Tread carefully in the uncharted Internet of Things

A gold rush mentality threatens to undermine security in the emerging IoT, and it will be up to business to demand more from manufacturers as standards evolve.

We're in the middle of a gold rush, according to BlackBerry's Dan Dodge -- a connected device gold rush that looks set to encompass almost all aspects of our lives. Dodge has a pretty good idea of what he's talking about given his role as the founding developer of BlackBerry's QNX Software Systems, which powers many connected devices.

And, while the Internet of Things (IoT) might be the hottest thing in the tech right now, it's not without risks.

"The danger is that right now there are no clear standards," Dodge recently said at a media event in New York. "In the absence of standards, people make their own -- especially consumer companies, where their only goal is to rush to market. People are putting operating systems down, they're sending data over clear text and they don't actually have proper device identification or secure communications."

That's why Dodge reckons the prospect of hackers taking control of appliances and objects within our homes isn't as far-fetched as it sounds.  

Dodge's concerns highlight the risks to business as industrial and commercial devices that were never intended to connect to public networks are plugged into the Internet of Things.

Hacking the hotel room

A good example of IoT vulnerabilities was demonstrated at last week's Black Hat Conference in Las Vegas. In one demonstration, Australian researcher Silvio Cesare showed how keyless cars and home security systems could be compromised by a determined hacker.

In another presentation, security consultant Jesus Molina described the flaws he found in a hotel's building automation system that allowed him to control almost every appliance in the property.

Last year Google's Sydney office was shown to be subject to a similar security problem when researchers from the Cylance security firm were able to access the building's management systems due to an out-of-date software package. Cylance warned there were possibly 25,000 other buildings vulnerable to the same problem.

Insecure devices are only part of the Internet of Things' looming security problem as the industry is as much about Big Data and cloud computing as it is about intelligent sensors.

As businesses start to collect customer data from wearable technologies, smartphones, cars and connected homes, the scope of risks from insecure devices within the office becomes immense.

Risks in the machines

The risks to businesses were illustrated last year by the massive credit-card hack on the US Target department store chain. Thieves found their way into Target's network through an air conditioning contractor's insecure systems.

Once in, the gang was able to access the store's Point Of Sale systems and hijack customers' credit card details.

Among other things, the Target hack showed just how vulnerable businesses themselves are to IT security lapses from unexpected vectors. The saga also exposed the payment industry's PCI-DSS standards as being little more than a box-ticking exercise.

Clearly, the Internet of Unsafe Things jibe is largely deserved and the industry's vendors have to win the market's trust by ensuring devices and the cloud services they depend upon are secure.

For companies like Cisco and BlackBerry, which see the Internet of Things as being a key part of their business plans, addressing customers' security concerns is critical.

"The Internet of Everything is not only turning every company into a technology company but it's going to force every company to truly become a company that delivers security," Christopher Young, senior vice president of Cisco's Security Business Group told a company conference in Melbourne earlier this year.

"If I'm using technology or I'm delivering a service that's leveraging technologies like cloud or connected devices and creating information about individuals or organisations through these connected devices then a consumer or enterprise is going to expect a level of security."

A problem of complexity

Young sees three major ways in which security is becoming more challenging for organisations: changing business models; a dynamic threat landscape; and increasing complexity.

Part of that complexity is increasing fragmentation in the sector as vendors like Apple and Google create their own systems while industry groups launch competing standards. A problem highlighted by Young's colleague and Cisco Chief Security Officer, John Stewart.

"They get so many products and so many devices and so many tools and so much complexity they really don't know, in so many cases, where to focus their efforts," Stewart said in releasing the company's 2014 security report earlier this year. "Even the most sophisticated and well funded security teams are struggling to keep on top of what's happening."

This problem is coupled with what security researchers describe as the 'industrialisation' of the malware world.

"It used to be some high-school kid in his room trying to infect a bunch of machines with viruses, or some guy from Nigeria sending you an email asking you for $100 and he'll give you $1000 later," says Young.

"The world we live in today has nation states and criminal syndicates and very well funded, very sophisticated attackers, so hacking has become an industrialised activity. There's supply chains involved, there's support agreements written; the bad guys will even sell each other a contract."

Young's views echo those of Sophos Labs vice president Simon Reed, who told Technology Spectator last year, "Now there's money involved, there's serious effort -- the quality of malware has gone up."

Geeks with broken minds

The quality of the online criminals is higher as well as Eugene Kasperski, founder of Russia's most successful computer security company warned the National Press Club last year.

"Traditional criminals are stupid," Kasperski said. "Computer criminals are different. They are geeks; geeks with broken minds."

Along with super intelligent criminals, another concern raised by Sophos' Reed is that older equipment isn't being patched to address security issues.The risk of unpatched devices is something starkly illustrated by the Heartbleed bug uncovered earlier this year. Addressing how legacy equipment is updated will be one of the challenges for the industry.

In some ways the Internet of Things sector is similar to the PC industry 20 years ago at the beginning of the web -- millions of computer systems that were never intended to be connected to public networks were suddenly thrown onto the internet. The result was a massive outbreak of viruses and the foundations of today's professional malware industry being created.

Standards as the solution

BlackBerry's Dodge sees the proliferation of industry standards as being the solution to the problem facing the Internet of Things.

"We're joining multiple organisations that all think they are going to define IoT standards," says Dodge.

"Again, it will be like the early days of the internet. If you go back and look at all the protocols and things that were looked at before the internet, ultimately IP won and a set of standards rose out of that, but it was first de facto standards."

Dodge sees a similar pattern playing out in IoT, with the de facto standards over time turning into official standards.

"At the end of the day, if the device and the back end can agree on the encoding of this data and how they index it, then we will be in good shape."

In the meantime, both businesses and consumers are going to have demand high standards of vendors to ensure their data is safe in the Internet of Things.

Paul Wallbank travelled to New York as a guest of Blackberry and to the 2013 Internet of Things World Forum as a guest of Cisco.