Why Your Servers May Be the Weakest Link in Your IoT Security

By Geoff Kratz

It's important to ensure both device- and application-level security—but don't stop there.

This brave new world of the Internet of Things has sparked, amongst other things, a discussion about security. A lot of the chatter tends to focus on device security—in particular, the security of a Bluetooth Low Energy (BLE) connection. A recent CBC article refers to this specifically, although it does touch tangentially on a larger security issue: the server.

Is device security important? It most certainly is. The device is the thing that is out there, in the wild, usually in a place many people can see or reasonably reach via a radio. The communication between any device and a smartphone or smart home router (also known as a hub or base station) needs to be strong. You don't want a flaw in the device to leave it vulnerable to attack, particularly a security device such as a door lock. However, the IoT device is not the real target.

The real targets are the servers behind the devices. By themselves, the devices are interesting, but not always useful. They will generally need to communicate with some kind of server-side system. In most cases, devices won't, by themselves, send push notifications or even SMS text messages. Do you want users to be able to set up sophisticated rules for who to call, and when, automatically, in response to a given event? You'll be doing that on the server, not on the device or a nearby supporting device, such as a smartphone.

It's All About Scalability
Consider two ways to take advantage of security flaws. The first is to attack the devices directly. This means that I, as the attacker, would have to be within wireless (and possibly visual) range of the device, and ultimately that I would have to actually find its physical location, or hopefully identify it via its radio transmissions. Either way, I would need to have boots on the ground, searching for these devices.

The weakness of this method is that it may require that the device owner use his or her device while I have equipment listening. Either way, to attack thousands of devices in a useful way may require dozens or even hundreds of people. To get at hundreds of thousands of devices, I would need thousands of people out there, gathering data and attacking them directly.

If I were to attack the server, on the other hand, I could compromise all of the devices. I could accomplish this either by allowing myself (and anyone who pays me) access to every device, or by injecting malware into individual devices to create a back door that would let me attack the server. But, more importantly, I could access a server and obtain a copy of the registered customer database—since many firms do very little to protect consumer data on their servers. This might not give me all known devices (not everyone registers his device, and some customers use fake information), but it would likely grant me access to the majority of registered users of a particular device. Now, not only would I have access to any devices I wanted, but I would also know where in the world they were located.

The IoT world had its first real attack of that kind when hackers turned Samsung smart TVs and refrigerators into e-mail spambots (automated computer programs).

Those types of bots could be used to send out phishing spam to elicit credit or bank card information from people. Those cards and associated PINs or passwords could then be sold in bulk to buyers who would use them to purchase goods online or fence them for cash. The Samsung attack could not have been made on the devices directly because there were hundreds of thousands of e-mails sent by those devices, from around the world. They were attacked either via the Internet, or more likely, via Samsung's servers.

Borrowing from a scene in the film Skyfall (in which James Bond meets a young, bookish Q for the first time), attacking the device is like sending an agent into the field. By attacking the server, a hacker could, like Q, "do more damage on my laptop sitting in my pajamas before my first cup of Earl Grey than you can do in a year in the field." Yes, ultimately, you want to be in the field to take advantage of the compromised device. But doing them all at once scales more effectively.

Secure Everything
Securing the servers and the infrastructure is critical for any IoT implementation. But you must also pay attention to the devices and to intervening components such as smartphone apps. They still need to be secure as well.

Securing the devices is like locking the front door. Making your apps secure is like locking the back door. They are the most obvious points of entry, and both must be made secure. But not securing your servers is like leaving the garage door open and the inside door unlocked. Sure, the regular doors are locked. But there is still a way in (and a very large way in), and now the whole system is compromised.

Ultimately, you need to secure everything: the devices, the apps and the servers. Doing only one or two of those isn't enough. You have to address all of them. But losing control of the server means losing control of everything.

Geoff Kratz is the lead technologist and co-founder of bbotx inc., a startup in the Internet of Things space. Kratz previously worked for Bell-Northern Research, Microsoft and IBM, and has designed and developed secure transaction-processing systems for the financial industry, as well as iOS- and Android-based applications.