Dark Reading | Endpoint | Commentary
9/24/2015 02:10 PM
Marilyn Cohodas

4 IoT Cybersecurity Issues You Never Thought About

Government, industry and security professionals problem-solve the daunting challenges of the Internet of Things.

Call it a physical and cybersecurity challenge. Innovators and industry experts gathered in Boston Tuesday for the IoT Security 2015 conference brainstormed about some of the Internet of Things' most daunting security challenges -- authentication, patching, smart grids, and smart homes -- and how to address them.

  • Who is responsible for patching your smart home -- from the cars you drive to the entertainment you watch and the food you store and prepare?
  • Is it possible to have seamless mutual authentication between users and devices, and between devices themselves?
  • What happens if the connections between your smart home and your smart grid stop working and turn against you?
  • What if the seller of your dream house refuses to give up the keys to the built-in smart devices inside?

These were the hypothetical problems that attendees from a broad range of IoT interests -- manufacturers, the public sector, and security professionals -- chewed on during four lunchtime breakout sessions. Participants were given a specific problem to analyze, after which they presented their solution to the full conference.

Passwords
LG Mobile Research IoT Security Engineer Harsh Kupwade Patil’s team tackled the question of whether it’s possible to have mutual authentication between users and devices, and between devices themselves. “Is there a solution? Yes. But it won’t be a simple solution,” Patil said. Context-aware security, new gateways, and middleware were three measures the group said could help facilitate the “chain of trust” necessary to support IoT. But Patil said “identity was the weakest link in the chain,” hampered by a fragmented market and a “protocol soup” that prevents devices and users from working seamlessly together.

Smart Home For Sale
So you just bought your dream home -- a smart house with all the bells and whistles you would want and expect. After you sign on the dotted line, drive up and unlock the front door, you find out that the seller is unwilling (or unable) to give you the “keys” to the smart devices inside. What’s the remedy? One possibility, said group leader Chris Rezendes, founder of INEX Advisors, requires that all smart devices be manufactured with factory wipe options, along with the development of “good processes” to transition smart products like cars and homes to new owners.

Smart Grids
How does a power company deal with an attacker who seizes control of a customer’s smart meter or demand-response thermometer and directs the device to consume more electricity in the home, or stops the utility from sending any power at all? How would the power company even know that the power supply was being diverted? That was the issue posed to the group led by John Miri, chief administrative officer at the Lower Colorado River Authority in Austin, Texas. One solution: creation of a new class of performance metrics that focus on resiliency, for example, Mean Time Between Recovery versus Mean Time Between Failure.

Patch Work
A device has been shipped from the factory and is deployed in a home, workplace, or car. What are the options for updating its security remotely? Johan Sys, IoT security manager at Verizon, framed the discussion, and the group bandied about solutions ranging from manufacturer-provided security subscription services to the creation of a new class of small business. “If I can hire a termite service to protect my house, why couldn’t there be a cybersecurity service provider to maintain the smart devices I use in my home?” Sys said.

Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting ...
Comments
eaglei15, User Rank: Strategist
2/23/2017 | 8:26:52 PM
Cybersecurity for IoT
The responsibility for the security of the smart device should be on the vendor side, same as energy consumption. There are already some startup companies that suggest solving this problem at scale, such as https://www.cybeats.com
Joe Stanganelli, User Rank: Ninja
9/25/2015 | 11:54:56 PM
Breach
Of course, in the "smart home" example, it could well be a breach of contract and/or a breach of the warranty of habitability (depending upon the situation) to not turn over the "smart keys."

But, of course, much better to have an easy technical solution at the ready than get the lawyers involved.
lynnbr2, User Rank: Strategist
9/24/2015 | 5:07:45 PM
More Issues
What happens when the vendor of an IoT device goes belly-up? (And how would anyone know? Aren't most of these going to be made overseas?)

What happens if the vendor of an IoT device refuses to patch or upgrade a device? (Or decides to charge an outrageous amount for something, like Martin Shkreli?)

What happens if an IoT device deliberately lies, cheats, or steals? (e.g. Volkswagen) Is this the beginning of the 'Internet of Cheating Things' -- as per a New York Times editorial by Zeynep Tufekci, 9/23/15?

Lastly, it's not new, but it bears reconsidering: will we continue to tolerate EULAs that are wholly one-sided and prohibit customers and third parties from inspecting the software/firmware supplied with a device?