
Preparing for the future by securing the Internet of Things
The Black Hat USA 2017 cybersecurity conference took place in Las Vegas this week, and over at Dark Reading, Kelly Sheridan has written a great synopsis of its evolution since its creation in 1997. The Black Hat conference started as a gathering of researchers, academics, analysts, cryptographers, and chief information officers that brought the cyber community together for an open discussion of the year’s cyber trends and most current threats. Two decades after its creation, Black Hat has become a much more commercial endeavor, but Sheridan’s history of the conference shows that the conference’s speakers have continued to make news year after year due to their willingness to demonstrate and highlight dangerous cyberthreats and exploits in information technology (IT) system code that could cause major damage if not addressed.
Early on, the conference’s keynote addresses focused on holes in the software of specific companies to demonstrate how coding errors could be used maliciously if not patched. As the years progressed, new levels of acceptance and recognition came to the hacker community when high-ranking government officials began to speak in the public forums and seek help from these hackers.
Black Hat speakers have proven to be prophetic: In 2010, Gen. Michael Hayden delivered a keynote that highlighted the security concerns of rising cyberwarfare with the community. That same year, speaker Halvar Flake highlighted flaws in ATM networks and shared reverse-engineered code that demonstrated how criminals could compromise ATM machines by stealing cash, copying card data, and learning the machines’ master passwords. Every year these presentations demonstrate that previously undiscovered or unheralded vulnerabilities could grow into much more serious problems if not immediately addressed. Among the best examples, Black Hat USA 2011 featured a demonstration of how to hack medical devices, 2012 noted a flaw in air traffic control systems, and 2015 included the infamous hacking of a Jeep, where speakers demonstrated that a hacker could remotely control the steering and braking of a car and could also remotely kill the engine and disable the accelerator — all while a person was in the driver’s seat. The hacking community at Black Hat has earned respect for continuing to demonstrate the real-world consequences of malware and the dangers of failing to patch flawed code that runs so much of the technology we have grown to depend on.
This year’s Black Hat presentations demonstrated potentially devastating attacks on the often cheaply made, portable network-connected devices that make up the Internet of Things, or IoT. Hackers at the conference have shown how simple tools and attack techniques can exploit vulnerabilities in the inexpensive and insecure designs of many IoT items. This means that simple, internet-enabled items such as temperature gauges, smart TVs, game consoles, vacuums, or even refrigerators could give hackers access to an entire network’s operations. The cybersecurity risks of IoT devices have already been made readily apparent to the public, with the widespread internet disruption caused by a massive denial-of-service attack in October 2016 that turned ordinary devices (such as TV cameras and home routers) into weapons.
IoT devices are often vulnerable to attack because manufacturers want market-friendly, inexpensive designs that consumers will want to adopt. Because security measures add complexity and cost to technology, they are omitted, especially as society has become accustomed to cheaper, simple-to-use devices. The phrase “plug and play” captures the expectation: you open the box and plug the device in, then it connects to a network and starts operating.
To address this problem, security needs to be part of the manufacturing process to ensure a safely designed product is available for consumers to purchase. The security community pushes to create “security by design,” or the practice of building security into the basic design of devices that will be attached to a network rather than trying to patch designs after they’ve been connected to the network.
Consumers should make clear to manufacturers that security in design is an important part of their decision to purchase and should understand that the path to more secure devices may mean the end user has to take the additional step of adding a password or enabling two-factor authentication.
As this year’s presenters at Black Hat have noted, the IoT technologies that were created to make our lives and work easier have a potential dark side as Trojan horses to many networks. For consumers and innovators, understanding the risks associated with connected devices and being aware of the dangers insecure IoT devices pose for homes or large enterprise networks will help build a safer environment for both the devices and the networks they use to operate.
We should thank the presenters at Black Hat for being so clear about their IoT security concerns. Now is the time to create devices that are safer for users by adding features such as password protection, two-factor authentication, and geo-fencing features that would prevent a device from taking commands from a remote location or an unknown user. To its credit, the US Department of Commerce has been conducting a process to address IoT security through voluntary, multistakeholder processes that would help address the need for a secure, lifecycle approach to IoT devices. The internet and the networks that run it have enriched our lives; it’s time to take responsibility for improving the security of the next generation of internet technologies to ensure many more generations of innovative technology in our future.
Source: techpolicydaily.com