Every year, we seem to own more Internet of Things (IoT) devices. It should come as no surprise that as everyday products come online with Bluetooth or Wi-Fi, the number of attack vectors aimed at individuals and businesses is increasing at an alarming rate. We live in a trusting consumer culture that is more concerned with functionality and ease of use than with privacy and security. When it comes to protecting their security, IoT device users follow one of a few paths. The first group is more digitally aware and assumes, possibly correctly, that nothing on the internet is private or secure, and that the use of any service has a risk associated with it. The second, more trusting or naive group assumes that the services they use either have no critical data to share or are going to lengths to secure the data being accessed. There is a third, less trusting group of users who may choose not to participate in systems that do not have basic information security. The primary problem for these users is that soon, everything will be internet-enabled. Your toaster will be online, your refrigerator may already be online, and baby monitors and other video and audio systems are already online and being accessed by unauthorized users. Security-conscious users may have to choose between quality of life and digital security.
This stems from the fact that appliance and device manufacturers are hardware companies rather than software security companies. Their priority is the marketability of the term ‘IoT’ in conjunction with their products, or the functionality that the internet can enable. Smart refrigerators will order your milk. They will keep track of your eggs’ expiration date. They will poke a hole in your home Wi-Fi network or access the internet directly. These are consumer products with internet functionality, not network security devices. Given that a large portion of computer users do not keep their computers up to date, what are the odds that these people will do it for their toasters?
These security and software maintenance issues are not limited to consumer devices, however. In season one of Mr. Robot, a Raspberry Pi was used to mimic a thermostat and drive the temperature in Big Evil’s data center high enough to destroy the servers in it. One of the entertaining aspects of this show is that most (if not all) of the technical details are accurate. A hack to replace a networked thermostat could be executed if the hacker knows the correct protocols for the thermostat in question. Security-minded organizations, where it is mission-critical for updates to be maintained, still end up running software with security flaws. While some of these problems are human failures, there are situations where there may not be a secure option for a needed function, such as a simple network-enabled thermostat in a data center.
Though IoT devices present a significant risk, not all of that risk is limited to data. Some cases can involve actual life-and-death risk. In 2015, Wired magazine wrote about a Jeep Grand Cherokee being hacked through its entertainment system while traveling at 70 miles per hour on the highway. Hacking is a known concern in the automotive industry. Numerous instances of hacking demonstrate the ability of a bad actor to disable brakes, control acceleration, or access most other systems in the vehicle. This Wired article sparked conversation and extensive coverage in 2015, but the problem remains and vehicles are still being hacked today.
So where do we go from here? We know that consumer devices are notoriously out of date with their software updates. The owners of those devices may not even be aware that those devices are internet-enabled. Internet-enabled devices that utilize a simple identity implementation (similar to the one used by the Factom Blockchain) can limit access to specific devices or entities. The allowable device identities are then accessed and maintained on the blockchain without the need for consumers to update the software on their devices. Blockchain can rewrite the story on IoT’s security problem.