June 04, 2014

Securing the Internet of Things

In today’s Whiteboard Wednesday, Nick Percoco, VP of Strategic Services at Rapid7 will discuss the Internet of Things and how it affects security.

Nick gives a brief, high level, explanation around how the Internet of Things is developing and also explains a large problem: Internet of Things devices are being developed and released faster than our ability to secure them.

Watch this week’s video to learn more about this topic.

Read Video Transcript

Hi, I'm Nick Percoco, vice president of strategic services at Rapid7. Welcome to this week's Whiteboard Wednesday. This week's topic is Internet of Things.

I'd like for you to imagine a bit about 15 or 20 years into the future where your home is well-connected, your body is connected, and your cars are connected; and within those connectivity, they're able to communicate with each other and with the devices around them to better anticipate our needs within our home, maybe even defend against physical attacks.

Our bodies will be connected, maybe with embedded medical devices and other devices that will keep track of us and make us healthier. We also have self-driving cars that’ll be on the roads, that’ll be able to navigate much more safer than they can today. With all that technology in our lives, there's one thing that will be certain; the threat against maybe illness, or bad drivers, or even a burglar targeting our homes will be less than possibly a software flaw that may be in one of these devices.

Now, if these devices were just isolated, living on islands on their own, that may not be as big of a deal. But, these devices are all interconnected. They're able to talk to each other. They're connected up to the global internet. And, when that takes place, they open themselves up to attacks. So, the problem we're seeing is that the internet of things, and the devices that are within the internet of things, are being developed faster and being released faster than our ability to secure them.

Now, if you think about all of the research that's going on today, these are science fiction types stories that I was talking about early on; but today, there's active research going on, there's active development going on. And in fact, some of these devices are even being kickstarted into existence, just because they're great, they're popular, and people want to give plenty of money towards creating those types of devices.

So, to sort of illustrate the threat that can go on with one of these devices, we're taking a fictitious example. Imagine about 15, 20 years from now, maybe 25 years from now, when someone who has a fatal illness is able to be cured by just a small embedded device. In this example, we have a politician. This is a well-known politician who's very active publicly. Turns out he has a rare kidney disease and some other medical issues which requires him to be hooked up to a dialysis machine, maybe 24/7.

Now, for a politician to cart a dialysis machine with him wherever he goes isn't really feasible, and so he's really stuck in that situation. But, a medical device manufacturer comes up with a device that's about the size of the palm of his hand that's able to be attached to him and makes him more mobile. It changes his life, and he's so grateful of this device that he basically goes out and becomes the public face for this medical manufacturer and for the device that's being sold to the public.

It's a very expensive device; not everybody can afford it, but it has changed his life. And so, he becomes the face of the company and basically, is well-known that he's wearing this device. Now, any politician is going to go on either side of a certain topic or political debate, and he's basically one of those politicians that is not so friendly with a certain group of people within his country. That group decides to fund some research to try to target him as an individual, and they find a flaw in his medical device.

Fortunately for the manufacturer, they decided this device needs to communicate up to its doctors and up to its medical manufacture systems for diagnostic information; and once a day, this device phones home. When it phones home, it not only submits information but receives configuration information back from its doctors to make minor tweaks and minor changes to that device to better his life. Well, the criminal groups actually found that flaw, and they found that there's a flaw in that device that's no longer doing certificate validation over SSL, which opens up a chance that there can be some man-in-the-middle attack.

The criminal group, because he's a well-known politician, is able to follow him and know where he's going to be basically every single day, and they follow him to a hotel. They follow him to a hotel where he's going to be giving a speech the next morning, and when he goes to bed at night, he plugs in his device. It starts communicating over the hotel's network to receive diagnostic information and receive new configuration information. They happen to be sitting on that same network and man-in-the-middle of that communication, and they modify the configuration and that downloads a fatal change to that device which then creates a medical emergency for him and puts him in the hospital.

Now, this is just one example of what we can see in the world of the internet of things. This is a device that's really sustaining someone's life, and if there's even a minor software flaw, it can be life-threatening. The problem for the consumers of these devices is that while they may be internet-savvy, they may have some security knowledge in their hands, and maybe security-savvy about doing things in their lives to secure themselves, secure their email accounts and other things, it's very difficult for them to defend against an attack against one of these devices; because as a person, and in my personal life and anyone else, when we're travelling around in our world, and most consumers, we don't take an arsenal of security controls with us.

We don't take wireless intrusion detection appliances, carry those on our back. We don't have personal firewalls that really defend against these attacks for internet of things-types devices. So, the other piece of that, they're difficult to detect. Even in the situation here with the politician where he was man-in-the-middled and a fatal configuration change was dropped on his device, where's the evidence of that attack? Do the devices have robust logging that a forensic analyst can go and churn through as from a post-mortem to discover the problem? Maybe not; especially small, little, tiny embedded devices. They don't have a lot of disk space. They don't have a lot of space to store months and years of logs for someone to look back and try to understand what was actually happening with that device.

So, with that, this topic was really just meant to be an introduction to the security risks around internet of things, but this is not the last time we're going to be talking about this on Whiteboard Wednesday. Myself and other colleagues at Rapid7 are going to be diving deeper into these topics, and even giving live demonstrations for you in front of the camera of some of the threats to various devices that we've seen through our research. So, I'm Nick Percoco. Thanks for watching, and hope to see you next time on another Whiteboard Wednesday.

Free UserInsight Download

Start detecting attacks targeted at your users

Get Started