Securing the new Internet
by Simon Bisson
Expanding the Internet to cover things as well as people opens up a whole new range of security issues, as Simon Bisson explains.
HardCopy Issue: 68 | Published: February 26, 2016
There’s a whole new Internet out there, one where we’re deploying a myriad new devices. These are lightbulbs, switches, door locks and any one of a hundred thousand sensors and actuators, all connected to services running on our phones, our PCs and in the cloud. It’s the Internet of Things, where we’re finally delivering on the age-old vision of a ubiquitous computing platform where everything is smart and everything is connected.
What we’re really building with the Internet of Things is a massive distributed computing project made up of hundreds of thousands of compute nodes, each with different capabilities, different operating systems, and different ways of communicating with the world. Our relatively simple Internet is becoming vastly more complex, opening it up to new risks and to new challenges.
You only have to look at a site like shodan.io to see just what an unsecured Internet of Things (IoT) looks like. A search engine for open networks of sensors and control systems, it exposes many of the systems that have been connected to the Internet without any thought for the ramifications. You can see what people are printing, watch their security cameras, talk to their children through baby monitors, and much more scarily, get inside factories and machines, looking at the pumps that stop cities from flooding.
It’s a scary world out there if we forget about security. But sites like shodan.io exist to remind us of the risks of an unsecured Internet of Things, encouraging us to build security into our devices and into our services. There’s no silver bullet for securing the devices we’re connecting to networks; we just need to remember that all of them, no matter how simple and how small, are computers.
Building a secure Internet
That’s actually a good thing, as much of what we do to secure large scale Internet applications and distributed systems works well for IoT implementations: we can use encrypted connections to ensure that data in motion isn’t hijacked, and standard data management techniques to secure the resulting data warehouses and data lakes. Much of the Internet of Things is as smart as the rest of the Internet, using the same processors, the same networking protocols, and even the same programming languages.
Where we do have problems is at the edges, in the devices and sensors that make up the vast bulk of the new network we’re building. How do you secure a device that doesn’t have a user interface? Setting up a secure connection to a wireless network can be a complex thing, even for something as simple as an alarm. Connecting a Nest smoke alarm to our home network was a multi-stage process involving connecting the Nest app to a local service running on the device in order to bridge its Wi-Fi to a secured network, before completing configuration once the device was connected.
That’s not a process you want to use if you’re rolling out thousands of devices to monitor a fleet of trucks. But you also don’t want to have devices just connecting to a network without any control. What’s needed is a way of balancing those two extremes: managing and controlling access, while making connection as easy as possible. It turns out that we’ve actually solved many of these problems in the consumer Internet.
Setting up secure connections
You can get a feel for how things might work using Wi-Fi-based platforms for prototyping devices such as Particle’s Photon. Here it’s easy to configure new Wi-Fi settings using a management app on a smartphone. You can easily imagine a configuration station on a small PC delivering network and software configurations to devices using a default wireless network, rebooting them when done so they are ready for deployment.
Similarly, the Electric Imp is able to quickly configure networking, using a smartphone app to deliver settings to devices by flashing the screen. A simple, low-cost, optical sensor can detect those flashes and use the data they encode to configure a Wi-Fi connection. There’s an additional layer of security in that Electric Imp also has boot protection, ensuring the firmware is unchanged from boot to boot.
Both Particle’s solutions and Electric Imp are full stack IoT platforms. Using solutions that scale from Arduino-like prototyping hardware to chipsets that you can include in your own hardware, they’re tools that can simplify connecting and securing consumer hardware, especially relatively low cost devices that offer basic functionality.
That approach to configuration is fine for custom and specialised hardware, where you’re configuring a relatively small number of devices. But how can we configure consumer hardware at any sort of scale simply, or set up more complex devices? One example comes from networking vendor Netgear, which uses a similar approach to the popular Wi-Fi Protected Setup feature of many home routers to configure its Arlo wireless cameras. During setup, pressing a sync button on both the Arlo base station and a camera configures a secured low-power Wi-Fi connection between the two, with the base station handling encrypted connections to an associated cloud service account.
The Arlo architecture is an effective exemplar of the type of architecture we’re likely to standardise on for the consumer and small-scale business IoT. Using the cloud to handle and display information collected from endpoints makes a lot of sense, as it lets us process and store information at scale. You can build your own services, or take advantage of services like AWS Lambda or Azure’s IoT analytics tooling.
Gateway devices handle the connections between sensor endpoints – in this case Arlo cameras – and the service. They can be designed to use short range wireless connections to link devices to the gateway, setting up device-to-device encryption as part of the connection process.
Using the cloud also means we can use familiar security models, allowing us to quickly implement services that can work with data that’s encrypted in motion and at rest. Similarly, we can use standard techniques to set up secure connections between local gateways and cloud services, either configuring them manually or by using unique device IDs to configure device encryption. At scale, where we’re using M2M (machine to machine) systems and cellular networks to connect tens of thousands of devices, we have a very good set of authentication tools in the shape of the numbers we get from mobile providers, and the device IMEI codes that are baked into their radios.
In the cloud we’re able to take advantage of existing service platforms that are designed to give us secure APIs and secure application platforms. Taking advantage of platforms like Azure’s IoT Suite means we can build on tooling that’s designed to give us secure information flows, flows that work with the information processing and machine learning tooling that’s used by banks, health services, and governments; all organisations with a need for strong and secure information management. We’re also able to use modern networking equipment, such as next-generation firewalls, to detect intrusions and block threats. By operating as transparent proxies, modern security appliances can work with high volumes of data while appearing invisible to attackers.
Perhaps one of the more important aspects of IoT security is the programming models we use to handle concurrency and scalability. It’s important to understand that many of the programming models we use for traditional Internet applications don’t work well at the scale of the Internet of Things. Instead of having one or two services, we’re using arrays of micro-services, deployed on the fly as they’re needed, operating as actors in a message-passing architecture.
Actor/message is an old design pattern, and one that’s relatively easy to secure, using the familiar publish and subscribe model to manage connections between information sources and sinks. Sensors publish information while micro-services subscribe to those services, connecting our endpoints to big data services running on cloud platforms. Well-designed message queues like the open-source MQTT will only route messages from registered sources, reducing the risk of unwanted devices delivering messages to an application, as well as ensuring that unregistered listeners don’t receive messages.
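The routing rule described above can be made concrete with a small added example, which is not part of the original article and not code from any MQTT broker: a toy Python broker that applies per-client publish and subscribe rules using MQTT's topic wildcards. The client IDs, topic names and rule layout are constructed for the illustration.

```python
# Added example: toy broker; client IDs, topics and ACL layout are constructed.

def topic_matches(pattern, topic):
    """MQTT filter matching: '+' is one level, '#' is all remaining levels."""
    p_levels, t_levels = pattern.split("/"), topic.split("/")
    for i, p in enumerate(p_levels):
        if p == "#":
            return i == len(p_levels) - 1  # '#' is only valid as the last level
        if i >= len(t_levels) or (p != "+" and p != t_levels[i]):
            return False
    return len(p_levels) == len(t_levels)

ACL = {  # registered clients only; anything absent here is unregistered
    "sensor-0001": {"publish": ["fleet/truck17/temp"], "subscribe": []},
    "sensor-0002": {"publish": ["fleet/truck17/door"], "subscribe": []},
    "analytics-svc": {"publish": [], "subscribe": ["fleet/+/temp"]},
}

class Broker:
    def __init__(self, acl):
        self.acl, self.subs, self.delivered = acl, [], []
    def _allowed(self, client_id, action, topic):
        rules = self.acl.get(client_id, {}).get(action, [])
        return any(topic_matches(rule, topic) for rule in rules)
    def subscribe(self, client_id, topic_filter):
        if client_id not in self.acl:
            return False  # unregistered listener is refused outright
        self.subs.append((client_id, topic_filter))
        return True
    def publish(self, client_id, topic, payload):
        if not self._allowed(client_id, "publish", topic):
            return 0  # dropped: source is not registered for this topic
        before = len(self.delivered)
        for sub_id, flt in self.subs:
            # Re-check the grant at delivery so a broad filter ('#') gets no extra topics.
            if topic_matches(flt, topic) and self._allowed(sub_id, "subscribe", topic):
                self.delivered.append((sub_id, topic, payload))
        return len(self.delivered) - before

def demo():
    b = Broker(ACL)
    return b, {
        "rogue_subscribe": b.subscribe("rogue-listener", "#"),
        "svc_subscribe": b.subscribe("analytics-svc", "#"),
        "valid_reading": b.publish("sensor-0001", "fleet/truck17/temp", "4.1"),
        "spoofed_topic": b.publish("sensor-0001", "fleet/truck99/temp", "90"),
        "unknown_source": b.publish("rogue-device", "fleet/truck17/temp", "90"),
        "ungranted_topic": b.publish("sensor-0002", "fleet/truck17/door", "open"),
    }
```

In a real deployment this policy lives in the broker's authentication and access-control configuration rather than in application code.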
Getting on top of risk
Services such as shodan.io make it clear that there is still a lot of complacency out there. With the Internet of Things we’re not just plugging in another appliance; what we’re doing is putting another computer on the Internet. That means you need to consider your trust model, making sure that you have the right level of trust for each of your devices.
A million simple temperature sensors are easy to trust: there’s so much information being delivered that anyone trying to spoof your service will be swamped by valid data. But the control system for a fridge that’s storing vaccines is something you need to protect, making sure that its APIs can only be used by trusted systems.
It’s never easy to accurately quantify risk; and that’s why, when it comes to IoT devices, applications and services, it’s best to assume that we need to have the best security possible. That means choosing chipsets and platforms on the device side that bake security into their operations, while at the same time choosing services that offer the same level of security we expect from ecommerce and financial services.