The Internet is a living thing; initially conceived upon an architecture able to withstand and rebuild following significant outages, it has taken on a life of its own, giving rise to “The Web,” to Web 2.0, and to globe-spanning social networks connecting and inspiring people in ways unimagined even 10 years ago. “The Internet” has already become the Internet of Things as more and more discrete devices become “smart devices,” and that development is continuing into the “Internet of Everything,” the cornerstone of which is communication.
As more nodes are connected, from the power station to the vending machine, they will be recording and exchanging functional and factual information, and those devices will be making autonomous decisions based on the context and content of that data. Radio and other wireless technologies are an integral part of this evolution, allowing rapid exchanges of information across environments.
Unfortunately, in the same way that consumer goods designers rarely prioritize security over functionality, many of the technical principles underlying legacy radio technologies that are being dragged in to power the Internet of Everything were set in stone long before the commercial web was a twinkle in Tim Berners-Lee’s eye. These systems and protocols were not designed with security in mind; much like TCP/IP, they were designed for resilience.
While attacks on “smart” or “connected” devices are still not commonplace, criminals are already probing the possibilities for malfeasance offered by the new world of connected and often unsecured devices. We have already seen real-world attacks on Digital Video Recorders attached to security monitoring cameras, attempting to use these devices to mine Bitcoins. This was no random infection; the malware in question was specifically coded to run on ARM processors even though these low-powered processors are really not up to heavy-duty cryptography.
We have also seen several attacks aimed at compromising home routers, offering a particularly well-placed vantage point for man-in-the-middle attacks against smart devices, negating the need to infect individual devices by placing the attacker directly in the data stream of any device behind the router.
In addition, recent proof-of-concept attacks have been demonstrated against smart home solutions, car management systems and Smart TVs. Unfortunately, the majority of these rely on poor design or security practices by the manufacturer rather than any code-level vulnerability or weakness.
Just as the cornerstone of IoE is communications, the most significant target is data. The attack vector apparent to the bad guy is not simply the endpoint, but rather what that endpoint represents: access to data.
Vendors, consumers and enterprises have their own responsibilities for the Security of Everything. From a consumer perspective, it’s mostly about getting savvy. Make sure you are able to assess the potential risks of any connected device or service and ask the right questions about securing them. Don’t be dazzled by the advertising promises.
Vendors and enterprises need to take a more holistic view of security. As a manufacturer or enterprise adopter of IoE technologies, you should be taking a long, hard look at the cloud and data-centre infrastructure that underpins the technology. Make sure that data is secure, that virtual infrastructure is protected and that workflows and processes of real-time data analysis are designed with security principles baked in.
It is disheartening that in the rush to market, security is still so often an afterthought for vendors in the emerging Internet of Everything space. It was 12 years ago that Bill Gates sent his celebrated “Trustworthy Computing” memo to “Microsoft & Subsidiaries.” To quote from that famous communiqué:
“Going forward, we must develop technologies and policies that help businesses better manage ever larger networks of PCs, servers and other intelligent devices, knowing that their critical business systems are safe from harm. Systems will have to become self-managing and inherently resilient. We need to prepare now for the kind of software that will make this happen.”
This has never been more true and relevant than now.
During the month of October, we’re supporting the National Cyber Security Alliance in celebration of Cyber Security Month – an effort that aims to educate organizations and individuals about how to stay safe online.