IoT Security: "The Matrix is here" Business Landscape
In the iconic 1999 movie The Matrix, Morpheus reveals the truth to Neo: our lives are not what they seem but entirely make-believe. Our sense of leading a normal life is fed to us by computers plugged into the ends of our nerves. The movie was of course set a few hundred years in the future and therefore accounted for advances in artificial intelligence and machine learning. It depicted a scenario where the roles are reversed: we do not feed instructions to the machines, they feed them to us. One of the conclusions of the movie was that we were living in a virtual world totally disconnected from reality, our sense of truth being only what the programs tell us. In addition, the integration of man with machine made us true cyborgs, so every vulnerability in the machine affected our own well-being. What made the subject more intriguing was the humanization of the malicious code.
In more than one way, the plot was philosophical. However, from a security professional's viewpoint what stands out is the war between humans and machines in a cyber universe. To the uninitiated, a lot of it might sound far-fetched, but a cyber-security professional cannot brush it aside so easily. I will grant you this (at least for the near future): however advanced the machines become, they will still be driven by code and hence, at the end of the day, will follow instructions. The question we need to ask ourselves is: whose instructions? The creator of the machine, or someone who has somehow managed to override that?
The reason I started with this movie was not to debate the perils of intelligent machines that can turn against us but to highlight a much more fundamental issue: we are actually turning into cyborgs, as depicted in the movie. To get a sense of our own well-being, we seem to rely more and more on machines rather than on our own senses. There is nothing wrong in that when a health band senses the wearer's state of mind and streams the right content to lift their mood. Nothing wrong when it brings light to the eyes of a blind man, injects the right amount of insulin into a diabetic, or keeps the heart beating at the right rate for a person with a heart ailment. What is wrong is assuming that the machine is dumb and cannot do anything other than what it was originally programmed to do.
Our journey to becoming cyborgs has already started, through purpose-built IoT devices. Given the lack of security controls in these devices, they are making us targets for cyber-attacks. The issue is that this time the impact is directly on us: on our health, safety and privacy.
Among the numerous articles Wired magazine has published on cybersecurity, one describes how a live hack of a pacemaker was demonstrated on a piece of dead meat to prove a point: the hacker took control of the pacemaker and made it deliver a high-voltage shock to the "wearer" (in this case the meat) that would have been sufficient to stop a heart. In another famous demonstration, a hacker stopped a connected car in the middle of a highway.
The point being: technological innovation is happening for the betterment of our lives, but in a mindless hurry to capture the market, vendors sometimes overlook its vulnerabilities. Thankfully, some high-visibility incidents have turned the focus here, and the subject has become a mainstream discussion rather than a side note. Think about it: these devices number in the billions, they are always connected, and they are the least secure things on the network. No wonder they are subject to two types of attack: one where the functioning of the device itself is altered, and another where the devices simply become bots used to launch further attacks into your IT systems. There is a third type, where data is stolen from the devices, but that is for later.
Unlike our IT systems, where the field is limited to a few OS vendors, the IoT segment is chaotic. There is no universal standard to lean on. However, it looks like those days of anarchy will soon be a thing of the past; the industry seems to be taking the right steps to fill in the gaps.
I am glad to note some key trends that are steps in the right direction:
- Silicon to service - Today's chip makers are seriously considering baking security right into their chipsets. Intel's acquisition of McAfee was a step in this direction. This makes devices inherently more secure without making them slower. Similarly, Wind River (Intel's embedded-software subsidiary) ships operating systems that build on those chip-level security features. With Intel and ARM competing with each other to build the more secure platform, it is now for the OEM vendors to actually use these features.
- Assertion of digital identity - Identity is no longer only about people; it has extended to IoT devices as well. Every device has a unique identity and needs to be treated as such. Most devices are embedded deep in the environment and work without human intervention, so it is imperative that identity assertion and authentication happen in a foolproof yet non-intrusive manner. It is also important that devices follow the principle of least privilege, with access allowed only to the specific task or application they serve. This contains the damage when a device is compromised.
- No more default passwords - A well-known default password present on every unit of a product makes it a sitting duck. Enterprises are now including password resets for these devices in their standard access-governance programs. This is a welcome step; it makes the hacker's life a little more difficult, and it works best when each device ships with a unique credential rather than one shared across the product line.
- Hardened devices - Devices keep multiple communication channels open, of which only a few serve a valid business purpose, and the devices themselves typically run some unpatched version of an OS. It is imperative that these devices are hardened and locked down: unused services and ports closed and patches applied. Application whitelisting should be a key requirement for critical devices that affect the safety of users.
- Secure communication - There should be no second thoughts about encrypted communications and authenticated endpoints. The industry is taking note and is increasingly relying on secure channels to communicate with devices.
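To make the identity, least-privilege and no-default-password points above concrete, here is an added example; it is not code from the original post nor from any vendor mentioned in it. It models a device registry where every device gets its own key derived from a provisioning master key (an assumed HMAC-SHA256 scheme standing in for the hardware-held keys or per-device certificates a real deployment would use), authenticates with a one-time challenge so a captured message cannot be replayed, and is then permitted only the actions in its scope. The device ids, scopes and master key are all constructed for the illustration.

```python
"""Per-device identity, challenge-response authentication and least-privilege
authorization for IoT devices.  Added illustration, not code from the post.
The per-device key derivation and HMAC-SHA256 challenge-response are an
assumed scheme; a real deployment would keep keys in hardware or use
per-device X.509 certificates over TLS."""
import hashlib
import hmac
import secrets

# Constructed provisioning master key for the example; never ship a real one in source.
MASTER_KEY = bytes.fromhex("1f" * 32)

# Constructed registry: each device is known by a unique id and holds only the
# scopes it needs.  A thermostat may publish telemetry; it may never actuate a lock.
REGISTRY = {
    "thermostat-0042": {"scopes": {"telemetry:publish"}},
    "door-lock-0007": {"scopes": {"telemetry:publish", "lock:actuate"}},
}


def derive_device_key(master_key: bytes, device_id: str) -> bytes:
    """Unique key per device, so no two units share a secret (unlike a default password)."""
    return hmac.new(master_key, b"device-key|" + device_id.encode(), hashlib.sha256).digest()


def compute_tag(device_key: bytes, device_id: str, nonce: bytes) -> bytes:
    """What the device sends back: HMAC over its own id and the server's fresh nonce."""
    return hmac.new(device_key, device_id.encode() + b"|" + nonce, hashlib.sha256).digest()


class AuthServer:
    """Issues one-time challenges, verifies responses and enforces per-device scopes."""

    def __init__(self, master_key: bytes, registry: dict):
        self.master_key = master_key
        self.registry = registry
        self.outstanding = {}  # device_id -> nonce of the challenge still awaiting a response

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding[device_id] = nonce
        return nonce

    def verify(self, device_id: str, nonce: bytes, tag: bytes) -> bool:
        # Consume the challenge whatever the outcome: one challenge, one attempt, so a
        # captured (nonce, tag) pair cannot be replayed and every guess needs a new challenge.
        expected_nonce = self.outstanding.pop(device_id, None)
        if expected_nonce is None or not hmac.compare_digest(nonce, expected_nonce):
            return False
        expected_tag = compute_tag(derive_device_key(self.master_key, device_id), device_id, nonce)
        return hmac.compare_digest(tag, expected_tag)

    def handle(self, device_id: str, nonce: bytes, tag: bytes, action: str) -> str:
        """Authenticate first, then authorize against the device's minimal scope set."""
        if device_id not in self.registry:
            return "unknown-device"
        if not self.verify(device_id, nonce, tag):
            return "auth-failed"
        if action not in self.registry[device_id]["scopes"]:
            return "forbidden"
        return "ok"


def run_scenarios() -> dict:
    """Walk through the cases a practitioner would want covered; returns the outcome per case."""
    server = AuthServer(MASTER_KEY, REGISTRY)
    thermo = "thermostat-0042"
    thermo_key = derive_device_key(MASTER_KEY, thermo)  # the secret the thermostat holds
    results = {}

    # 1. Legitimate thermostat publishes telemetry.
    nonce = server.challenge(thermo)
    tag = compute_tag(thermo_key, thermo, nonce)
    results["thermostat_publish"] = server.handle(thermo, nonce, tag, "telemetry:publish")

    # 2. Compromised thermostat tries to actuate the lock: authenticates, but out of scope.
    nonce = server.challenge(thermo)
    tag = compute_tag(thermo_key, thermo, nonce)
    results["thermostat_actuate"] = server.handle(thermo, nonce, tag, "lock:actuate")

    # 3. Attacker replays the captured (nonce, tag) pair from step 2.
    results["thermostat_replay"] = server.handle(thermo, nonce, tag, "telemetry:publish")

    # 4. Attacker who extracted the thermostat's key tries to impersonate the door lock.
    lock = "door-lock-0007"
    nonce = server.challenge(lock)
    tag = compute_tag(thermo_key, lock, nonce)
    results["impersonate_lock"] = server.handle(lock, nonce, tag, "lock:actuate")

    # 5. A device that was never enrolled.
    results["unknown_device"] = server.handle("camera-9999", b"\x00" * 16, b"\x00" * 32, "telemetry:publish")
    return results


if __name__ == "__main__":
    for case, outcome in run_scenarios().items():
        print(f"{case:20s} -> {outcome}")
```

The design choice worth noting is that authentication and authorization are separate checks: in scenario 2 the thermostat proves it is the thermostat, and is still refused, which is exactly the containment the least-privilege bullet asks for. Consuming the challenge on every attempt, successful or not, is what makes the replay in scenario 3 fail.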
A lot still needs to be done. It is time to spread awareness in the developer community about how to write secure applications. Enterprise IT would do well to cover the IoT environment as part of its security strategy.
Until that happens, let us turn back to René Descartes, whose philosophy The Matrix drew on, for a word of wisdom: "It is only prudent never to place complete confidence in that by which we have even once been deceived." So true.