The Internet of Things is imbuing everyday things with major significance in terms of security. The potential of the Internet of Things can only be fully realised if the manufacturers of smart products build security into their software and hardware.
The USA is being threatened by a new kind of terrorism: A group headed by a discredited Pentagon security expert has gained control of all the country’s computer networks. They are able to change traffic lights at will, manipulate communications, and control gas pipelines. It is a horror scenario which fortunately is just a Hollywood fantasy. But is the plot of the movie “Die Hard 4.0” really so far-fetched? Anyone who attended last year’s Defcon – the world’s largest hackers’ conference – might well think differently. At the event, Dan Tentler, a freelance security consul-tant and founder of IT security specialist AtenLabs, demonstrated how many devices can already today be found on the Internet – and are entirely unprotected, open for anyone to access. They include games consoles and laptops with built-in microphones and cameras capable of intruding into private areas, -security cameras, independent power supply units, cooling systems, and many more. He was, for example, quite easily able to set the traffic lights at a crossing in a US small town to test mode, causing the lights to stop working. He was also able to access the user interface of a French hydro-electric power station, as well as a carwash. All he needed to do so was a Web browser and the Shodan search engine. This – entirely legal – Google equivalent searches the Net for connected devices. A Shodan search reveals just how many devices are today already connected to the Internet. And it also reveals the dangers lurking on the Internet of Things. “Everyday objects – once familiar-looking and completely irrelevant in security terms – are suddenly becoming repositories of sensitive data, extending from confidential financial information to detailed telemetry data revealing personal aspects of people’s private lives,” comments Marc Rogers on the Lookout blog. Rogers is Principal Security Researcher with Lookout, one of the leading security technology companies, whose security software protects smartphones and other mobile devices against online threats. Rogers advises: “Net-connected objects have to be treated like software when it comes to security.”
Patches enhance security for Net-connected devices
At present, the software of embedded systems – known as firmware – is rarely, if ever, updated once installed at the production stage. This results in security gaps which can be exploited by viruses such as the Stuxnet worm. In 2010 Stuxnet paralysed the process controls of Iranian nuclear power plants. Similar attacks would be conceivable on any other form of M2M communication. Smart Meters, which provide the basis for future Smart Grids, might likewise be attacked, potentially impacting on electricity supplies to public services, private households and industry. That is not just a theoretical scenario, as a 2010 FBI report highlights: It revealed that a power company in Puerto Rico lost hundreds of millions of dollars due to manipulation of Smart Meters which caused them to stop recording night-time consumption. According to the FBI, many Smart Meters can be manipulated even with modest computer skills.
In order to close such loopholes, Rogers recommends extending the system of patch management familiar from PCs to Net-connected devices. This would mean newly discovered security flaws could be eliminated by patches like the Service Pack updates issued by Microsoft for its Windows operating system. As a result, the firmware in the objects connected to the Internet of Things would be regularly updated, and newly discovered security gaps continually closed. “One of the key lessons learned from patch management for PCs is that device security issues should be managed as software issues, and not as product or hardware issues. That is the only way that manufacturers will be able to get a handle on the extent of the problem,” Rogers concludes.
Chips themselves are becoming more secure
Nevertheless, security on the Internet of Things does also have a hardware component. The micro- and nano–electronics industry has developed secure chip solutions without which a reliable IT infrastructure could not function. “Chips are the basis for all electronic services. The field of micro- and nano-electronics is thus the most important and fundamental key technology in today’s interconnected world,” asserts Heinz Martin Esser, President of high-tech sector network Silicon Saxony e.V. He continues: “A secure chip architecture is the foundation of secure IT. The strongest firewalls and best-protected corporate networks will be of no use whatsoever if the hardware is not secure – and that means producing the right chips.” The solution lies in the basic idea of a security system on a chip, as Esser concludes: “Without such secure chips, with embedded secure software, there will be no reliable IT infrastructure in future.” Semiconductor manufacturers have also recognised that fact, and are -already bringing out the first discrete security chips which protect computer systems against unauthorised access and attack. So hardware-based security solutions for industrial and embedded computer systems or mobile devices are already a reality today. The latest chips conform to the TPM (Trusted Platform Module) 2.0 specification issued by the Trusted Computing Group. The group, made up of leading IT companies, develops open standards to safeguard computer environments. Computer systems with such integrated trustworthy hardware and corresponding applications enable secure authentication of device and user identities and so improve secure communications in computer networks.
Wide-ranging approaches to enhancing security
There is a wide range of different approaches aimed at making the Internet of Things secure, as Professor Dr. Dirk Westhoff from the Hochschule Furtwangen technical college reports: “We are looking for easily applicable methods of secure, robust code updating, enabling functionality, confidentially merging monitored data transfers, and detecting cyber-attacks and attempted manipulation.” Westhoff is working on the UNIKOPS project, aimed at developing security solutions for embedded systems – processors working in a wide range of applications and different devices, such as in medical products, onboard aircraft, in motor vehicles or domestic appliances like washing machines, or in TVs and mobile phones.
Marc Rogers concludes: “The Internet of Things marks the beginning of a new era in technology – a future in which everything is interconnected, and we are able to interact with data more closely than ever before. If we do it right, we will open up a whole world of new possibilities. If we do it wrong, we risk destroying it before it has ever realised its potential.”