9/24/2015
02:10 PM
Marilyn Cohodas
Commentary

4 IoT Cybersecurity Issues You Never Thought About

Government, industry and security professionals problem-solve the daunting challenges of the Internet of Things.

Call it a physical and cybersecurity challenge. Innovators and industry experts in Boston Tuesday for the IoT Security 2015 conference brainstormed about some of the Internet of Things' most daunting security challenges -- authentication, patching, smart grids, and smart homes -- and how to address them.

  • Who is responsible for patching your smart home -- from the cars you drive and the entertainment you watch to the food you store and prepare?
  • Is it possible to have seamless mutual authentication between users and devices, and between devices and other devices?
  • What happens if the connections between your smart home and your smart grid stop working and turn against you?
  • What if the seller of your dream house refuses to give up the keys to the built-in smart devices inside?

These were the hypothetical problems that attendees from a broad range of IoT interests -- manufacturers, the public sector, and security professionals -- chewed on during four lunchtime breakout sessions. Participants were given a specific problem to analyze, after which they presented their solution to the full conference.

Passwords
LG Mobile Research IoT Security Engineer Harsh Kupwade Patil’s team tackled the question of whether it’s possible to have mutual authentication between users and devices, and between devices and other devices. “Is there a solution? Yes. But it won’t be a simple solution,” Patil said. Context-aware security, new gateways, and middleware were three measures the group said could help facilitate the “chain of trust” necessary to support IoT. But Patil said “identity was the weakest link in the chain,” hampered by a fragmented market and a “protocol soup” that prevents devices and users from working seamlessly together.

Smart Home For Sale
So you just bought your dream home – a smart house with all the bells and whistles you would want and expect. After you sign on the dotted line, drive up and unlock the front door, you find out that the seller is unwilling (or unable) to give you the “keys” to the smart devices inside. What’s the remedy? One possibility, said group leader Chris Rezendes, founder of INEX Advisors, is to require that all smart devices be manufactured with factory wipe options, along with the development of “good processes” to transition smart products like cars and homes to new owners.

Smart Grids
How does a power company deal with an attacker who seizes control of a customer’s smart meter or demand-response thermometer and directs the device to consume more electricity in the home or stops the utility from sending any power at all? How would the power company even know that the power supply was being diverted? That was the issue posed to the group led by John Miri, chief administrative officer at the Lower Colorado River Authority in Austin, Texas. One solution: Creation of a new class of performance metrics that focus on resiliency, for example, Mean Time Between Recovery versus Mean Time Between Failure.

Patch Work
A device has been shipped from the factory and is deployed in a home, workplace, or car. What are the options for updating security remotely? Johan Sys, IoT security manager at Verizon, framed the discussion, and the group bandied about solutions ranging from manufacturer-provided security subscription services to the creation of a new class of small business. “If I can hire a termite service to protect my house, why couldn’t there be a cybersecurity service provider to maintain the smart devices I use in my home?” Sys said.

 

Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting ...
Comments
eaglei15,
User Rank: Strategist
2/23/2017 | 8:26:52 PM
Cybersecurity for iot
The responsibility for the security of the smart device should be on the vendor side, same as energy consumption. There are already some startup companies that are suggesting to solve this problem at scale, such as https://www.cybeats.com
Joe Stanganelli,
User Rank: Ninja
9/25/2015 | 11:54:56 PM
Breach
Of course, in the "smart home" example, it could well be a breach of contract and/or a breach of the warranty of habitability (depending upon the situation) to not turn over the "smart keys."

But, of course, much better to have an easy technical solution at the ready than get the lawyers involved.
lynnbr2,
User Rank: Strategist
9/24/2015 | 5:07:45 PM
More Issues
What happens when the vendor of an IoT device goes belly-up? (And how would anyone know? Aren't most of these going to be made overseas?)

What happens if the vendor of an IoT device refuses to patch or upgrade a device? (Or decides to charge an outrageous amount for something, like Martin Shkreli.)

What happens if an IoT device deliberately lies, cheats, or steals (e.g., Volkswagen)? Is this the beginning of the 'Internet of Cheating Things', as per a New York Times editorial by Zeynep Tufekci, 9/23/15?

Lastly, it's not new, but bears reconsidering: will we continue to tolerate EULAs that are wholly one-sided and prohibit customers and third parties from inspecting the software/firmware supplied with a device?