We’re running out of time with IoT security — here are some ways to fix it
The world is reeling from the large-scale WannaCry ransomware attack. Over 350,000 machines in 150 countries were hit in a single weekend: the UK national health service, French car maker Renault, Portugal Telecom, FedEx, Deutsche Bahn rail, Russian rail, the National Bank of China, and many others were forced to cancel services as the attack froze computers across their sites, encrypted their data and demanded bitcoin as ransom.
Wannacry is believed to be the biggest ransomware attack in history, but it’s only the beginning. Expect to see a lot more of this in the future. Expect to be one of the victims. Cyberattacks against hospitals and public transportation are extremely serious, but the growing “Internet of Things” is making everything much worse. “IoT” means simply, “runs on software” and “connected to the internet.” And that, as any security expert will tell you, means vulnerable to a remote attack. If not now, then at some time in the future.
There is a lot of finger pointing for the massive disruption WannaCry has caused. Toward the NSA for originally creating the exploit on which it is based, and for not telling Microsoft about the vulnerability (possibly for years, since it affects Windows XP and 2003), toward the Shadow Brokers for publicly releasing it and toward the victims for not patching quickly enough or using end-of-life (obsolete) software. There is even debate going on to decide whether the software developer or the purchaser is responsible for the security of computer software.
Ultimately, who is to blame doesn’t matter, who is responsible does. Figuring that out is going to take time we may not have.
According to Gartner, an estimated 21 billion to 50 billion IoT devices are expected to come online by 2020. In fact, it’s already becoming hard to find high-quality dumb devices. Look at TVs, where the biggest screens and best image quality is offered on only the “smart” versions (i.e., containing software and requiring an internet connection).
The problem is, software needs frequent upgrading and patching. The world of cyberattacks and defense is constantly evolving. Oftentimes, the older the software, the more likely it is that attackers can find vulnerabilities, the more frequently it needs to change and the less likely a patch is going be available, especially if it has reached the end of its supported lifetime. It’s scary to realize that software is in our cars, durable goods and medical devices.
What is particularly frightening is the fact that with ubiquitous IoT, the equipment that used to run for years with little or no maintenance now contains software that needs constant attention. None of our procedures, habits, or expectations are equipped to handle this. Worse, as WannaCry has demonstrated, these attacks can come at anytime from anywhere in the world.
So, what can be done to ensure the security of our organizations, infrastructure and our homes against the upcoming IoT apocalypse? Since we can’t predict the future, and we can’t shut all IoT devices down, our best defense is to minimize the extent of damage a successful attack can do. To do this, all IoT products need to be able to be easily, cheaply and regularly upgraded with the most up-to-date security patches.
In other words, IoT needs some sort of expiration date. This does not mean a “kill switch” after which devices cease to function, If WannaCry is bad, just think of the chaos if millions (or billions) of furnaces, HVAC systems, cars, or worse, medical devices, suddenly stopped working.
And we can’t just require everyone to throw out IoT devices every year or so. Refrigerators, boilers and cars are expected to last for decades. Frighteningly, the software on them has a much shorter lifetime. This dichotomy has resulted in so many organizations still using old software (presumably on perfectly good old hardware), that to try to stop WannaCry, Microsoft actually broke its own rule and issued patches for end-of-life products.
One solution might be found in our relationship with our cars. We expect a certain level of security in a new car, but also recognize that to stay safe, it will need regular inspections, maintenance and repairs throughout its lifetime. Moreover, we’ve standardized who is responsible for what: e.g., manufacturer recalls, DOT highway maintenance, owner tire inspections, etc.
In a similar vein, an IoT expiration date would need things like:
- A requirement that all IoT software be upgradable throughout the expected lifetime of the product. Many IoT devices on the market right now contain software (firmware) that cannot be patched even against known vulnerabilities.
- A minimum time limit by which manufacturers must issue patches or software upgrades to fix known vulnerabilities.
- A minimum time limit for users to install patches or upgrades, perhaps this could be facilitated by insurance providers (perhaps discounts for automated patching, and different price points for different levels of risk).
The above list is in no way conclusive. Securing the IoT ecosystem is an extremely complex problem. There needs to be new research to discover the most beneficial timeframes, the least expensive upgrade paths, certification, insurance and even how to securely design adaptable software. Before any responsibility can be assigned, there needs to be discussion and debate to determine what the various cybersecurity responsibilities for IoT even are.
WannaCry has shown us that when discovered, we have only a very short time to patch the software on IoT devices against a new attack. But, WannaCry has also shown us that we have only a very short time to develop effective strategies and policies to address the potentially catastrophic damage we can expect from future new attacks on billions of vulnerable IoT devices.
Today, it’s computers affecting hospitals and trains. Tomorrow, it’s your kid’s sneakers, your insulin pump or your home entertainment system holding your entire household hostage. We’re running out of time.
Sandy Clark is a researcher at the University of Pennsylvania who studies the computer security ecosystem. She is currently co-authoring a book on technology and journalism, due out in late summer.
