
9/24/2015
02:10 PM
Marilyn Cohodas
Commentary

4 IoT Cybersecurity Issues You Never Thought About

Government, industry and security professionals problem-solve the daunting challenges of the Internet of Things.

Call it a physical and cybersecurity challenge. Innovators and industry experts in Boston on Tuesday for the IoT Security 2015 conference brainstormed about some of the Internet of Things' most daunting security challenges -- authentication, patching, smart grids, and smart homes -- and how to address them.

  • Who is responsible for patching your smart home – from the cars you drive, the entertainment you watch, the food you store and prepare?
  • Is it possible to have seamless mutual authentication between users and devices, and between devices and other devices?
  • What happens if the connections between your smart home and your smart grid stop working and turn against you?
  • What if the seller of your dream house refuses to give up the keys to the built-in smart devices inside?

These were the hypothetical problems that attendees from a broad range of IoT interests -- manufacturers, the public sector, and security professionals -- chewed on during four lunchtime breakout sessions. Participants were given a specific problem to analyze, after which they presented their solution to the full conference.

Passwords
LG Mobile Research IoT Security Engineer Harsh Kupwade Patil’s team tackled the question of whether it’s possible to have mutual authentication between users and devices, and between devices and other devices. “Is there a solution? Yes. But it won’t be a simple solution,” Patil said. Context-aware security, new gateways, and middleware were three measures the group said could help facilitate the “chain of trust” necessary to support IoT. But Patil said “identity was the weakest link in the chain,” hampered by a fragmented market and a “protocol soup” that prevents devices and users from working seamlessly together.

Smart Home For Sale
So you just bought your dream home – a smart house with all the bells and whistles you would want and expect. After you sign on the dotted line, drive up and unlock the front door, you find out that the seller is unwilling (or unable) to give you the “keys” to the smart devices inside. What’s the remedy? One possibility, said group leader Chris Rezendes, founder of INEX Advisors, is to require that all smart devices be manufactured with factory wipe options, together with the development of “good processes” to transition smart products like cars and homes to new owners.

Smart Grids
How does a power company deal with an attacker who seizes control of a customer’s smart meter or demand-response thermometer and directs the device to consume more electricity in the home or stops the utility from sending any power at all? How would the power company even know that the power supply was being diverted? That was the issue posed to the group led by John Miri, chief administrative officer at the Lower Colorado River Authority in Austin, Texas. One solution: Creation of a new class of performance metrics that focus on resiliency, for example, Mean Time Between Recovery versus Mean Time Between Failure.

Patch Work
A device has been shipped from the factory and is deployed in a home, workplace, or car. What are the options for updating security remotely? Johan Sys, IoT security manager at Verizon, framed the discussion, and the group bandied about solutions ranging from manufacturer-provided security subscription services to the creation of a new class of small business. “If I can hire a termite service to protect my house, why couldn’t there be a cybersecurity service provider to maintain the smart devices I use in my home?” Sys said.

 

Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting ...
Comments
eaglei15
User Rank: Strategist
2/23/2017 | 8:26:52 PM
Cybersecurity for iot
The responsibility for the security of the smart device should be on the vendor side, same as energy consumption. There are already some startup companies that are suggesting to solve this problem at scale such as https://www.cybeats.com
Joe Stanganelli
User Rank: Ninja
9/25/2015 | 11:54:56 PM
Breach
Of course, in the "smart home" example, it could well be a breach of contract and/or a breach of the warranty of habitability (depending upon the situation) to not turn over the "smart keys."

But, of course, much better to have an easy technical solution at the ready than get the lawyers involved.
lynnbr2
User Rank: Strategist
9/24/2015 | 5:07:45 PM
More Issues
What happens when the vendor of an IoT device goes belly-up? (And how would anyone know, aren't most of these going to be made overseas?)

What happens if the vendor of an IoT device refuses to patch or upgrade a device? (or decides to charge an outrageous amount for something like Martin Shkreli)

What happens if an IoT device deliberately lies, cheats, or steals? (e.g. Volkswagen) Is this the beginning of the 'Internet of Cheating Things' - as per a New York Times editorial by Zeynep Tufekci 9/23/15

Lastly, it's not new, but bears reconsidering: will we continue to tolerate EULAs that are wholly one-sided and prohibit customers and third parties from inspecting the software/firmware supplied with a device?