News & Updates

Securing the Internet of Things: I-Oh-No-T!

By Josée / May 20, 2015

Internet security has been an integral part of our history and our culture at AppHelp, so it was a real treat for me to attend the RSA Conference last month, the world’s largest info security event.

With horror stories like Target getting hacked through its air conditioning system, the Internet of Things, aka I–Oh no!-T, was under this year’s security scrutiny. One presentation after another exposed the extreme vulnerabilities in IoT devices, and stressed the importance for IoT device manufacturers, app builders and broadband internet service providers (ISPs) to establish common ethics, rules and standards to better equip us for what’s coming.

As Bitdefender notes in their coverage of the RSA conference:

It’s safe to say that the Internet of things can become a nightmare for everyone, unless security becomes a forethought and manufacturers rely on industry expertise to design security into their products.

Benjamin Jun, Chief Technology Officer at Chosen Plaintext, was one of the RSA speakers, and discussed the security implications of endpoints with us in an email interview:

Jun adds,

The IoT adds actuators and sensors to connected devices, essentially adding a muscular and nervous system to the Internet. Internet connectivity gives our physical world both unique addressability and global accessibility.

See Jun’s presentation slides: Endpoints in the New Age: Apps, Mobility and the Internet of Things

SMART HOME / NOT-SO-SMART SECURITY

The Cryptographers’ Panel was of particular interest for me, as we’ve been tackling security issues related to the connected home for years now.

Professor Adi Shamir, co-inventor of the RSA algorithm, shared his thoughts on the future of security, beginning with his 3 laws of security, a reality-check that threats will always exist and manifest themselves in new ways.

He then shared a story about how his team was able to hack one the most popular automated lighting systems on the market through a light dimmer app that they built as an experiment.

The first weakness was found right in the installation process:

The user sets up a temporary, unsecured Wi-Fi system and then the password is passed on to the light controllers, totally un-encrypted. We did a small experiment […] and built a small app that allows us to very rapidly change the amount of light from 100% to 95% . The human eye doesn’t notice it at all. […] You can leak any information which is available within this perimeter by rapidly flickering and changing the amount of light.

Most end-users that have an issue with their IoT device, will turn to their Internet Service Provider (ISP) and support teams need to be equipped with the knowledge and technology to help safely install, configure and fix their IoT devices.

OWASP TOP 10 PROJECT AND THE STANDARDIZATION OF IoT

There are many initiatives trying to push for better security standards for the IoT industry such as OWASP (Open Web App Security Project) Top 10 Project – a non-profit community that judges the security of the web app landscape and how much is open to an external attack.

Unfortunately, IoT devices are not designed with security in mind and adding to the security weaknesses of connected devices, are the vulnerabilities in the local area networks they’ll be installed on.

Research over the past several years [has shown] that if there’s anything worse than the security of IoT devices, it’s the security of consumer routers. – Lucian Constantin, InfoWorld

IoT puts user-experience first to get people to adopt quickly, but security for these devices is being overlooked. Though adopting best practices and standardization is necessary now, many like HP’s Daniel Miessler, project leader on the OWASP IoT and OWASP Mobile Top Ten projects, also a RSA speaker whom we interviewed, told us that measures will likely come into effect after it’s too late:

See Miessler’s presentation slides: Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project

HOW CAN ISPS PROVIDE BETTER IOT SECURITY TO THEIR CUSTOMERS?

Internet service providers now have an opportunity to become their customers’ trusted IoT advisor. With the amount of connected devices multiplying every day, ISPs are going to be handling more connectivity and interoperability problems. The industry has a lot to catch up on but what we can do today is guide new device owners through a secure flow.

A tech support agent can’t make the device inherently secure, but they can help the user avoid the pitfalls.

Miessler sees the role of providers as instrumental in ensuring new devices people bring home have a secure configuration,

I think one thing that providers can do is be ready to monitor and prevent abuse against IoT systems that enter and leave their networks. There will likely be millions of vulnerable devices before long, but the attacks may have distinct signatures that can enable them to be observed and stopped.

THE ROLE OF IOT ADVISOR IS UP FOR GRABS

According to a Parks & Associates report, approximately 39% of connected home device owners reported issues with their devices in 2014 and the top problems encountered by device owners were connectivity and interoperability.

As consumers’ digital lives become more complex, a trusted IoT advisor can bring them value and peace of mind. For example, our PTS agents can assess the security level on a customer’s home device and provide recommendations to ensure their endpoints are minimally protected.

AppHelp can help you provide customers with greater value and peace of mind, and become their trusted IoT advisor. We offer all the call center resources, technology, tools and operational expertise you need to quickly and cost-effectively solve your customers’ IoT problems through our award-winning Tech Support Services program.

LEARN MORE ABOUT SUPPORTING THE INTERNET OF THINGS

Download our eBook How to Support the Internet of Things to learn how to cost-effectively provide tech support for the Internet of Things and become your customers’ trusted IoT advisor.