Security in the IoT

12th March 2014

With more and more embedded computing capability, networking and Internet connectivity inside everyday systems such as household appliances, security systems, home heating and lighting systems and even cars, information security has become a potentially important consideration in devices where it wouldn’t previously be considered important – potential security threats may be lurking in embedded systems in a growing number of everyday devices.

Nowadays it isn’t just familiar personal computers that are connected to the Internet – embedded computers are more ubiquitous and are also increasingly connected, and with that connectivity and computational power comes new security threats hiding in new places.

Internet-of-Things networks, smart home automation and persuasive connectivity and embedded computing bring with them exciting new opportunities – a connected home can allow you to log in to your home network before you leave work in the evening to turn on your central heating and your oven, or allow you to log in to your home security system from your smart phone in response to an alarm notification, check your security cameras and reset your alarm if there isn’t a problem.

Unfortunately, these new opportunities do potentially bring with them a new set of security threats. Whilst most consumers are now aware that their personal computers and smart phones are potentially vulnerable to malicious software or network attack, few are aware of the potential threat to other electronic devices.

The Internet of Things may be in its infancy, but threats already exist. For example, computer worms are known to exist that are designed to target embedded devices such as cable and DSL modems and other low-power embedded devices based on architectures such as ARM and MIPS – platforms that are associated not with personal computers, but with the Internet of Things and embedded devices such as modems, routers, industrial control systems and set-top boxes.

Malware exists that adds infected modems and routers to botnets that can be used to support attacks, such as distributed denial of service attacks, on other networks and systems.

What is particularly worrisome about these kinds of threat is that in many instances, the consumer may have no idea that these types of embedded computers are vulnerable to this kind of malicious attack. Devices such as modems or routers may “hide in plain sight” containing malware, and spread it back to personal computers on the same local network.

Once these PCs have been disinfected – or being “trusted” to remain online all the time, directly connected to the Internet in many cases, without being disconnected or decoupled from the Internet as other computers may be to prevent malicious attack or infection in a security-conscious environment.

Many users may think about hardware upgrades to devices such as network routers rarely, if ever, and they may never bother with firmware upgrades and patches – or even with ever changing passwords and login details for configuration of these devices away from their default settings.

In one prominent incident, Trendnet, an organisation that markets Internet-enabled security cameras and baby monitors, shipped some of their cameras with faulty software that left them open to online viewing, and in some cases listening, by anyone on the Internet who was able to discover a camera’s IP address.

The private camera feeds of hundreds of consumers were made public on the Internet. When this vulnerability became public, people published links to the live feeds of hundreds of the cameras, displaying children sleeping and people going about their daily lives. But these devices were not infected with any malware – they were simply designed and sold with negligible security measures in place, relying only on “security through obscurity” and allowing anyone to simply access them if they knew how.

Within the last few years, we have seen a huge range of new Internet-connected and networked embedded devices emerge, from household thermostats to light bulbs to TVs to cars. Although the Internet of Things is still immature, the number of Internet-enabled devices is beginning to explode. According to Cisco Systems, there are more than 10 billion connected devices on the planet – more devices than there are people – and they predict that the world will reach a population of 50 billion connected devices by 2020.

This huge population of connected devices obviously brings with it an increased potential for security vulnerabilities, and an increased need for security awareness, both by consumers and by device manufacturers. Consumers should be aware that just because an electronic device doesn’t possess a display or a keyboard, that doesn’t mean it is not potentially vulnerable to attack. All devices that are connected to the Internet – via Ethernet or Wi-Fi, and perhaps even indirectly – via Bluetooth or 802.15.4 wireless networks, looking into the future – need to be secured.

IOT Security 2

Consumers should pay attention to the security settings on any device they purchase, and disable capabilities such as remote access if they aren’t needed. Default passwords should be changed to unique, strong passwords that don’t use common, easily guessable numbers or dictionary words.

Furthermore end users should also regularly check manufacturer’s websites to see if there are any updates to software for their devices, since manufacturers will often patch security vulnerabilities with software updates if they are identified. And since network routers and modems are essentially the gateway between the Internet and other devices on the network, keeping these up-to-date and secure is very important.

However almost all security threats and possible incidents can be neutralised before the product reaches the end user. By designing appropriate levels of security into products – including various fail-safes such as mandatory passwords, firmware updates and better documentation and user education, a safer and more reliable IoT can be possible.

If you have a new product idea or an existing version that needs updating, we can take care of all facets of design and prodiucting – including the right security and user-interface to negate as much risk as possible.

To get started, join us for an obligation-free and confidential discussion about your ideas and how we can help bring them to life – click here to contact us, or telephone 1800 810 124.

LX is an award-winning electronics design company based in Sydney, Australia. LX services include full turnkey design, electronics, hardware, software and firmware design. LX specialises in embedded systems and wireless technologies design.

Published by LX Pty Ltd for itself and the LX Group of companies, including LX Design House, LX Solutions and LX Consulting, LX Innovations.

Muhammad AwaisSecurity in the IoT

Have a project you’d like to discuss? Speak to someone today.

Add your email and we’ll keep you in the loop with our future developments.