference, Apple may have plans to show off a new platforms that let users control items in their homes. Essentially, the move could turn an iOS device into a universal remote for security systems, lights and other appliances.
- Google, which acquired networked thermostat and smoke detector maker Nest earlier in this year, may now be eyeing Dropcam, a service for setting up in-home cameras that can monitor activity while the resident is away.
- Samsung has already explored the IoE waters with its Galaxy Gear smartwatch and the Galaxy Fit health tracker, both of which iterate on current trends in wearable technology and fitness monitoring.
With the largest technology vendors in the world all behind the IoE, security and privacy have to take a front seat. The IoE presents new opportunities to remake and improve the Internet, but technologies such as Dropcam hint at unsettling possibilities such as hijacking a home surveillance system.
In fact, the emerging IoE has already been attacked on multiple occasions, including one exploit dubbed the Moon Worm that went after routers. It is important for stakeholders to learn from these events before infrastructure – and the efforts targeting them – become more advanced.
“Most of the devices exposed on the Internet will be vulnerable,” explained Jerry Michalski, founder of the REX think tank, according to Wired. “They will also be prone to unintended consequences: they will do things nobody designed for beforehand, most of which will be undesirable.”
Learning IoE security lessons from Moon Worm and other attacks
The cybersecurity community need look no further than Moon Worm and a few other similar malicious campaigns to see that IoE security is not over the horizon, but already here. Here’s a quick rundown of some of the most high profile incidents involving IoE security over the past few years:
- In February 2014, the Moon Worm was discovered targeting specific Linksys router models used all over the world. It took advantage of an authentication bypass vulnerability and even had self-replication capabilities. Users were encouraged to update to the latest firmware and disable remote management in order to stay safe.
- This April, a group of hackers used malware to take over DVRs that recorded video from security cameras. On top of that, they enlisted the infected endpoints into a Bitcoin-mining operation. Extracting Bitcoin is very CPU-intensive, meaning that compromised devices would run slowly. The appeal of taking over the IoE was strong enough to overcome the hassle of relying on the cameras’ low-power ARM processors to perform the demanding Bitcoin-related calculations.
- Tesla has made waves for its creation of cutting-edge electric vehicles that feature touchscreen interfaces and integrated cellular connectivity. Perhaps predictably, it has had to deal with the cybersecurity issues that naturally accompany this increased reliance on networking and software. Ars Technica reported that until recently, Tesla owners only had to set up a 6-character password with at least one letter and one number, making their accounts highly susceptible to brute force attacks. Third-party apps for Tesla may also enable data leakage of owners’ credentials.
Discussing both Moon Worm in particular and IoE security in general at a May 2014 conference, researcher and In-Q-Tel chief security office Dan Geer stated that one of the fundamental vulnerabilities in the IoE is the sheer number of devices running outdated software. Attackers can easily exploit unpatched firmware and operating systems to commandeer IoE assets from video cameras to networking equipment.
Geer also looked at how Moon Worm indicates that IoE cybersecurity is already a tangible issue. Plus, one of the underrated challenges of securing the IoE may be that attacks come to resemble technical accidents or outages – how will users know whether their endpoints, now more vital to their everyday lives, are simply malfunctioning or under siege?
“[T]he worm called [The Moon] that is now working its way through the world’s Linksys routers may be precisely what I have described,” Geer explained at the event. “It may be that. It may be not that the forest could burn, but that it is already afire. It may be that we are one event away from not being able to disambiguate hostile action from an industrial accident. That matters a lot.”
Protecting the IoE: What can be done?
In devising security strategies for the IoE, researchers can learn not only from Moon Worm and its ilk, but from the struggles over the last decade to migrate users from Microsoft Windows XP. The costs of continually fixing XP exploits were complicated by the popularity of simple devices such as netbooks, for which the aging OS was ideal, as well as XP’s closed source model that made it difficult for observers to contribute fixes.
These same obstacles need not encumber IoE security. Geer has suggested that networked endpoints have an expiration that would encourage users to, say, replace a smart refrigerator before a certain date. Alternatively, device manufacturers could open source the code of end-of-life products so that the software developer community could at least work on potential fixes, avoiding the situation that has made XP’s end of official support so difficult.