Don’t give them any water: How the IOT is like The Gremlins

The Internet of Things represents a dramatic change in life as we know it. As everything around us is brought “online” through the inclusion of sensors, computing power and network connectivity, we will be provided with a much different life experience from what we have today. But if you think today’s cyber attacks on corporate networks are a cause for concern, think of a world where everything around you – on a national, city, street, home and office, or personal level – senses its environment and interacts with other things. Can this magical world be protected from cybercrime – or is it already too late?

Gizmos and Gremlins

Security researchers already point to an alarmingly high number of vulnerabilities in Internet of Things appliances – everything from smart homes to cars to wearables have been hacked by white hatters, and some devices – such as smart refrigerators – have actually been, compromised and used to spread spam, very much like a home computer.

Experts have already prescribed several basic remedies that, if applied today, can save us a great deal of trouble when the IoT era fully sets in upon us:

1. Don’t save security for later – bake the necessary security stack into the infrastructure right now
2. Don’t let the applications run without standardization
3. And whatever you do, never, EVER, release an IoT device without the ability to patch itself

These three simple, well-defined rules make a lot of sense, and if we just follow them, we’ll be safe and sound. But those of you with a nagging feeling that you’ve seen similar rules before are absolutely right. Here, let me refresh your memory….

1. Keep them out of the light
2. Don’t give them any water
3. And whatever you do, never, EVER, feed them after midnight

Yep. These were the rules that the owner of Gizmo, a cute, furry, fuzzy creature was given in the 1984 cult classic movie Gremlins. And even if you haven’t seen the film, it’s not too difficult to guess what happened. Clearly the rules were somehow broken – and the adorable Gizmo – spoiler alert in case you haven’t seen the movie – turned into a hoard of vicious monsters, setting off a chain reaction of chaos and destruction across the entire hometown.

Just like in Gremlins, IoT appliances should follow three basic rules. And just as in Gremlins, we know that there is no real chance that they will be followed.

Rules Made to be Broken

Let’s take a closer look at each one of the security pillars need for a safe future, to better understand why they are so devilish to follow.

1. Don’t Save Security for Later: If we look at the current state of IoT infrastructure and the glut of commercial IoT-ready appliances, we’re essentially discussing a “Kickstarter Economy” that is focused on rolling out catchy, hip and useful products to users. The infrastructure on which IoT appliances are built is more focused on agility, connectivity and adaptability than security. Baking security inside is at best not a priority for these developers, most of whom lack the discipline, resources and know-how required to effectively equip their new Kickstarter-ready device with the right level of security.
2.  Standardize the applications: The BYOD industry is essentially based on two platforms – Android and iOS. IoT on the other hand is the Wild West of development. The two main hardware stacks on which IoT developers build products – Raspberry Pi and Arduino – are both open source and free-wheeling. If you Google “Arduino security,” you’ll find plenty of web pages talking about building home security systems using that platform, while if you Google “Android security,” you will find many articles discussing security on the Android platform. In fact, the way the IoT stack develops seems very similar to the first days of the Internet in which quick access and open functionality, not security, were the primary focus for developers. While there are a number of initiatives currently being undertaken to help standardize IoT product development, they are quite disconnected from what is actually happening on the ground.
3.  IoT devices must be patchable. Out of the three rules, this one actually has a better chance of being complied with – not because of security, but because manufacturers will offer firmware or software upgrades to the consumer. This means that many IoT devices are in fact patchable. There is, however, a catch. Allowing remote upgrades also means an opening for hackers who might exploit weak security around the upgrade process to push malicious code. They may also use the patching as a platform for social engineering, duping users to download “patches” that are in fact Trojans and malware – which is bound to happen when it comes to wearables..

The Fallout

All of this means that we’re probably heading into a Swiss-Cheese-like IoT wave with easy-to-exploit security holes. And so, sooner or late, the attacks on IoT infrastructure are bound to come, and will be harsh when they do. Cars are already hackable – but think of autonomous transportation networks. National grids. Regional utilities. Offices. Homes. Personal wearables remotely controlled en-masse by evildoers.

What can be done to get ready? For individuals at home and at work, you will be able to set up a “cyber-security camera” for your smart home or office. Knowledge is power and if you understand what is under your control, and what symptoms might signal an attack is about to take place, you will put yourself in a position of strength to properly prepare and fend off attacks.

Then there’s a general guideline: trust no one. If you’re a corporation, a utility or just someone who works with suppliers, don’t make any assumptions about IoT vendors and make yourself knowledgeable about security updates and what it takes to remain “sustainable” in the face of threats.

Finally, take a deep, clear look at your personal risk and threat assessments. Does your insurance cover home-based smart networks that are compromised? What risks are you opening yourself up to when installing a smart fire detector or thermostat? Make sure you can confidently answer these questions, and if you are not satisfied with the answers, don’t be afraid to reconsider.

The Takeaway

The IoT reality, like many other technological revolutions, will change our lives. Just check out this video. Let’s just do our best to make sure it’s safe as well.

(Note: this is an article I wrote for Geektime.com)