Interest in internet of things (IoT) security has soared recently, reflecting fast-growing appreciation of the risks, as well as indications that a regime that can offer effective protection is already well understood. Indeed, one gratifying development from Verimatrix’s point of view is that the wider recognition of proven security technology, particularly in the pay-TV revenue protection area, can be adapted for IoT applications. This was a key theme that emerged from a recent briefing at the Connected TV World Summit in London on Security for IoT Services, even though it was also acknowledged that IoT threats themselves can be very different in nature and scale.
One panel member, Ken Munro, partner at Pen Test Partners, a provider of penetration testing and security services, highlighted how, over the 20-30 years of its existence, pay TV has evolved security techniques very similar to those now required to protect IoT-based revenue-generating services. He noted that the IoT requires much the same technical hardware and software architecture, as well as the same long-term support relationships, to secure its revenue streams.
Furthermore, lessons can be learned from pay TV about wider measures beyond technology to combat threats over the longer term. These include education of users and providers, as well as regulation and litigation.
Adapting existing security for IoT requires clearly identifying the differing nature of the threats and vulnerabilities. These can be distinguished broadly between threats to the things themselves, their users and the infrastructure connecting them. There is also a distinction between threats to data or privacy and direct damage to individuals as could be achieved by remote takeover of a connected car, for example.
While many of these threats have so far come to light chiefly through the efforts of security researchers, there have been some proven examples of real damage being caused both to individuals and to national infrastructures. A widely reported case was the second attack launched in December 2016 against the Ukrainian power grid, involving malware and Distributed Denial of Service (DDoS).
Then, when it comes to data privacy, one case raised at the Connected TV Summit event was the hack of internet-connected stuffed toy animals manufactured by CloudPets, which exposed recorded messages involving 800,000 customers. Hackers had targeted this range of smart toys, which can be paired with a mobile app designed to allow communication with remote parents.
There is also scope to launch coordinated attacks from large botnets of compromised consumer IoT devices for various objectives. Botnets can be used to launch DDoS attacks or, as Munro pointed out, to spread worms capable of taking over devices, such as CCTV cameras or even domestic appliances like toasters, which could generate damaging power spikes if turned on simultaneously. Given their high power consumption, switching on large numbers of such devices at once could push electricity demand high enough to bring the grid down. This could cause not just inconvenience or short-term economic loss to businesses, but could also disrupt, say, a national election if launched on polling day, or even soften up a state in preparation for an attack.
In this context, it is important to identify the systems most vulnerable to attack and clearly this embraces all IP-enabled devices that are routable and internet connected, whether they are wireless or wired. But, as was noted on the panel by Parveen Kumar Gahlyan, principal engineer for Security and Conditional Access Systems at Broadcom, the final interface is immaterial, with any device capable of being manipulated if it can receive data remotely over an IP network.
Two other points emerged at the summit IoT security event, which again have echoes with pay TV. Sten Lawaetz, head of System Architecture, Platform and TV CPE at Danish telecommunications group TDC, reiterated the virtues of taking the pessimistic line, assuming the worst-case scenario, when both implementing and reviewing security. This led to the second point that security should always be baked in early on rather than retrofitted afterwards. This has almost become a cliché across the data security industry in general, but is truer than ever for the IoT, with the additional requirement that it should be flexible and above all renewable. Even more than for pay TV, the evolving IoT threat landscape is unpredictable.
Below is a recording of the panel session - I encourage you to watch and share your take in the comments section.