Last week at APNIC 38, Eric Vyncke from Cisco had an interesting presentation on the threat horizon of wide scale deployment of the Internet of Things (IoT).
Small, simple devices such as thermometers and home recorders don’t always get the security attention they deserve and can become wide-ranging distributed denial of service (DDoS) threats.
But it gets worse. Small programmable devices like insulin pumps are becoming ‘smarter’ so they can be instrumented and become more useful for medical practitioners. While this offers benefits, the risk this time isn’t misuse to attack third parties, but the lack of security protecting the device itself.
Eric observed that cities with older infrastructure depend on systems which pre-date the ubiquitous Internet, and so end up relying on a simple ‘air gap’ defence for their utilities and supply: it’s not online, so it’s lower risk! These devices can have a lifetime of 50+ years. Many of the buildings are very unlikely to have been retrofitted, yet, aside from missing out on power cost savings, their systems have continued to function well over that lifetime.
It’s somewhat odd, then, that newer buildings which deploy smart systems are actually candidates to be weaker in the long term… because the cryptographic algorithms ‘burnt in’ to the devices were chosen under assumptions that probably won’t hold for the device’s lifetime: an algorithm’s resistance to brute-force attacks is unlikely to last that long.
Can we be sure over a 25 or 50 year lifetime that the system is defensible? The evidence of DES and 3DES protected systems is that we make far too optimistic assumptions about future attack risks. A 20 year lifetime will be challenging, let alone 50.
Paul Vixie from Farsight Security mentioned another good example of IoT security risks later in the conference – a smart lightbulb which turned out to be not so smart. In this example, Paul said the lightbulb could be easily polled to find out the network’s wireless password. He explains more in the video below.
Clearly, for the IoT to become a reality, a lot more planning and rigour is going to need to be put into securing the many millions of new devices connecting to the Internet.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.