Picture this: It’s 8 a.m., and instead of waking up to the smell of your smart coffeemaker brewing a nice pot of coffee to start the day, you begin your morning with an email from a hacker demanding $20 in bitcoin, or else they’ll keep your coffee pot hostage until you pay.
It may sound a bit farfetched, but all you have to do is read the papers to realize that hackers are, literally, taking any connected device and turning it into a bot for their malicious botnet attacks — or holding them hostage until they are paid.
The Internet of Things (IoT) offers a new and powerful backdoor for cybercriminals to sneak in to launch massive attacks and hold the connectivity of devices for ransom.
From hijacked security cameras and video recorders to vulnerable car systems and smart locks, a growing number of connected devices are now at risk of being used as part of a botnet that allows hackers to perpetrate malicious activities.
Lorie Wigle, GM of IoT Security Solutions for Intel, explained that, because connectivity is being brought to devices that have never been enabled with access to the internet before, the impact of something going wrong with these devices is no longer isolated.
The thing is: Hackers aren’t interested in taking over a DVR to erase your favorite program or change up your recording schedule. As we’ve seen, they’re using them as entry points to launch bigger, and possibly more damaging, activities.
The Easy Way In
The most surprising revelation with IoT security is that it actually isn’t that hard for cybercriminals to find their way into connected devices to do harm.
Wigle said it can be as simple as identifying the large-volume shippers and manufacturers of the devices they want to target, tracking down the manual and counting on the fact that most people don’t update their username and password from the default credentials.
And the security researchers at Intel have seen hackers take advantage of a wide range of IoT vulnerabilities recently.
In helping one manufacturer to address its IoT security needs, researchers discovered vulnerabilities across an entire product line of the company’s devices — from smart plugs to smart coffeemakers.
Another example was found in a vehicle entertainment system used by aftermarket installers, which was running on an old version of Android and could easily be taken over by hackers if the consumer navigated innocently to a malicious website.
In both instances, another major motivator for hackers was identified: ransomware.
“Ransomware is an interesting motivator from an attack perspective,” Wigle explained, because it enables hackers to take control of a device’s connectivity (and functionality) until a consumer pays up.
This runs the gamut from locking someone out of their own house to turning up the volume of a car system until it’s unbearable, with the only remedy being to pay the ransom.
It may be nefarious, but even we have to admit it’s clever.
Inside The Mind Of A Hacker
That makes outsmarting hackers tough, but Wigle said one of the best approaches to beating them at their own game when it comes to IoT security is to try to think about potential attacks from their perspective.
Whether it’s a connected wearable or an internet-ready appliance, it’s about determining who would want to get to that particular device and what they could do once they have the access they are looking for.
That means understanding the threat model and then going through the process of designing appropriate security measures into the device so that those sorts of attacks can’t happen, Wigle explained.
Protecting smart devices from the threat of hackers comes down to safeguarding the connectivity of that device to the internet, which is a pretty big job.
Intel has found that a lot of the security solutions that have been developed over the last two to three decades for information or IT security actually have applicability when it comes to IoT.
But with IoT, which has different considerations since there is interaction with both physical and digital touchpoints, Intel keeps three things top of mind in building solutions: integrity, identity and functionality.
By building certain capabilities directly into its processors, Wigle said Intel strives to provide a foundation for security that a device maker can easily take advantage of.
This includes planning for integrity by ensuring a device or system hasn’t been tampered with from the moment a consumer turns it on.
Since most IoT communication is machine to machine, hardware-based identity is used to make sure that a device is getting data from a legitimate machine. And when sensitive data has to be manipulated, Wigle pointed out that this can be done in a trusted execution environment, where data is unencrypted only in a very safe and secure place on the device.
“That’s one level of activity we think is really important — getting that baseline hardware-based security in place — and we think it’s probably more important for IoT than a lot of other markets,” she explained.
The IoT Security Long Game
Though it’s important for connected device manufacturers to take advantage of the best security available to them today, Wigle noted that it’s even more important to make sure that security is operationalized for the future.
This is most relevant in markets where devices have a long lifespan.
Think about a smart car that a consumer may have for five to 10 years. The cyberattacks are going to change over that device’s lifetime, and the manufacturer needs to have a process in place to keep that device safe.
“There’s designing the security in, but there’s also how do you operationalize that and make sure that you keep it current during the life of the device,” Wigle explained.
Though there’s still much excitement in thinking about what’s possible with IoT and connected devices, the increasing threat of hackers has caused many to stop and think about how cybercriminals may perceive an opportunity before making it available in a device for a consumer or a business.
Wigle said it’s the notion of trying to futureproof these smart devices.
“You’re never going to have perfect insight,” she admitted, but explained that, in knowing that perfect insight is unattainable, the industry can work to accommodate the things that do come up and react to them in the right way.