Security Sidebar: Defending The Internet of Things
Many experts predict that the number of devices connected to the Internet will top 50 billion (with a "B") by the year 2020. In fact, the following diagram shows that, on average, every person on the globe will have ~3.5 connected devices by next year. I know I'm doing my part to contribute. After all, I have several connected devices even today: Smart TV, Blu-Ray player, PlayStation, laptop, iPad, iPhone, etc. And that's just me!
You don't have to look far to find an Internet connected device. We have connected cars, eye glasses, running gear, door locks, weight scales, refrigerators, thermostats, even basketballs! Remind me again why we need an Internet connected basketball? Speaking of...I wish someone made Internet connected golf balls; then I wouldn't have to spend so much time searching for my tee shot.
In the near future we will see things like toothbrushes get connected to the net. I recently read a quote from an executive at a toothbrush company who, when asked about Internet connected toothbrushes, said "There are people who are very passionately waiting for it." I'm not sure who those people are, but I'll bet you can pick them out of a crowd with their brilliantly white smiles and minty fresh breath! Even the kids are getting involved in this. Baby monitors are already connected, but pretty soon we will connect to car seats and children's kitchen utensils. Remind me to check the upper limit of IP addresses allowed on my wireless router. I might need to upgrade pretty soon!
Clearly this is a very limited list of the many, many things that are currently or will soon be connected to the Internet. With this onslaught of connected devices, the hacking space for nefarious Internet users is getting so big that they almost can't miss when they launch their attack tools these days. The following chart (created by MIT's System Design and Management Program) shows a comparison of knowledge needed to launch an attack and the sophistication of the attack being launched.
Many times it's the simple things that allow attackers to be successful. Things like default passwords that are not changed, software patches that are not installed, firmware upgrades that are not completed, etc. Some of the devices that make up the "Internet of Things" (or the Internet of Everything as some are calling it now) are very easy to configure and update, and some are not. If my laptop or router has a recommended software patch or firmware update and I fail to install it, then bad on me...I'm just keeping the door open for the bad guys to use their tools against me. But sometimes it's not that simple. The new Internet connected refrigerator you just bought might not even have an upgrade available. In that case, I'd recommend doing whatever you possibly can to secure the device...if nothing else, see what you can do to change the default password on the thing.
In my former life, I routinely analyzed cyber attacks for a major Department of Defense organization. Many times, successful attacks would have been thwarted if the admin or user had simply updated patches, changed default passwords, etc. After an attack, we would conduct a "hotwash" where we would discuss what was done correctly and what needed improvement. In some cases, we were fortunate to have a friendly attacker who would outline exactly how the attack took place and what we could do to stop it (or slow it down) the next time. Each attack was a little different, but I noticed a pattern of unpatched systems being targeted the most. I'm not saying the attackers will never get in if you apply all patches and recommended firmware updates, but it might make them look at the next guy to see if he is an easier target! So, do the little things right.
John Wooden coached the UCLA men's basketball team to a record 10 national championships in 12 years...no one else has ever come close. When asked about how he achieved such great success, he said "It's the little details that are vital. Little things make big things happen." I would agree, and I would add that, in the case of security and keeping Internet attackers at bay, little things keep big things from happening...and that's what you want!
The Internet of Things is becoming (and has become) a tough landscape for security professionals. F5's own Lori MacVittie wrote a fantastic article where she highlights security challenges associated with the Internet of Things.
So what can you do in the face of this daunting road ahead? Should you just not buy any Internet connected devices? No, go ahead and buy them...just remember to do the little things right.