Fertile ground is the musing of men, and no less so a recent splendid evening spent exercising thoughts on the Internet of Things (IoT), the technology wave sweeping across our digital landscape. The inter-networking, connecting and digitisation of everything around us; the automating, remoting, outsourcing and self-managing of things as diverse as:
- Refrigerators that order product when they run empty
- A nappy (‘diaper’ for my American readers) that announces it needs changing before it goes ‘toxic’!
- Tarmac on our roads warning us of ice
- Smart sensors that automatically monitor and predict gas pipeline or electric generator failures
- Autonomous systems that prevent us from speeding in our cars and slow us down in response to traffic conditions
- Nano-tech machines that police our very blood stream.
Most exciting, and little focused on, is the potential IoT has for reinventing many traditional lines of business where value returns may have flatlined, evolving or extending these into richer annuity-based service opportunities.
The potential is without doubt mind-boggling, and the investment organisations are making in developing their slice of the IoT pie is booming. The maturity of Cloud Computing is one of the big enablers and a co-driving force in this nascent revolution. All very progressive and exciting on the face of it, with big convenience upsides and huge social benefit arguments abounding, all with little risk, we are told, and great ‘shareholder value’ upsides.
Bundled free with the IoT comes the prospect of greater identity and access management dependency and even more passwords and usernames to remember, as we are asked to extend our trust to unknown third parties and their trusted networks, who ultimately will run and possibly own the attached devices we will grow to rely on, depend on and trust, potentially with our lives. Worried? If you’re not, even a little, you should be.
How the tone of a missive can change so suddenly 😉
The threats to the IoT are in plain view and not unique either; they are not some new ‘thing’ that miraculously stands aside from the persistent threats to conventional IT systems. The IoT leverages cloud computing, many of the same protocols as the Internet, and hardware and standards familiar to any conventional WiFi vendor. Worst of all are legacy systems that were once secure closed systems and are now being networked, SCADA systems (Supervisory Control and Data Acquisition) for example. Don’t tell me that these are low risk due to the PLC (Programmable Logic Controller) specialisation needed; there are plenty who know how to hack Internet Protocol (IP), and that is the weakest link. The merging of all these means that by its nature the IoT almost certainly involves greater risk, due to its pervasive and interconnected mash-up of technologies, protocols and networks that are already proven to be imperfect and/or ill suited. The IoT is by its very DNA hostage to its weakest link.
It would be one thing if we had a robust track record in the security of the current IT components that form the IoT, but we do not. In fact quite the opposite: not an hour goes by without a new hack being reported on some part of this technology landscape. The IoT mash-up of systems further complicates and confuses. Ask any engineer: the risks of failure and compromise are at the interfaces, where one device is dependent on another, where interconnected devices come from disparate vendors, where interfaces are employed to ‘standards’, standards that are subject by their nature to laborious change processes rendering them inevitably behind the technology curve. Take one compromised technology for example. SSL (Secure Sockets Layer), the former Gold Standard for secure communications, rendered obsolete. Its successor TLS (Transport Layer Security) v1.1 similarly now compromised, yet still the stated and recommended ‘standard’ for secure communications. If IoT communications are sharing their conversations in what equates to an open session, anyone who has the modest technical capabilities to eavesdrop on that session can interfere with the commands being transmitted; let the games begin!
The challenge for organisations producing products and services in this space is getting it right, so we don’t end up with a first and second-generation wave of offerings blighting the market with failures in security and integrity. With the enthusiasm and commercial motivation to get to market, the worry for many in the security industry is that price and speed to deliver will drive corner cutting. Security is not an option or a factor to compromise on. At this point less haste and more diligence will win the day. But I fear this is already a lost argument, and we will see a lot of finger pointing as vendors slope shoulders on accountability, blaming other parties’ components, while the litany of security breaches in the popular press is fuelled by the IoT.
A reality check scenario I give when confronted with vendors who assert that IoT devices are too inert to cause real physical harm is in the fertile home automation market. Consider a hacker who is able to compromise the management system of a not-too-distant house of the future, switching on its oven and delaying the pilot light till the room is filled with gas. No special effects needed; I am sure even the most dormant imagination can take over from here. An extreme case? Certainly one that strikes home, excuse the pun. Whilst we have not seen this exact scenario, it illustrates the conundrum: the domestic automation system vendor may not be directly at fault. The compromise of the automation management could have come from a number of sources:
- The cheap WiFi hardware chip used in the WiFi router on which the automation system relies for connectivity.
- The firmware on the home router, a favourite in the media today; read ‘More than 60 undisclosed vulnerabilities affect 22 SOHO routers’
- Another household device with poor security that can divulge the WiFi logon keys and allow a hacker to log on to the WiFi network legitimately!
- The third-party website, hosted in a Cloud service, that the automation system management console uses.
- The mobile app used to provide a convenient interface to the user.
- The SmartPhone OS that the mobile app is installed on.
- The Mobile app vendor store.
- The encryption protocol used to encrypt the communication between the components.
- The WiFi router using a default access key (many default access keys are not strong, limited to 8 or 10 numerical characters, easily broken using a brute force attack).
- The weak WiFi key or password chosen by the householder.
So who is to blame, and where do the responsibility and accountability lie? Caveat emptor, perhaps you would say, but that does little for peace of mind and confidence in the industry, or for the real duty of care vendors should be adopting in the brave new IoT world.
Scaremonger, you cry; well, industry already echoes the realities. It has been witnessed in no less deadly a manner in cases relating to industry, if not military defence critical infrastructure:
- Navy Marine Corps
- Energy utilities, Oil & Gas and Chemical industry.
- Transport infrastructure
100% physical impact from a digital attack or from simple human error: the outcome is the same. The targeted industries are very quiet on the matter, and whilst the evidence indicates malicious agent intervention, the incidents are often referred to as human error. Not because the truth is being hidden, but because many of these industrial control systems are so inadequately supported with access control, monitoring or logging that it is impossible to conduct detailed, meaningful forensic analysis. Take for example the new smart meters proliferating across our water supplies. The first wave of these adopted a wireless technology that was not secure and a shared maintenance access code! So any two-bit hacker could spin up your water meter bill or cut houses off without even getting out of their car.
The Internet and media abound with stories and InfoSec (Information Security) professionals who are dialling this up or down to suit their own agendas. My personal perspective is less a middle line between the extremes in this debate than a reflection that this is no longer a case of what is possible or probable but of what is inevitable, and the focus must be on the preventable.
Pailloux, who heads the French national security agency ANSSI, compared the state of cyber security to 19th century medicine: “We are still progressing; it’s exactly the same situation.” Reflecting on which, it would appear that instead of preventative medicine, i.e. eliminating the surface area of exposure to attack, the IoT vendor hordes are force-marching business, critical infrastructure and consumers into a war they simply cannot win, dressing up their own private battles as victories and progress. When in reality we are still struggling at a fundamental level with Identity integrity and Access accountability management, the building blocks of computer security.
My earlier blog (A Modern Moral Dilemma – Government Cyber Friend or Foe?) qualifies the argument as to the possibility of IoT security risks. It confirms the possible impact crystal clearly in the precision guidance capability and sheer complexity that a targeted cyber-attack comprising a mere few thousand lines of code can have. As for the probability of IoT critical fallout, after the bold display of 9/11, nothing can be considered out of bounds. So that leaves us confronting a stark reality: IoT critical failure is inevitable and just a matter of time, in a myriad of creative ways. The fact is the IoT commercial bandwagon is steaming full ahead on a collision course with reality.
Leaving aside the intimacy of the consumer relationship with the IoT and looking simply at the landscape of industrial control systems and recognised threat actors, in the face of a veritable shopping list of state-sponsored actors it begs the question as to when the next headline example of IoT compromise will occur in full public view. I state full public view because this IS happening now, in real time; you are just not seeing it or its outcomes, largely due to the high levels of state sponsorship driving a frightening level of professionalism in the threat actors active today. Namely:
- Deadeye Jackal: commonly known as the Syrian Electronic Army (SEA)
- Emissary Panda: a China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors
- Energetic Bear: a Russian group that collects intelligence on the energy industry
- Magic Kitten: an established group of cyber attackers based in Iran, who carried on several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting Iranian political opposition
- Numbered Panda: a group of China-based attackers, who conducted a number of spear phishing attacks in 2013
- RBN – Russian Business Network (Russia and the Cyber Threat)
Not to forget the known Nation State Agencies:
- Israel’s Unit 8200
- America’s National Security Agency (NSA’s) Tailored Access Operations Division (TAO)
- Equation Group – US ‘Gods of Cyber Espionage’
Current research supports the case that we will witness something in the short term. Reference the ‘Ponemon Institute’ report, which stated that 70% of critical infrastructure was compromised last year and projects that in the next 24 months we are likely to see more significant successful attacks.
The biggest threat to IoT is through conventional cyber and hardware security hacking, a well-known threat vector, and, as noted, the heightened risk from the chaotic state of the Identity and Access Management (IAM) environments that abound. Anyone in the industry who says otherwise should be shown the door, or, to do them and the rest of us a favour, a window. IAM is a Pandora’s Box, yet the cornerstone of security, one that few enterprises or vendors truly know what they are doing with outside their own product scope, and that consumers take on blind faith based largely on the strength of brand recognition. Yet the service layers of even the largest and most trusted brands are made up of a myriad of sub-contracted interrelationships and interconnected services, all of which rely on layers and degrees of IAM maturity, often stepped down to the lowest common denominator. And that was BEFORE the phrase IoT was even coined. It has not got any better. The consumer world of IoT is built on an IAM house of cards founded on quicksand, and commercial industry is not much better.
Commercialism and consumer convenience, plus vendors’ blind faith in their own solutions, risk seeing the true value of the IoT cast into a wasteland of regulation and compliance through failures to live up to a duty of care.
Moving on from the IoT risk and fallout potential on industrial control systems, a less physical but just as damaging risk factor is the compromise of data. Data breaches are reported on such a frequent basis that it is becoming the norm, and the recent report from the Data Commissioner would indicate that there is still a sub-class of organisations actively suppressing such breaches. Reflecting back on our state-sponsored threat actors, IoT is a veritable smorgasbord for covert data compromise operations, be they legitimate national defence, the more invidious snooping on citizens of all classifications, or blatant criminal intent.
What is required is for the digital citizen to wake up to the reality of their position in this puzzle. To step back and reflect on the ‘digital enslavement’ the majority of online users and smartphone owners voluntarily submit to already. The IoT, for all its industry-heralded benefits, represents a chilling extension to this invasion of privacy. The need for a legitimate open debate, followed up by action on this issue, has never been more important, for the future of the IoT as much as for the need for a ‘New Culture of Respect’ for Personally Identifiable Information (including metadata). This calls for an end to the open season on harvesting of user data and the cavalier attitude towards its reuse, re-sale and merging of datasets, which goes to the heart of privacy and security. Google, Amazon and Facebook are just some of the headline names in the industry, and amongst the worst perpetrators and obfuscators of this ‘data exposed’ state of reality. A reality these multinationals continue to spend millions on, exercising their ‘Soft Power’ plays to establish their practices as the accepted norm in the social and political psyche.
We need some industry level accountability for citizens to draw down on vendors who play fast and loose with their privacy and security before IoT goes broad-spectrum in our lives. Unilateral actions that start the correction process could include:
- Multi-country agreement on the control of Cyber Warfare, in a similar way to how the world has tiptoed away from nuclear conflict. The challenge is that it is harder to police and almost impossible to monitor effectively. Unlike nuclear waste and fuels, which are highly visible both in the sense that they can be easily detected and in the infrastructure needed to handle and work them, digital ordnance is almost invisible.
- Transfer of ownership and control over individuals’ data back into the hands of the individual or their nominated agent. NOT some pseudo transfer of ownership and vesting of legitimacy in some headless corporate entity as a result of a click-through page referencing reams of legalese that do nothing to check for age thresholds or user legitimacy.
- Licensing – Deployment in containment through licensing of interconnected systems, and through that licensing the visibility and guarantee of an accountable vendor or managed service provider.
- Vendor Guarantees – Back licensing of IoT with mandatory insurance, and obligate insurance companies to withhold any such cover if they have grounds to believe it could not be drawn down. In that power to withhold, insurance companies need to have demonstrated clear guidance, thus forming a two-way flow of responsibility providing a check and balance.
Harsh on vendors who hide behind the fact that they could not reasonably have foreseen the failure of one of their systems? Wake up and smell the roses; it is this class of controls that is needed to temper the haste into this new technology. The alternative is that the industry will be treating consumer audiences as little more than willing guinea pigs. There is a growing need to place the same level of due diligence on IoT vendors as we would on a new drug from a pharmaceutical company. A long shot I know, but just reflect on the scope and potential for unintended consequences that exists if you compare the parallel of our Cyber Security capabilities with the 19th Century medicine statement from Pailloux (head of the French national security agency ANSSI). Sobering….
It is a stark reality that the most advanced societies are the most at risk from the age of IoT. The simple truth is you don’t need a multi-million pound commitment to develop a cyber-weapon. Cyber weapons, and the compromises to deliver them, are being invented from bedrooms, on trains and planes during commuter journeys, by hobbyists, hackers, nation states, terrorists and criminal organisations as I write this very article. There is even a booming grey market in commercial software exploits, fed mostly by government buyers with deep pockets full of taxpayers’ money. There is a hidden workforce comprising conventional IT companies, or employees within companies, on the payroll of rogue entities, paid to build compromising backdoors into software at source. After all, when was the last time you checked the credentials of any software developer you were paying to write your business’s software? At best you would get a vendor-based certification, but no institute-backed credentials underpinned by strict governance, accountability and a blacklist you can reference.
For now the message is clear: as long as the rewards remain significant, vendors will peddle their wares regardless. As for the criminals, they will always find a way, and the path of the criminal is one easily followed by the terrorist and freedom fighter alike and abused by nation states. Sadly it is not even that challenging in many cases, as all software and hardware has some weak link; if not in an isolated state, then as soon as you hook it up to something it will. And finally there is NO governing body to validate software and hardware producers and hold them accountable, a vacuum of true professionalism in IT.
Oh yes, and one shot in the arm for the bad guys. The digital weapons our governments are using and the software exploits they maintain are proving to be the fastest ways of empowering and educating the protagonists. A perverse but real state of affairs that raises the stakes, spelt out by the US Bureau of Industry and Security when it published how it plans to implement the sections on hacking technologies in a global weapons trade pact called the Wassenaar Arrangement. This forced march, pushing the boundaries of weaponising software code and undermining citizens’ rights to privacy, goes to the very heart of the impact the IoT could have.