IoT meets cyber security
Paul Ritchie, Senior Penetration Tester at Secarma talks about his experience at the CENSIS and SICSA Cyber Security workshop in Edinburgh.
CENSIS and SICSA (the Scottish Informatics and Computer Science Alliance) organised an ‘IoT meets Cyber Security’ workshop in April 2017. In the room were a mix of academics, industry experts, and curious minds.
What I got from the talks can be summarised as:
- The legal and moral issues of the impact of IoT are not fully understood. Do the current laws: DPA, Human Rights Act, and Computer Misuse Act offer enough protection?
- The basics of Cyber Security are not being applied to each IoT device. Hard coded passwords, plain-text transmission of data, and inadequate means of patching flaws lead to a fertile ground for exploitation.
- IoT is going to need Cyber Security assessment during the development stage rather than deployment.
- Stephen Milne (CENSIS) explained how CENSIS supports innovation. IoT is being driven on newer low power wide area networks (LPWAN) such as LoRaTM which allows devices to operate in situ for around 10 years without changing batteries. It is also less expensive to connect to LPWAN rather than to traditional mobile networks
- Chris Speed (Design Informatics, University of Edinburgh) talked about how IoT devices will increasingly have wallets. Devices will have spending power – your washing machine might get you a better deal on washing powder! Our future relationship with money is going to change, possibly with GPS or Geofencing-based deals. Imagine a train ticket that will automatically cost you less if your train is delayed.
- Chris Johnson (School of Computing Science, University of Glasgow) explained how enabling industrial control systems to communicate could be dangerous. Chris gave a serious talk about how nation states can and do attack each other by exploiting the security of control systems. Despite having two opportunities to reference the Die Hard series, he didn’t do so. Making him a better man than me.
- Angela Sasse (Human-Centred Systems Research Group, University College London) started her talk with: “Data is the new oil!”. Users are unaware of the sensors that their devices have and don’t understand the abstract permission models of apps being installed on those devices. The core of the talk was “The Biggest Lie!”. The biggest lie in this gold rush is that users a) read and b) understand the terms and conditions. It is simply not possible to understand the terms for most humans. We need to make IoT systems with security that is usable and out of the box.
- Rob Graham (Microchip) stated that “all IoT security problems discussed today have been discovered AFTER release”. Put simply this means that products are being put on shelves without security assessment. Hardware manufacturers need to provide a secure firmware update mechanism to enable after release patching.
- Bill Buchanan (Centre for Distributed Computing, Networking and Security, Edinburgh Napier University) then gave an engaging and interesting talk, ending on a tech demo of how to attack a WPA2 with Pre-Shared Key (which is the ‘wireless password’ you freely give to visitors to your home). The IoT angle was how insecure web cams with default credentials were used to crash the DYN service.
What I get from all of this is that there is a brilliant opportunity for IoT to enable and empower people. But people are too busy dreaming up and prototyping devices. They are not taking time to pause in the development life-cycle to consider the security of the device. Instead, terms and conditions are sometimes used to foist responsibility on the end user in ways that the user is ill equipped to deal with.
It also has the challenge that the vendor is not able to simply patch in the way that traditional products in a client-server model have been. It is easy to supply a code fix to an application when it is hosted on your server – but IoT devices will be in various locations and may not be able to dial home.
The answer is that security assessment must take place during the development life-cycle. IoT developers would benefit from engagement with security and legal experts at the development stage of their products.
Thanks to Paul Ritchie of Secarma for this article.