There isn’t a day that goes by now without another Internet of Things (IoT) security story. The details are lurid, the attacks look new and the tech is, well, woeful. You would be forgiven for thinking that nobody is doing anything about security and that nothing can be done; it’s all broken.
What doesn’t usually reach the press is what has been happening in the background from a defensive security perspective. Some industries have been doing security increasingly well for a long time. The mobile industry has been under constant attack since the late 1990s. As mobile technology and its uses have advanced, so has the necessity of security invention and innovation. Some really useful techniques and methods have been developed which could and should be transferred into the IoT world to help defend against known and future attacks. My own company is running an Introduction to IoT Security training course for those of you who are interested. There is of course a lot of crossover between mobile and the rest of IoT. Much of the world’s IoT communications will transit mobile networks and many mobile applications and devices will interact with IoT networks, end-point devices and hubs. The devices themselves often have chips designed by the same companies and software which is often very similar.
The Internet of Things is developing at an incredible rate and there are many competing proprietary standards in different elements of systems and in different industries. It is extremely unlikely there is going to be one winner or one unified standard – and why should there be? It is perfectly possible for connected devices to communicate using the network and equipment that is right for that solution. It is true that as the market settles down some solutions will fall by the wayside and others will consolidate, but we’re really not at that stage yet and won’t be for some time. Quite honestly, many industries are still trying to work out what is actually meant by the Internet of Things and whether it is going to be beneficial to them or not.
What does good look like?
What we do know is what we don’t want. We have many lessons from recent computing history showing that we ignore and neglect security at our peril. The combined efforts and experiences of technology companies that spend time defending their product security, as well as those of the security research community, so often painted as the bad guys (“the hackers”), have also significantly informed what good looks like. It is down to implementers to actually listen to this advice and make sure they follow it.
We know that opening the door to reports about vulnerabilities in technology products leads to fixes which bring about overall industry improvements in security. Respect on both sides has been gained through the use of Coordinated Vulnerability Disclosure (CVD) schemes by companies and now even across whole industries.
We know that regular software updates, whilst a pain to establish and maintain, are one of the best preventative and protective measures we can take against attackers, shutting the door on potential avenues for exploitation whilst closing down the window of exposure time to a point where it is worthless for an attacker to even begin the research process of creating an attack.
Industry-driven recommendations and standards on IoT security have begun to emerge in the past five years. Not only that, the various bodies are interacting with one another and acting pragmatically; where a standard exists there appears to be a willingness to endorse it and move onto areas that need fixing.
Spanning the verticals
There is a huge challenge which is particularly unique to IoT and that is the diversity of uses for the various technologies and the huge number of disparate industries they span. The car industry has its own standards bodies and has to carefully consider safety aspects, as does the healthcare industry. These industries and also the government regulatory bodies related to them all differ in their own ways. One unifying topic is security and it is now so critically important that we get it right across all industries. With every person in the world connected, the alternative of sitting back and hoping for the best is to risk the future of humanity.
Links to recommendations on IoT security
To pick some highlights (full disclosure: I’m involved in the first two), the following bodies have created some excellent recommendations around IoT security and continue to do so:
• IoT Security Foundation Best Practice Guidelines
• GSMA IoT Security Guidelines
• Industrial Internet Consortium
The whole space is absolutely huge, but I should also mention the incredible work of the IETF (Internet Engineering Task Force) and 3GPP (the mobile standards body for 5G) to bring detailed bit-level standards to reality and ensure they are secure. Organisations like the NTIA (the US National Telecommunications and Information Administration), the DHS (US Department for Homeland Security) and AIOTI (The EU Alliance for Internet of Things Innovation) have all been doing a great job helping to drive leadership on different elements of these topics.
I maintain a list of IoT security resources and recommendations on this post.
UMA – Unsafe Mobile Access?
I’ve been following Mobile Monday’s London chapter for a few years now and I know a few of the guys there, but I’ve never been able to get down to one of their events. I finally made it down to the April 2010 demo night and was suitably impressed by the number of attendees and the quality of the short 3 minute lightning presentations. I thought that I’d put a security spin on what I witnessed but ended up writing this blog on one particular presentation about ‘Smart Wi-Fi’.
Mark Powell from kineto.com talked about offloading data to Wi-Fi from the mobile. Increases in data traffic have caused some big headaches for operators, so this is clearly an attractive proposition for them. It is pre-loaded on some devices, partly because there are some custom APIs involved. It uses 3GPP GAN (Generic Access Network) as the underlying technology to get access to the mobile network and is also known under UMA (Unlicensed Mobile Access). Kind of like a ‘soft’ femtocell (I might even go as far as to say a potential femtocell killer). This is being marketed by T-Mobile as ‘Wi-Fi calling’ and Orange as ‘signal boost’. You’re going to get charged for your normal call on top of your broadband fee, but in general the benefit of having a better signal in the house is probably going to be quite attractive to people and may become a standard offering in the future. Kineto also explained that it helps avoid international roaming because once going Wi-Fi it will be just as if you’re in your home country.
As a paranoid security person, I always get a bit concerned when operators rush to a new technology to solve their problems (in this case network load). Converged technologies bring completely new threat scenarios which can re-enable old attacks with new vectors for achieving them. From a security point of view – there are some pretty obvious initial questions that spring to mind:
- What if you’re connected to a rogue router? Is any of my data going to be compromised?
- Is a man-in-the-middle (MITM) attack possible on the access point?
- Can fraud take place?
I searched around and found an interesting whitepaper from Motorola, produced back in 2006, which describes some high level threat scenarios: UMA Security – Beyond Technology. I also found Martin Eriksson’s thesis Security in Unlicensed Mobile Access. This states that the IMSI (International Mobile Subscriber Identity) is not secured well enough, leading to exposure of the subscriber who is attached to the router and therefore their physical location. Note that the thesis was written in 2005 and very much plays this issue down – in 2011 most readers would take a different view on this privacy breach. Issues with authentication and the potential for a MITM attack via the router allowing (fraudulent) free calls for other users of the access point all also seem to be areas of concern as the router would be open to data sniffing (particularly if it is a rogue access point in the first place). The problem here lies in the fact that the user is connecting to a less-trusted component than the normal mobile network, leaving them open to all sorts of potential attacks and manipulation.
Putting expensive hardware security into routers is not something I’ve seen and is difficult to protect – the problems with mobile device security often stem from the fact that you’re putting the device in the hands of your attacker to tamper and play with. There is already a healthy community for router hacking and modification around too, such as DD-WRT.
UMA applications on phones need to use shared secrets which are stored on the UICC. It would be interesting to analyse how well protected this data is on the device and whether it would be possible to snatch that data or even whether other attacks could be created on the UICC.
Although some of the issues here may have been addressed by the mobile industry, it seems that UMA could be a bit of a risk for users. (I’d welcome any comments or updates by the way from those in the know). The technology is probably safe at the moment as it is in its infancy and hasn’t crossed the radar of most of the hacking community. However, I for one, will be steering clear for now.