Let's say the most honest salesman in the world would like to sell IoT solutions to a medium-sized company. Maybe something in the field of Smart Maintenance, or maybe isolated IIoT devices. Whatever it is, the price is king and of course the CEO of the company will be happy if this deal can be handled particularly cost-efficiently. But first of all, the salesman, because of his pleasant honesty, sends out the warning that these IoT solutions will become part of the company’s network, are virtually impossible to protect, are a ridiculously open gate for various types of attacks, and a compromised network will seriously mess up the CEO’s day. What are the odds that the deal will be closed? And why are IoT devices of all kinds still a huge business? Because they are sold without warning.
What makes a Trojan horse so interesting is its “wow” effect. After ten years of fighting against the Greeks, the Trojans thought that the horse was a sign of their victory and took it into their city, which backfired quite a bit. According to current statistics, Trojans as malware are still very widespread, but most Internet users know what Trojans are and what can be done to avoid possible dangers. IoT devices (on our IoT World you will find a detailed definition) still have this charming surprise effect of the good old days and therefore really deserve to be called Trojan horses. IoT attacks were up 600 percent in 2017! They are the Trojan horses of our time. So, why aren't IoT devices just made safer? This question deserves a headline.
In a nutshell, because of these three reasons:
We do not buy an IoT device because it is a comprehensively well-thought-out piece of technology, but because it amazes us with futuristic features and makes certain things smart. The intelligent refrigerator or the IoT lamp do not reinvent the refrigerator or the lamp, but they radiate the fascination of innovation. That's why they are built and that's why they are bought. This does not of course mean the same for industrial solutions, but many parallels can be drawn. User studies, as part of the design process, will always come to the conclusion that IoT is a new, fascinating market and the typical IoT users of the first hour seek novelty or usefulness, not security.
IoT devices became attractive to the mass market by becoming increasingly cheaper and in this competition the price makes all the difference in the world. The average cost of IoT sensors is falling and by 2020 it will be around $0.38. Even manufacturers of specialized IIoT equipment are in fierce competition with one another. Spending a lot of money on the development of better security features does not make sense for manufacturers. The industry wants to achieve favorable prices through mass purchasing. And for consumers, from 2013 onwards, it took a few euros less and a couple of beautiful pictures on Amazon product pages to make IoT devices successful. We humans are a cheap audience.
In part, this also relates to the design process and user studies. But it is an attitude shared by both sides, users and manufacturers alike. And because it seems business-damaging to slow down a growing market with security concerns, nobody talks about it.
So:
IoT devices cannot be completely monitored; no matter what you do, some residual uncertainty remains. Even if the devices have been specifically deployed by a company's IT department, traditional corporate security measures, such as firewalls, do not work. IoT devices can only be controlled to a limited extent by the IT team because they operate beyond the company's own closed systems.
However, now comes a three-part list of considerations that don't provide complete security, but come as close to “peace of mind” as you can get with IoT devices.
It makes a lot more sense to pay attention to the most important data, i.e. the data stored on the device and used by apps, than to protect the whole device. To secure this data, you do not need to secure the entire IoT device. It is sufficient to have a separate area or container in which this data is stored. Many companies first look at the cloud to secure data from IoT devices. But as soon as a mobile IoT device contains sensitive data (for example the device ID or payment tokens), it becomes a worthwhile target for hackers. If the IoT fleet is managed through a central administration portal and that portal is taken offline, it can no longer report attacks to the individual devices.
Because IoT devices are predominantly mobile, it is very difficult to prevent malicious applications from communicating with them. One way to do so is to store the device ID in a trusted area. There you can define who is allowed to communicate with the device at all, by tying access to the device ID to secure credentials (such as biometric identifiers or a PIN). The credentials can be assigned to both individuals and organizations and can be stored locally in a secure area such as a secure element.
Monitoring, no matter how sophisticated, cannot directly detect whether an IoT device has become the gateway for an attack. But there are knock-on effects that can be identified. As mentioned above, an IoT device usually becomes part of the network. At the network switch, a monitoring tool can recognize when an unusually high amount of traffic occurs on a specific port. Pattern recognition can also flag unusual traffic in the network, for example when two devices suddenly communicate with each other although they never have before. A warning is then sent to the sysadmin, and the device in question should be located quite quickly.
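The two indicators just described, a conversation between devices that never talked before and an unusual volume of traffic on one port, as a small detector over constructed flow records (an added example, not code from the original post; device names, ports, byte counts and the threshold parameters are made up for illustration):

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (window, src, dst, dst_port, bytes), the shape a
# switch or flow collector would export. Windows 1-3 are the learning period.
BASELINE_FLOWS = [
    (1, "sensor-01", "mqtt-broker", 8883, 12_000),
    (1, "sensor-02", "mqtt-broker", 8883, 11_500),
    (2, "sensor-01", "mqtt-broker", 8883, 12_400),
    (2, "sensor-02", "mqtt-broker", 8883, 11_900),
    (3, "sensor-01", "mqtt-broker", 8883, 11_800),
    (3, "sensor-02", "mqtt-broker", 8883, 12_100),
]
# Window 4: normal telemetry plus the two indicators the post describes.
NEW_FLOWS = [
    (4, "sensor-01", "mqtt-broker", 8883, 12_100),
    (4, "sensor-02", "mqtt-broker", 8883, 11_600),
    (4, "sensor-02", "sensor-01", 23, 900),           # devices that never talked before
    (4, "sensor-01", "file-server", 445, 4_800_000),  # volume spike on one port
]

def learn_baseline(flows):
    """Learn which (src, dst) pairs talk and the per-window byte volume per port."""
    pairs = set()
    per_port = defaultdict(lambda: defaultdict(int))  # port -> window -> bytes
    for window, src, dst, port, nbytes in flows:
        pairs.add((src, dst))
        per_port[port][window] += nbytes
    return pairs, {port: list(w.values()) for port, w in per_port.items()}

def detect(flows, pairs, port_history, k=3.0, min_bytes=100_000):
    """Alert on conversations absent from the baseline and on ports whose volume
    exceeds mean + k*stdev of their history (floored at 5% of the mean so a flat
    history does not alert on any small rise); unseen ports alert at min_bytes."""
    alerts, by_port = [], defaultdict(int)
    for window, src, dst, port, nbytes in flows:
        if (src, dst) not in pairs:
            alerts.append(f"new conversation {src} -> {dst}:{port}")
        by_port[port] += nbytes
    for port, total in by_port.items():
        hist = port_history.get(port)
        if hist is None:
            if total >= min_bytes:
                alerts.append(f"unseen port {port}: {total} bytes")
        elif total > mean(hist) + k * max(pstdev(hist), 0.05 * mean(hist)):
            alerts.append(f"volume spike on port {port}: {total} bytes")
    return alerts

if __name__ == "__main__":
    for alert in detect(NEW_FLOWS, *learn_baseline(BASELINE_FLOWS)):
        print("ALERT:", alert)
```

The baseline should be learned from a period you trust to be clean; with real flow data the window length and `k` need tuning per network so that regular batch transfers do not trip the volume check.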
Let’s internalize the image of the Trojan horse. It sucks to lead a battle for ten years without winning. But then to finally lose because you don't give a second thought to the inside of a wooden horse sucks even more. We're still at the beginning of IoT security. But it will probably not be a ten-year odyssey until the importance of security in the IoT environment has become firmly established in people's minds everywhere.