Who doesn’t associate the word IoT with security issues in 2022? Apart from those who work in IoT, maybe? As with all emerging domains, shortcuts are easy because the domain is poorly understood. I will try to give you some elements on what cannot be denied: security, in the IoT as in other technologies, is essential. I will take particular care to explain why it is so essential in IoT, why the subject is poorly understood and also why we often talk about it too much.
There is not a single category of IoT
Before giving a broader dimension to the IoT, let’s start with the common and reductive vision of a communicating object. There is no homogeneous family that can be described as IoT and for which the rules and risks would all be the same. In reality, there are three kinds of IoT that can be differentiated from a security standpoint. They can be differentiated because their characteristics totally change their exposure to attacks.
- The first category represents the most exposed objects and those known to be the source of the biggest problems: these are connected objects, usually connected via WiFi, but they can also be connected via Ethernet or 3/4/5G (3GPP). They have the particularity of being potentially directly accessible from anywhere on the planet. By design they are generally vulnerable (we’ll see why a bit later) and therefore an easy target for an attack.
- The second category represents objects relayed to a central service through a gateway. They can use different communication technologies between the objects and the gateway. The gateway itself is connected to the Internet access of the company or the house. This category is widespread in the smart home, especially with Zigbee, Bluetooth and Wirepas technologies and some WiFi implementations. The devices themselves have two particularities: they do not provide a large bandwidth and they are not directly addressable from the Internet. The gateway is more directly exposed, while still ensuring a better level of security than the first category, as we will see.
- The last category concerns objects that are both autonomous and not accessible from the Internet. These are IoT devices in the pure sense, as IoT became popular around 2014 (the first two categories fall more under what has been called M2M (machine to machine) since the beginning of the 2000s). These devices use LPWAN communication technologies, including Sigfox, LoRaWAN, NB-IoT, etc. From a macro-architectural point of view, this category is close to the second category: devices communicate with the Internet through a gateway. But here the gateway is a network server controlling many radio receivers and relaying radio communications received from devices over distances of several kilometers. Devices are not addressable from the Internet and cannot directly send messages to the Internet (other than with some SCHC gateways).
Different architectures, very different attack surfaces
If we think about the attack surface, the potential volume of attackers and the attacker’s exposure during his misdeed, it is obvious that we have here three very different levels of risk. The object of the first category, directly accessible on the Internet, generally via a web page, will wait for the whole planet with open arms, and the result should quickly be what is commonly called a bloodbath. The second, which for a whole fleet of objects only exposes a gateway usually communicating with a dedicated service, reduces the risk accordingly. The last, which is exposed only through a professionally operated core network, is very weakly exposed.
Before continuing, is the IoT just a thing?
Before going to the technical arguments that delight security consultants but do not bring anything very interesting to understanding the problem and its solutions, we must take a step back on this point. I like to say that when we translate IoT as “Connected Things” it means that we have missed the point. The Internet of Things (IoT) makes much more sense because it conveys the interconnection of a mass of devices with the aim of creating additional value beyond what the single object produces. The IoT is not a product but a service; the thing in an IoT solution is only a means to access (digital) data from the physical world.
One consequence is that an IoT solution is, first of all, a centralized solution that aggregates data. To illustrate this concept in a simple way, your voice assistant is just a device that sends your voice to a server, which translates it into an action that then comes back to your assistant and finally to you.
This central component, which has everyone’s data, is made up of computer software, accessible from anywhere on the Internet. It therefore becomes clear that the widest exposure to attacks of an IoT solution (categories 2 and 3) is not the device itself but this centralizing service, a service that is, between us, just classic IT. Everything we know about web services applies in the same way in IoT as elsewhere.
This point should always be kept in mind, because it is not a bankable argument for security experts: the main risk of the IoT is in its classic IT component.
To understand the security issues in the IoT, however, it is necessary to leave the technological dimension and enter the economic one. I imagine that this may put off the developer who is reading me at this moment, but let’s be clear, we are talking about your pay check here… IT is a world of services and maintenance subscriptions; things are a world of boxes that we push. To simplify: when the consumer buys a television, he buys a piece of furniture. For the manufacturer it is a set of electronic and plastic parts assembled together, and for the intermediaries it is only a box that is moved. During the last 50 years, whoever manufactured or sold a television did everything to never hear about it again, nor from the customer, other than to push him a new box. At no time is there any question of service, at no time does the manufacturer or the seller wish to create additional value on the product, and at no time does the consumer plan to establish an additional contract with these people.
What happens when the TV becomes connected? Everything then becomes complicated: the consumer is no more inclined to contract with the manufacturer, as he already pays enough to access the video or other platforms that are the reason for his demand for connectivity. However, the manufacturer is facing a new challenge: it must maintain the software, since its connected television is now exposed to vulnerabilities. And that’s where we talk about the developer’s pay check! Who will pay the developers over time? As a reminder, a television has a lifespan of 10 to 15 years. The consumer does not want to hear about it, and the distributor will not be able to turn security into a sales pitch… For lack of an appropriate business model, the IoT is by construction exposed to a major security risk due to the lack of updates. It must be understood that a category 1 IoT, such as a television, is nothing other than a conventional computer, more or less exposed on the Internet, on which security patches are very rarely applied and then, after a few years, no longer applied at all. For category 2 and category 3, since the objects themselves are not exposed, the risk remains present but its occurrence is drastically lower.
Category 2 gateways are quite similar to category 1 but have some security advantages, including the fact that their development can be shared and reused, which works for a while.
What are the impacts of the poor structural security of IoT?
Let’s assume that it’s not possible to trust IoT categories 1 and 2 (I’m going to rule out category 3 on this question, where the risks are lower, not technically, but in terms of the effort required relative to the result obtained) and let’s see the impacts.
First of all, from a privacy point of view: the product supplier, not wishing to expose himself to the consequences of a vulnerability affecting his customers, will have to finance his developers. He has two options:
- The first is to practice planned obsolescence: he thus controls his costs by reducing how long the developers are employed on a given product.
- The second is to have his developers paid through the sale of related services that the consumer is ready to pay for (the VOD button on the remote control) but, most often or in addition, by selling the personal data of his customers, simply because this income is directly associated with usage.
As the saying goes: “if it’s free, you’re the product”. If you doubt it, I could lead you to think about examples much more intrusive than what I have just described here. My only advice is this: if it’s free for you, ask yourself how the developers get paid. Personally, I almost prefer when the answer is that there are no more developers: I know, at least, that it will be up to me to ensure the security of my IoT, and it is often doable.
In addition to this first consequence, we must consider the IoT as a Trojan horse. Our IT security is very often on the perimeter: whether it is company firewalls or the gateway we have at home, they isolate us, in a way, from the brutal world of the Internet. But once a device is infected behind those walls, there is nothing left protecting you. What I’m saying is anxiety-provoking, perhaps, but if I may panic you a little more: before you worry about IoTs, it’s time to panic about cell phones, and in particular your child’s, a second-hand Android whose last update dates back 3 years and on which a hundred free games are installed… It must be understood that your personal network, for practical reasons, allows access to your box (and therefore to the administration of your firewall), to all your other IoTs, your computers, your shared disks which contain your invoices, your accounts, your photos… In business, to your overall know-how.
Once we have understood these structural and economic principles, we can start to act and then we can talk about the technical specificities that the security experts provide us with.
Is burning our IoT the only way to survive the end of the world?
Faced with this, some would be inclined to refuse technology: it was better before, with telephones without WiFi, a house without WiFi too, and why put the Internet there when 6 channels, no, 3 TV channels were enough? I can’t imagine the reader of this text taking pleasure in this direction, so I’m going to offer you different approaches to manage IoT risk.
Once again I will remind you that the main risk is at the level of the central web service, over which your leverage is minimal. However, as a customer you have one lever; I know it is unpleasant, but it is fair: if you want security, you have to pay the developers who provide it to you over time. Never forget it.
After this reminder, let’s see our technical levers. First of all, you have to segment and monitor. Personally, I practice this for the 50 or so IoTs that are on my network. As a reminder, if I am an IoT enthusiast, it is for category 3, which is not on my network. I think you will be as surprised as I was when you draw up the inventory of IoT in your home (or company). Isolating different networks is something usually done on corporate networks by the network administrator. This is a good direction to follow, but it will quickly come up against the technical capacities of IoT users… The principle is simple, though: IoTs have their own dedicated network, a network that does not access personal and critical resources. Personally, I do not understand why a dedicated solution for securing personal networks against mobiles and IoT does not exist in 2022, but that is another topic.
To go further, I recommend filtering IoT communications down to what is necessary and blocking communication between the devices, which they generally do not need. I also advise, of course, never opening a port from the Internet to an IoT. Moreover, I strongly advise checking the outgoing connections of IoTs: it turns out that some, for maintenance reasons, will open ports through an outgoing tunnel. Practical, but at what risk? This separation can be physical or logical; the use of several WiFi networks or VLANs is now accessible to the majority of (rather) geek audiences. I particularly appreciated the UniFi solution for this, as you can manage a lot of different WiFi networks on a single access point.
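The checks recommended above (no device-to-device traffic, no access to personal resources, no port opened to the Internet, outgoing connections limited to what is necessary), applied to a flow log, as an added example that is not part of the original post. The subnets, the allowlist, the tunnel threshold and the flow records are all constructed assumptions.

```python
import ipaddress

# Assumed layout (hypothetical addresses): a dedicated IoT VLAN and the trusted LAN.
IOT_NET = ipaddress.ip_network("192.168.50.0/24")
TRUSTED_NET = ipaddress.ip_network("192.168.1.0/24")
# Assumed allowlist: the only (destination, port) pairs each device needs.
ALLOWED = {
    "192.168.50.10": {("203.0.113.20", 443)},   # TV -> video platform
    "192.168.50.11": {("203.0.113.30", 8883)},  # gateway -> vendor MQTT broker
}
TUNNEL_SECONDS = 6 * 3600  # assumed threshold for a standing outbound session
# Constructed flow records: (src, dst, dst_port, direction, duration_seconds).
FLOWS = [
    ("192.168.50.10", "203.0.113.20", 443, "out", 120),
    ("192.168.50.10", "192.168.50.11", 80, "out", 3),
    ("192.168.50.11", "192.168.1.5", 445, "out", 10),
    ("192.168.50.11", "198.51.100.7", 22, "out", 90000),
    ("198.51.100.9", "192.168.50.10", 8080, "in", 5),
    ("192.168.50.11", "203.0.113.30", 8883, "out", 86400),
]

def audit(flow):
    """Return the segmentation-policy violations for one flow record."""
    src, dst, port, direction, duration = flow
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "in":
        # Traffic from outside both local networks means a port is open to the Internet.
        outside = s not in IOT_NET and s not in TRUSTED_NET
        return ["exposed-to-internet"] if d in IOT_NET and outside else []
    if s not in IOT_NET:
        return []                       # not an IoT device, out of scope here
    if d in IOT_NET:
        return ["device-to-device"]     # IoT devices generally need not talk to each other
    if d in TRUSTED_NET:
        return ["reaches-trusted-lan"]  # IoT must not reach personal or critical hosts
    if (dst, port) in ALLOWED.get(src, set()):
        return []
    findings = ["not-allowlisted"]
    if duration >= TUNNEL_SECONDS:
        findings.append("possible-tunnel")  # long outbound session worth inspecting
    return findings

def report(flows):
    """Map (src, dst, port) to its findings, keeping only flows that violate policy."""
    return {f[:3]: audit(f) for f in flows if audit(f)}

if __name__ == "__main__":
    for key, findings in report(FLOWS).items():
        print(key, findings)
```

In practice the records would come from the router's or firewall's connection log for the IoT network, and each finding maps to a rule to add or a device to investigate.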
There would probably be more to do, but you have either let go (and we will not blame you), or realized that you will have to expend a lot of energy while still living in fear.
The choice of your devices is a primary factor in risk management. I mentioned the price in relation to maintenance, and I also mentioned the categories: the second reduces the risk and allows you to diversify the devices without increasing the risk, since low-risk devices can be added behind a gateway. The third category is at very low risk since it is disconnected from your network, at least on the local aspect.
What to do to design secure IoTs?
The problem of security in the IoT would not be so remarkable if there had not been so many flaws highlighted. This should be put in perspective against the quantity of flaws in the classical computing world, but nevertheless, it must be noted that, in addition to the major structural principles mentioned in the preceding paragraphs, the world of IoT has shown remarkable amateurism in terms of security.
It must be understood that the world of embedded computing is quite separate from the world of computing. I tend to think that this difference hasn’t really made sense for 20 years, but habits in training courses die hard, and it seems that students, and then professionals, tend to take pleasure in this. In short, in the embedded world, the concern is bugs (we are not going to allow ourselves to release 10,000 products that will crash or break down) but not so much security. It must be said that large-scale connected systems and the spotlight on their security are only recent. In short, without wanting to throw stones at this world, which I am part of but do not come from, and where there are also security leaders, it is clear that the consideration given to security issues is weak.
Now it is necessary to remember that a problem only finds a solution if it is raised and financed. The security problem of many IoTs is simply that this consideration has never been part of the specifications. There has never been any requirement. When we look at most of the hacks, we see major shortcomings: accessible keys, identical passwords or the word “password” used as the password, “hidden” administration, unverified signatures… This is only possible through a total absence of requirements on this aspect.
The key to IoT security can thus be summed up in two very simple and non-technical aspects:
- At design, have requirements and finance them
- At run, ensure that the user will finance the maintenance over the entire life of the product
These two considerations allow a viable economic model and should also lead you to technological choices potentially very different from those initially planned, but that is another story I will let you discover…