But it’s Just a Light Bulb, Does it Need All This Security?
A version of this blog was published by S&P Global Market Intelligence.
In IoT security, one of the common arguments is about “how much security” a given device needs (as if we could measure that in grams). The typical example is usually a light bulb. The objective in asking the question this way is usually to vacate some or all of the security requirements for that class of device; the real question we care about, however, is the security available to protect the network, not just the device.
The light bulb question tricks us into thinking in the wrong frame: it focuses on the device and not the network.
- Why would anyone attack this?
- What would they do if they compromised it, turn my light on and off?
If an attacker were able to compromise the light bulb, they might initially test the compromise by switching it off and back on, but after that they would likely do nothing else that would signal that they have gained control of the device. The likely target was never the light bulb; it is just a means to an end and one step in a larger attack.
The light bulb is an interesting initial attack target for several reasons. One of the most pertinent is that the bulb has constant power. The light may be off, but the “smart” element of the bulb is awake and listening to network traffic. The bulb also has a network stack; this is how it communicates with the smart light switch, the rules engine, the family hub, or the owner's phone. This bulb isn’t just listening, it’s also transmitting on that network.
To do this work, the bulb also has a processor; since custom hardware is expensive, that processor is likely a general-purpose part capable of many functions (so that it can be reused in other IoT devices). The light bulb also has storage for maintaining state, auditing, and communication, and memory to run the operating system and the network stack. The bulb also includes drivers for the filament, LEDs, coloration, and dimming. Most importantly, when we onboard the light bulb into a network that allows us to control it, we provision that device with networking credentials.
These characteristics of the smart bulb, together with the very small chance that a compromise is ever discovered and the even smaller chance that the user will update its firmware or operating system, make it an excellent first point of attack on a network. Once the bulb is compromised, the attacker can quietly watch the network, potentially interact with other devices on the same network (including cameras and sensors), spoof other devices, and even trigger physical actions that could compromise the safety of the home’s inhabitants (e.g. by instructing the front door to unlock or turning the oven on).
It’s unlikely that anyone - other than a prankster or the neighbor whose house you insist on parking in front of - wants to turn your light off and on. That said, the likelihood of other malicious attacks, the ability to gain access to your network and to the other devices in your home make the light bulb a perfect first step in an attack. A well-known cybersecurity attack principle is lateral movement. An adversary compromises a less protected target on a network and then uses that device or system as a pivot point to perform reconnaissance, move laterally in the network, escalate privileges, and finally reach their objectives.
The ability to find devices such as a light bulb and attack them has never been easier; adversaries can use device identification tools (e.g. shodan.io) to find these light bulbs (both online and as a pin on a map) and then attack them. Some of these light bulbs provide discovery and introspection information that may make for easy interactions within the home but also allow attackers to look up specific attacks based on known vulnerabilities in that bulb’s device and firmware version. These attacks are carried out either locally from a radio within the attacker’s car, or from across the globe, if they’re internet-connected.
Once the light bulb is compromised, they can move laterally across the rest of the network, attempt to escalate privileges, interact with the other devices, and even use other legitimate devices to spoof interactions with outside equipment, other internet-connected services, or other bridged devices within the home. Underestimating the importance of security for every device leaves holes in network security and exposes the owner to risk (financial, privacy, safety, litigation, and well-being). It’s not just a light bulb, it’s the network, and that network needs strong security.
At CableLabs, we are partnering with manufacturers and working to protect consumers and their networks; to do this, we are contributing device security expertise to IoT standards bodies like OCF and to open-source initiatives like IoTivity. Please join us in these initiatives, either as part of the creation and engineering process or by leveraging this work in your devices.
IoT Security – Insight on Trends, Challenges and the Road Ahead
The Internet of Things (IoT) industry isn’t part of the “Near Future” - it’s already here and growing rapidly. The Wall Street Journal hails IoT as the next Industrial Revolution and, according to Cisco, there are currently 4.9 billion connected devices today with an expected 12 billion by 2020. The fully matured result of this rapid growth is a $6 trillion industry.
AT&T's Cybersecurity Insights Report surveyed more than 5,000 enterprises around the world and found that 85% of enterprises are in the process of or intend to deploy IoT devices. Yet a mere 10% of those surveyed feel confident that they could secure those devices against cyber attacks.
The big question that emerges as individuals think deeper about the implications of almost every device being connected is: “How do we keep our devices secure?”
To further our discussion on IoT Security from our Insight paper, we talked to Kyrio’s Director of Business Development, Security Services, Ron Ih, to get expert insight into one of the most pressing questions in tech today...
What is the most important IoT security trend we are seeing this year?
As consumers and businesses adopt more IoT devices and threats continue to multiply, securing those devices easily and at scale has become a daunting task. We are seeing more specialized security tools and processes specifically for IoT devices this year, in particular the use of digital certificates and public key infrastructure (PKI) to enable a more secure onboarding process.
“‘Onboarding’ is the process by which a new device is connected and added to the network and the local IoT ecosystem. Onboarding includes the process for authentication, authorization, and accountability of that new device.” -- A Vision for Secure IoT
Digital certificates are issued and signed by a reputable source, often referred to as a Certificate Authority or Root of Trust. Like a digital identity card, devices exchange digital certificates to cryptographically authenticate each other’s identity and origin. In other words, authentication credentials allow you to prove you are what you say you are. As the IoT Security Informed Insight explains, “not only do digital certificates increase security, they enable a better customer experience (e.g. no PIN to enter.)”
The cryptographic signatures within the certificates cannot feasibly be forged or re-created unless you have the proper private key at the source. You can read more about the authentication process, digital certificates and PKI here.
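To make the certificate exchange concrete, here is an added example in Go (standard library only); it is not code from the original post, from Kyrio, or from CableLabs. A constructed “Root of Trust” CA issues a certificate to a bulb, and the network-side verifier accepts the device only if its certificate chains to the trusted root and it can sign a fresh challenge with the matching private key. The CA names, the `bulb-0001` identifier and the rogue CA are constructed for the demonstration, and `issue`, `signChallenge`, `authenticateDevice` and `onboardingOutcomes` are hypothetical helpers, not an API from OCF or IoTivity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// check aborts on setup failures, which here can only mean a broken entropy source.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a P-256 key pair and a certificate for name. With caCert == nil the
// result is a self-signed root (the "Root of Trust"); otherwise the CA key signs a
// device certificate. A device keeps its key and sends only the certificate.
func issue(name string, caCert *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // real CAs use random serials
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	parent, signer := tmpl, key // self-signed unless a CA is given
	if caCert == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		parent, signer = caCert, caKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// signChallenge is the device's side of onboarding: proof of possession of the
// private key by signing a fresh nonce chosen by the verifier.
func signChallenge(key *ecdsa.PrivateKey, nonce []byte) []byte {
	digest := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	check(err)
	return sig
}

// authenticateDevice is the network's side: the presented certificate must chain to
// our root, and the signature over our nonce must verify under the public key in it.
func authenticateDevice(root, presented *x509.Certificate, nonce, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := presented.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("certificate does not chain to the trusted root: %w", err)
	}
	pub, ok := presented.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("challenge signature invalid: presenter lacks the private key")
	}
	return nil
}

// onboardingOutcomes reports which of three attempts the network accepts: a genuine
// bulb; a bulb with the same name certified by an untrusted CA; and an impostor
// holding a copy of the genuine certificate but not its private key.
func onboardingOutcomes() (genuine, rogueCA, stolenCert bool) {
	root, rootKey := issue("Example Home Root (constructed)", nil, nil)
	bulbCert, bulbKey := issue("bulb-0001", root, rootKey)
	rogue, rogueKey := issue("Rogue CA (constructed)", nil, nil)
	fakeCert, fakeKey := issue("bulb-0001", rogue, rogueKey)
	nonce := make([]byte, 32) // the verifier's fresh challenge, never reused
	_, err := rand.Read(nonce)
	check(err)
	goodSig := signChallenge(bulbKey, nonce)
	fakeSig := signChallenge(fakeKey, nonce)
	genuine = authenticateDevice(root, bulbCert, nonce, goodSig) == nil
	rogueCA = authenticateDevice(root, fakeCert, nonce, fakeSig) == nil
	stolenCert = authenticateDevice(root, bulbCert, nonce, fakeSig) == nil
	return
}

func main() {
	g, r, s := onboardingOutcomes()
	fmt.Printf("genuine=%v rogueCA=%v stolenCert=%v\n", g, r, s)
}
```

Run it with `go run`. The third case is the point of the sentence about forgery above: a copy of the genuine certificate is public information and buys an impostor nothing, because the signature over the verifier's nonce cannot be produced without the private key, and the rogue CA's certificate fails at the chain-building step before any signature is even examined.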
What are the main challenges facing the IoT industry today?
The challenges are multifaceted, but the three most common I see are:
- While many companies are beginning to explore solutions, most device makers do not have security experts and are unprepared to manage security complexities
Device manufacturers and security companies have traditionally operated in two quite separate worlds.
Device manufacturers operate in a world of physical devices, often on the scale of hundreds of thousands, even millions of devices manufactured each year. Tightly managing inventory, bill of material costs, and just in time delivery are essential to remaining competitive. Device manufacturers work with firmware and small footprint applications, often with limited compute power and storage. Security can be limited to that which is only essential, in order to keep costs down and delivery times short. This market is generally characterized by tens of thousands of small to medium sized companies that individually might not drive very high volumes, but in aggregate ship billions of devices.
Security companies have traditionally operated in the world of enterprise computing, networking, and web servers and web applications. These accounts are typically characterized by large corporations with IT groups and staff or consultants that specialize in security. Generally, these are large companies, banks, data centers, health care providers, etc. where there may not be a physical product, but valuable data that is stored in vast database servers. The data enables services and usually involves personal and/or financial information that must be protected.
As you can see, this can result in a large mismatch between what a device maker needs, and what a security company is equipped to provide, resulting in the two parties talking past each other. As a result, device security often doesn’t get implemented properly. This is not because the device maker doesn’t want to do it, but because they are not effectively guided on HOW to do it.
- In the pressure to meet product schedules and quarterly earnings, device security is often omitted or left as an afterthought because it currently takes too much effort and cost to understand and implement it
People often hear that cost is the reason for not implementing security, but misinterpret where that cost lies. There is indeed strong pressure to lower BOM costs, but the larger cost is often in the staff a company needs just to understand security itself. Whether it is allocating brain cycles from existing staff or new hires, headcount is generally one of the largest costs a company incurs. Understanding takes brain cycles. Brain cycles = time. Time = money, big money.
If we are to address the IoT security issue effectively, we need to address the time aspect of implementing security.
- Although IoT has existed for some time now, the market pressure to go wireless leaves devices more vulnerable to attacks
Autonomous networked devices have existed for quite some time already, but have primarily been implemented on wired networks on a relatively limited scale, using general purpose computers. However, with the relentless march of Moore’s Law, microcontrollers have advanced to the point where even a very small, inexpensive chip can operate a full TCP/UDP network stack in addition to managing a wireless radio. This high integration and lower cost have driven the market towards the adoption of small, wirelessly connected autonomous devices. In addition, the convenience of wireless connectivity has increased the scale of adoption to levels that are orders of magnitude greater than we have ever seen before.
Every device that is connected to your network is effectively a user on that network. Would you let a human user onto your network without verifying their identity? If you wouldn’t do that, why would you let a “device” do it? I put “device” in quotes because, in a network environment, you can’t always be sure if something claiming to be a device actually is what it says it is.
The justification for omitting security I often hear is “there is nothing important on that device”. That is the data center way of thinking about it where you are protecting what is directly on the system where security is implemented. My response is usually this, “You are absolutely correct. No one cares about what’s on the device. They care about the network it’s connected to.” That usually gets them to rethink their position. Insecure devices provide a foothold on the network to attack higher value devices or capture sensitive data.
How can companies work to ensure better security in their IoT products?
- Businesses need to stop looking at security as a burden
Instead, businesses should leverage security as an opportunity to improve customer experience and revenues. Consumers don’t buy security for security's sake, they buy products that make their lives easier and more convenient. If a product is secure, it improves the customer experience.
- A holistic approach to security must be addressed at the design stage of a device
To bring products to market faster, it’s easy to fall into the trap of a “sell now and we’ll patch it later” mentality. It’s nearly impossible to predict every security issue that may arise, so manufacturers need to consistently ask themselves: “How would this feature play out over time?” and “How do we do this in a way that’s scalable and secure over time?” Retrofitting security midway through the product lifecycle generally doesn’t work nearly as well and often sets you up for failure.
- Businesses must understand what “security” actually means and look for solutions that are easily digestible if they don’t employ security experts
Device makers need to understand what security actually means and what it is. Just because you use encryption, doesn’t mean your device is secure. The biggest element of security is not encryption, but authentication: identify who you are communicating with and be able to verify it.
As IoT devices gather more information about us and our daily lives, consumers and businesses must pay more attention to the security risks and vulnerabilities. As Chris Connors, the General Manager of Internet of Things Offerings at IBM, states: “This means that device manufacturers, application developers, consumers, operators, integrators and enterprise businesses all have their part to play to follow best practices.”
You can find more information on IoT security here. Don’t forget to subscribe to our blog for more information on IoT in future blog posts.
The Benefits and Challenges of a Connected World
On April 12, CableLabs hosted an Inform[ED] conference in NYC focused on the emerging IoT security landscape. This open event brought together business leaders, key technologists, and security experts from multiple industry sectors, academia, and government. They shared in-depth views of IoT's evolution and the increasing security, privacy and policy challenges arising from the ongoing and rapidly accelerating deployment of connected devices.
Billions of new devices lead to an increased threatspace
Shawn Henry of Crowdstrike, a retired executive assistant director of the FBI, set the stage for our experts for the rest of the day. His focus and ideas were repeated and supported throughout the event by speakers and panelists. Security threats pose significant challenges to IoT, with real risk to individuals, businesses, and national security. The threats come from terrorist and organized crime groups along with other nation states. New extremist groups such as the Cyber Caliphate extend the activities of terrorists into a cyber jihad. Organized crime groups focus on theft of personal identifying information they can monetize, and target capabilities critical to businesses as their extortion schemes evolve.
Criminals target IoT owners, who lose essential data or the ability to use critical devices unless they pay to get them back. A major example is the rash of ransomware targeting hospitals. And, of course, there have been attacks by nation states, notably attributed to North Korea and Iran. All three types of adversaries steal data, change data, and destroy data to achieve their own ends. However, the benefits of IoT are worth the investment in effort and resources to protect it, and IoT security needs to assess the risks posed by bad actors and mitigate vulnerabilities appropriately.
Collaborating on standards and public policy
IoT risk management is also a concern among policymakers, who take notice when insecure devices impact networks and services. Matt Tooley of NCTA discussed with Allan Friedman of the NTIA the agencies' efforts to galvanize all relevant parties toward solutions through a multi-stakeholder process. Gerald Faulhaber of the Wharton School, Chaz Lever of Georgia Tech, and Jason Livingood of Comcast agreed on the need for broadly shared responsibility for IoT security, and Professor Faulhaber noted some form of government oversight may be forthcoming, though the model is unclear. While certification of devices may provide some key elements we need, it's important we understand policy will likely be slow to evolve. This means businesses, including service providers, device manufacturers and others must evolve their security strategies as adversaries evolve their methods of attacking IoT. Industry-driven solutions will continue to provide the most agile responses to new threats.
The team of security experts that came together at CableLabs’ Inform[ED] event are working hard to manage risks and mitigate threats. We heard great insights from Dylan Davis of RiskSense, Terry Dunlap of Tactical Network Solutions, James Plouffe of MobileIron and technical consultant to the popular Mr. Robot series, Dan Massey of the DHS Security & Technology directorate, Tobin Richardson from the Zigbee Alliance, and Matt Perry from Microsoft, who is also President of the OCF Board of Directors. Service provider experts included Brian Rexroad of AT&T, Clarke Stevens of Shaw Communications, and Rich Compton of Charter Communications. This fantastic body of experts provided substantive insight into the IoT security challenge and what needs to be done to protect our infrastructure, data, and user experiences. One of the common themes of the conference — how to secure IoT devices and the infrastructures that connect them – kept resonating throughout the day. We just need to do it. There aren’t that many surprises here — as Brian Scriber of CableLabs provocatively summed up in the final key.
- Encouraging manufacturers to implement well-designed, securable code, and enabling the security capabilities and features we already know how to use in other technology areas.
- It is critical to protect people and devices during onboarding, the process of joining networks and configuring devices and services properly as they are first installed. We need strong device and personal identity methods, enabled through public key infrastructure solutions.
- Our communications and device operations need to ensure confidentiality and integrity while also ensuring appropriate levels of availability.
- Finally, devices must be fully supported throughout their life cycle, and this must include upgradable security and dynamic patching of vulnerabilities.
Our industry knows how to do these things — we've got over 30 years of experience securing our networks and IT systems. The lessons learned are still relevant and should be applied to the broader IoT ecosystem. But, we still see common errors like use of known insecure protocols and use of devices that don't require strong authentication, or even include default credentials so anybody knowledgeable of the device can log on. And people can find those devices through services such as Shodan — a very common theme through the day. There are opportunities for improvement such as better measurement and monitoring capabilities. Applying the benefits of data science and big data practices will help detect vulnerabilities and anomalies faster. Further, highly automated strategies to patch and reconfigure devices and networks will enable us to address threats quickly. Security's goal is to make attacking IoT sufficiently expensive so adversaries lose interest. Make it too hard or too expensive for bad actors to exploit IoT for nefarious gains.
These business, technology and policy experts provided actionable guidance, making this a unique event – and the audience and panelists left positive and confident that IoT security can be meaningfully improved if all parties share responsibility. Working collaboratively, we can ensure our customers have great experiences that enrich their lives. And we know what needs to be done. We just need to get working together to make it happen.
Join us for Innovation Bootcamp
CableLabs CEO Phil McKinney and the CableLabs team will host Innovation Boot Camp in Silicon Valley and provide a highly-focused, hands-on experience to give you the tools needed to identify, develop and pitch an innovation project.
How The Dark Web Affects Security Readiness in the Cable Industry
The darknet, dark web, deep web, dark internet – exciting catch-phrases often referred to by analysts and reporters. But what are they? What is the dark web?
The dark web is a network of networks that overlays the Internet. One of the most common dark web networks is The Onion Routing Network, or Tor. Used properly, Tor provides anonymity and privacy to users. Anonymity is achieved when users’ identity is never revealed to others and their traffic cannot be traced back to their actual access accounts and associated Internet addresses. Privacy is achieved when users’ communications cannot be read by anybody other than the intended recipients. Anonymity and privacy are closely related but distinct ideas – privacy can be achieved without anonymity and vice versa.
CableLabs recently hosted a panel about the dark web at its Winter Conference. The panel brought in subject matter experts from across the industry including Andrew Lewman of OWL Cybersecurity. Andrew was previously the Executive Director for Tor from 2009 to 2015. The panel investigated the technology and social impacts of the dark web, and particularly highlighted why cable operators care about this technology area. The dark web is used by adversaries to sell and exchange malware and information used to attack networks, and also account information about employees and customers of companies. Cable operators monitor the dark web to see what is being sold and get indications and warnings of threats against them. This information is used to improve and augment the layers of security used to protect networks and customers.
The evening after the panel, Phil McKinney had the opportunity to talk with Andrew Lewman about the dark web – we are pleased to share that video.
How Does the Dark Web Work?
Tor provides an interesting case study. As stated above, Tor stands for “The Onion Routing.” The name comes from the way the Onion Router protocol wraps packets of information in layers of security that must be peeled away one by one to reveal the underlying information. The method is, of course, a bit more convoluted in reality. Routes are defined by a proxy, which builds an “onion” by encrypting packets in successive layers. The packets from the initiator are forward packets. As a forward packet moves through the network of onion routers, the layers of the onion are successively removed; each layer can only be removed by the router holding the correct private key for that layer. For those who are router-savvy, what is really happening is that the proxy creates a circuit using tunnels within tunnels until the endpoint is reached. If an intermediary device attempts to decrypt a layer of the onion with an incorrect key, all the other interior layers of the “onion” will be garbled.
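The layering described above, as an added example that is not part of the original post or of Tor’s own code: a Go program (standard library only) in which a proxy wraps a message in one AES-GCM layer per relay, each relay peels exactly one layer and learns only the next hop, and a relay that tries a layer with the wrong key is refused. The relay names, the keys and the `example.invalid` destination are constructed; the real Tor protocol negotiates per-circuit keys with a key exchange and uses a different cell format, so `wrap`, `peel`, `buildOnion`, `forward` and `runCircuit` are illustrative helpers. One difference from the description in the text: because this example uses authenticated encryption, a wrong key produces a detected failure rather than silently garbled inner layers.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// relay is one onion router with the symmetric key it shares with the client's proxy
// (constructed at random here; Tor negotiates these per circuit with a key exchange).
type relay struct {
	name string
	key  []byte
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // only a broken entropy source can fail here
	}
	return b
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // keys are always 16 bytes in this demo
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// wrap adds one layer: a one-byte length, the next hop's name and the inner payload
// are sealed under key with AES-GCM as nonce || ciphertext || tag.
func wrap(key []byte, nextHop string, inner []byte) []byte {
	g := aead(key)
	nonce := randomBytes(g.NonceSize())
	plain := append([]byte{byte(len(nextHop))}, nextHop...)
	plain = append(plain, inner...)
	return g.Seal(nonce, nonce, plain, nil)
}

// peel removes one layer and returns the next hop and the inner payload. A relay
// holding the wrong key fails the GCM authentication check and learns nothing.
func peel(key, layer []byte) (string, []byte, error) {
	g := aead(key)
	if len(layer) < g.NonceSize() {
		return "", nil, errors.New("layer too short")
	}
	plain, err := g.Open(nil, layer[:g.NonceSize()], layer[g.NonceSize():], nil)
	if err != nil {
		return "", nil, fmt.Errorf("wrong key or tampered layer: %w", err)
	}
	if len(plain) == 0 || int(plain[0]) > len(plain)-1 {
		return "", nil, errors.New("malformed routing header")
	}
	n := int(plain[0])
	return string(plain[1 : 1+n]), plain[1+n:], nil
}

// buildOnion is the proxy's job: seal the message for the exit relay first, then
// wrap each earlier hop around it, so the entry relay peels the outermost layer.
func buildOnion(path []relay, dest string, message []byte) []byte {
	onion, next := message, dest
	for i := len(path) - 1; i >= 0; i-- {
		onion = wrap(path[i].key, next, onion)
		next = path[i].name
	}
	return onion
}

// forward walks the onion through the circuit. Each relay peels only its own layer
// and sees only where to send the remainder; hops records what each relay learned.
func forward(path []relay, onion []byte) (hops []string, message []byte, err error) {
	for _, r := range path {
		var next string
		if next, onion, err = peel(r.key, onion); err != nil {
			return hops, nil, fmt.Errorf("%s: %w", r.name, err)
		}
		hops = append(hops, next)
	}
	return hops, onion, nil
}

// runCircuit carries a constructed message over a three-hop circuit, then has the
// middle relay try the entry layer with its own (wrong) key.
func runCircuit() (hops []string, message string, wrongKeyRejected bool, err error) {
	path := []relay{{"entry", randomBytes(16)}, {"middle", randomBytes(16)}, {"exit", randomBytes(16)}}
	onion := buildOnion(path, "example.invalid", []byte("hello from the client"))
	hops, msg, err := forward(path, onion)
	if err != nil {
		return nil, "", false, err
	}
	_, _, wrongErr := peel(path[1].key, onion)
	return hops, string(msg), wrongErr != nil, nil
}

func main() {
	hops, msg, rejected, err := runCircuit()
	fmt.Println(hops, msg, "wrong key rejected:", rejected, err)
}
```

Notice what each relay can see: the entry relay learns only that the next hop is “middle”, the exit relay is the only party that sees the destination and the plaintext, and no single relay can link the sender to the destination, which is the anonymity property the text describes.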
Tor is, however, just one example technology. What other means do people use to achieve private and anonymous communications? The chat channels provided on popular console games are reportedly used by terrorists and criminals. An alternative technology solution that overlays the Internet is I2P. And there are many others.
Beyond the Dark Web
In addition to being aware of the dark web, CableLabs leads other security initiatives as they relate to device security and protecting the cable network. CableLabs participates in the Open Connectivity Foundation (OCF) which is spearheading network security and interoperability standards for IoT devices. CableLabs has a board position at OCF and chairs the OCF Security Working group. By ensuring that all IoT devices that join the cable network are secure, risks to both the network as well as the privacy of subscribers are taken into consideration.
CableLabs recognizes the important contribution the cable industry will make to the larger ecosystem of IoT device manufacturers, security providers and system integrators. We are producing a two-day Inform[ED] Conference to bring together cable industry technologists with these stakeholders. April 12 will focus on IoT Security and April 13 will cover Connected Healthcare. Please join us in New York City for this important conversation.
Wednesday, April 12, 2017
8:00am to 6:00pm
InterContinental Times Square New York
300 W 44th St.
New York, NY 10036
2017 Innovation Predictions
It’s that time of year for me to give my innovation predictions.
My top three predictions for 2017 are:
- Mixed Reality
- IoT Security
- Flexible Displays
Please take a look at the video where I elaborate on these three predictions.
Best wishes for a great year.
It's that time of year for me to give the predictions of the top three innovations coming in 2017. Now, I've been doing these predictions for many many years and actually have a pretty good track record. I've made most, I've missed a few. But also, I like to go out on a limb and give some predictions that kind of, maybe, push the envelope a little bit.
What's the number one prediction for 2017? It's around augmented reality, virtual reality, but more importantly, mixed reality. Mixed reality is really this combination of AR and VR where you actually see data and information that you can act upon. This kind of an experience is going to be really mind-blowing for people. It's really a great opportunity for content creators to think differently about the content they produce but also about the storytelling, the way of telling stories, and the way of making information interesting and actionable. So stay tuned, this is going to be a very exciting area. The first part of the year we're going to see more work in the hardware technologies. As we get into the latter half of the year, it's really going to be exciting to see some of this new content that is going to become available.
What's the second prediction? Second prediction is IoT: the Internet of Things is going to continue to be the hot area for 2017. Now, we've seen this introduction of IoT devices really explode in 2016. But one of the concerns that's really come out is security. The ability for hackers or people who are not friendly to be able to access IoT devices in consumers' homes has really become front-page news. So the question I have is, the technology is there, it's going to continue to expand, it's continued to be interesting. But as an industry, the security area has to be addressed before I predict broad consumer adoption of IoT devices. We're going to see IoT in everything from home security, home monitoring, heating, air conditioning, home appliances. We're also going to see some IoT devices and interesting areas like home health: healthcare devices that allow your doctors to monitor your healthcare, maybe after procedures or whatever, in your home and that just reinforces this one critical area which is around security to make this technology broadly available.
The third area is around display devices. Now, if you go back and you look at my predictions in previous years, I've talked about 3D the year it became a hot issue at some of the trade shows. We've talked about 4K. 4K high dynamic range (HDR) which is broadly going to be just a boon area for this year. In fact in 2016, in going into the holiday season, it became really very prevalent for people to buy these new kinds of TVs. What is left to be done in display technologies? What's left to be done is around flexible displays. Flexible displays being built on new kinds of materials such as this mylar, which is the backing material that's being used in some of the flexible displays that you'll see come available in the first part of 2017. This allows for displays to be manufactured that are one millimeter thick that literally you can attach to your wall as if it were wallpaper. What does this mean for the broad marketplace? When you have that kind of technology -- very low-cost but very flexible -- from the standpoint of how it gets used, we will see flexible displays on TVs as obvious, but also transforming things like whiteboards, collaboration technologies, technologies used in the classroom, advertising displays in retail and billboards. You'll be able to get these kinds of displays at such a low cost that you can literally transform every flat surface you see and turn that into a new kind of display for use of all kinds of ways.
So those are the three predictions for 2017. We have everything from the AR/VR/mixed reality, the Internet of Things, and these new kinds of displays.