This article is part of a series called The Future is Smart: How the Internet of things is changing business.
Follow the series at tgam.ca/internet
When it comes to the security of the Internet of Things, technology companies are thinking about it all wrong.
"Privacy is not the main problem," Ted Harrington, executive partner with Baltimore-based Independent Security Evaluators (ISE), told a room of IT professionals at the annual SC Congress digital security conference in Toronto last week.
"Why would I care about my connected light bulb getting hacked? At worst, someone gets information about how often I turn on or off my lights. Maybe an adversary could even annoy me by turning off my lights. How bad is that?" Mr. Harrington asks.
But think of that "smart" light bulb as a chink in the armour of digital security. Mr. Harrington's research has found that makers of connected devices have failed to design strong protections against attackers: He's seen everything from unchangeable hard-coded passwords to unencrypted data connections. And there is a growing number of connected devices showing up in homes, cars, businesses and on our bodies.
"All these connected devices are connected to each other: So you compromise that light bulb as a pivot point … you pivot into the network the light bulb is a part of, and now you get the assets that are contained therein," Mr. Harrington says.
Those assets could include banking information, identity credentials or control of a system for use in a criminal botnet. He has stark advice for any potential buyer of a smart fridge or thermostat: "Connected devices enable attackers. That stuff's not safe right now."
In 2014, Hewlett-Packard Co. released a research report that concluded 70 per cent of "Internet of Things" connected devices were vulnerable to hacks, through weak passwords, unencrypted connections or both. Mr. Harrington's team, which has cracked a few "unhackable" systems in the past (car immobilizer systems, the original iPhone), decided to test the 13 most popular home routers on the market. In any connected home, the router is the central hub that carries every device's traffic, and ISE thought they'd be able to break into maybe 30 per cent of the top-rated, top-selling routers on Amazon or Best Buy. They broke into 100 per cent of them.
"In 2010, the number of 'things' surpassed the number of people connected to the Internet. That curve now is exponential," says David Kleidermacher, chief security officer for Waterloo, Ont.-based BlackBerry Inc.
"If we think we have trouble securing a billion mobile devices, imagine when we have hundreds of billions and ultimately trillions of things connected to the Internet. It doesn't take a lot of convincing for people to realize that we do face a very big challenge."
For Mr. Harrington and Mr. Kleidermacher, the key weakness of most tech companies and their Internet of Things (IoT) customers is a failure to create a "threat model" and test security against that. "If they don't know what they are trying to defend, and who they are trying to defend it against," says Mr. Harrington, "any security measure and no security measure applies."
One of his bugbears is the current standard for security research, so-called black-box tests: take a device with no inside knowledge of how it was designed or built, and try to break into it. As Mr. Harrington says, that's not actually how most hacks happen. He prefers "white-box" assessments, where testers are given the design and working knowledge of how a system operates, and then see if they can compromise it. It's an alien concept to many hardware and software makers.
"Whether it's IoT or not, the way that adversaries look at all systems is what's known as a stepping-stone attack. You attack the weakest device, and an IoT device usually has weak or no authentication with other devices on that same network."
Because the router sits in the path of every connection on the home network, that's how a hacked router can redirect a connected computer to download malicious code that infects what's supposed to be a closed, safe system. And there's no anti-virus for routers.
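As an added illustration, not code from ISE, BlackBerry or this article, the following Python simulation models the stepping-stone described above. The router is the only name resolver the computers on the LAN use, so an attacker who owns it can answer the vendor's update hostname with an address they control. A client that trusts whatever DNS says installs the substituted download; a client that pins the update server's key fingerprint (as TLS certificate pinning or a signed-update check does in practice) refuses it. Every hostname, address, key and payload here is constructed for the example.

```python
"""Simulated stepping-stone attack through a compromised home router.

Constructed example: the router answers DNS for the LAN, so whoever
controls it decides where "updates.vendor.example" points. Key
fingerprints stand in for TLS certificate pinning / signed updates.
"""
import hashlib

# Constructed key fingerprints for the genuine vendor and the attacker.
VENDOR_FP = hashlib.sha256(b"vendor-update-key").hexdigest()
ATTACKER_FP = hashlib.sha256(b"attacker-key").hexdigest()

# Constructed hosts: address -> (key fingerprint presented, update served).
HOSTS = {
    "10.0.0.50": (VENDOR_FP, b"firmware-v2 (genuine)"),
    "10.0.0.66": (ATTACKER_FP, b"firmware-v2 (trojaned)"),
}

UPDATE_HOST = "updates.vendor.example"

# DNS tables the router hands out: honest, and after the router is owned.
HONEST_DNS = {UPDATE_HOST: "10.0.0.50"}
HIJACKED_DNS = {UPDATE_HOST: "10.0.0.66"}


def fetch_update(dns, hostname, pinned_fp=None):
    """Resolve hostname through the router's DNS and fetch the update.

    With pinned_fp set, refuse any server whose key fingerprint differs,
    which is the check that stops the redirected download.
    """
    ip = dns[hostname]
    server_fp, payload = HOSTS[ip]
    if pinned_fp is not None and server_fp != pinned_fp:
        raise ConnectionError(f"{hostname} at {ip}: key fingerprint mismatch")
    return payload


def naive_client(dns):
    """Client that trusts the network: installs whatever DNS leads it to."""
    return fetch_update(dns, UPDATE_HOST)


def pinned_client(dns):
    """Client that pins the vendor's fingerprint; returns None on refusal."""
    try:
        return fetch_update(dns, UPDATE_HOST, pinned_fp=VENDOR_FP)
    except ConnectionError:
        return None


def run_scenarios():
    """Run both clients against both routers; returns payload installed."""
    return {
        "naive/honest": naive_client(HONEST_DNS),
        "naive/hijacked": naive_client(HIJACKED_DNS),
        "pinned/honest": pinned_client(HONEST_DNS),
        "pinned/hijacked": pinned_client(HIJACKED_DNS),
    }


if __name__ == "__main__":
    for scenario, result in run_scenarios().items():
        print(f"{scenario:16} -> {result!r}")
```

The point of the simulation is the asymmetry in the last two scenarios: nothing about the router changed between them, only whether the client authenticates the other end. That is the "weak or no authentication with other devices on that same network" Mr. Harrington describes, and it is why the fix belongs in the device, not in a hope that the router stays clean.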
Mr. Kleidermacher shares Mr. Harrington's distrust of traditional security research practices, and BlackBerry's security business hopes not only to help customers find vulnerabilities, but also build systems to be more secure.
BlackBerry has its own secure IoT offerings, focusing first on connected cars, shipping and smart meters, but it wants to help secure every "thing" on the Internet. In April, it unveiled the Center for High Assurance Computing Excellence (CHACE), which BlackBerry hopes can help create a common standard and certification system for Internet of Things security.
"How does the independent stakeholder know that [a new IoT system] is secure? How can they have confidence that a vendor … can come to them with some solution? There is no such standard; that's something BlackBerry is hoping to solve," says Mr. Kleidermacher.
Mr. Harrington's company was born out of the computer science PhD program at Johns Hopkins University, and he agrees there is a critical need for accountability.
"Health care is really messed up from a security perspective," Mr. Harrington says. "People who make medical devices have to get [U.S. Food and Drug Administration] approval, but no part of the FDA approval process is working with an organization like ours [that] understands how to make them more secure."