Originally running in our 6th Edition Report, ex-Editor, reporter and contributor to WhichPLM, Ben Hanson, discusses cyber security. This piece accompanies a dedicated IoT series from Ben, all of which you can find in our 6th Edition.
The Internet of Things has unequivocally changed the world. Over the course of the past two decades, it has been the centre of many of the world’s most exciting inspirations and innovations, changes entire infrastructures, redefined the way we think about geographical and personal boundaries, and even powered political revolutions.
But for all its power and ongoing potential, the excitement of the Internet has rather rubbed off. The Internet has suffused our lives to the extent that, for much of the world, it’s considered a utility in the same sense as water, electricity, gas, and transportation. And nobody I know gets particularly excited about their electric supply.
From a security perspective, though, this is cause for concern. Now that the technical wizardry behind the Internet has faded into the background, we – as individuals and as representatives of businesses – place it on a unique, unacknowledged pedestal; the trust we have in the Internet far outweighs our acknowledgement and understanding of its risks.
To compare it with something similarly ubiquitous and convenient, we should no more consider the Internet “safe” than we do the road network of whatever country we live in. As luck would have it, I bought a new car while I was researching and writing these features, and, as a father, my choice of make and model was influenced fairly strongly by safety ratings. And although I don’t mean to draw any kind of equivalence between a car crash and an incident of identity theft, the way I thought about that purchase compared to the priorities that govern my choice of smartphone or laptop or wearable is, I think, emblematic of the cursory glance we give to cyber security.
Generally speaking, we tend towards extreme complacency when it comes to entrusting our identities to technology. Which is why smartphone manufacturers, to use a common example, push cloud backups, GPS tracking, and biometric user identification – fingerprints – as the opt-out defaults for setting up a new device. These actions prompt some people to cry “nanny state,” and to assume that companies like Apple and Samsung are intruding on our privacy and selling our data to the highest bidder. In reality, this is one of only a few occasions where I believe big corporations actually have our best interests at heart – ignoring the inconvenient fact that fingerprints are fundamentally less secure than proper passwords (your authentication key is now on every surface you touched today). We’re so comfortable with the concept of smartphones – everyone has one, after all, and our favourite apps are right there if we can just dismiss this pesky request for two-factor authentication – that it takes serious urging to prompt us to look past the utility and at least recognise the unknowns.
It’s important to note, though, that there is nothing inherently insecure about the Internet or, by extension, the Internet of Things. But what they both share is a degree of blind faith in the unknown that simply isn’t mirrored in other areas of our lives where a comparable level of risk – abstract or definite – exists. Or to put it more harshly: both the Internet and the IoT are proof positive that the average user’s comfort with technology is not commensurate with their understanding of how it works and how it might go wrong.
The purpose of this feature is therefore to encourage readers, in both their personal and professional interactions with technology, to consider addressing that kind of knowledge gap before blindly embracing anything new. And this requires us to look beyond value – which the next feature in this publication examines in depth – and to weigh up a longer list of variables than we might be expecting.
Angles of Attack
I’m writing from something of a privileged position; I’m a technology commentator, speaking to an audience that, broadly speaking, is well-versed in technology. The average shopper, though, is going to make up the bulk of the consumer market for IoT-enabled products – and that goes for smart running shoes as much as it does for home automation. So, as product owners and potential platform holders, we owe it to our customers to consider the IoT from their point of view as well as ours.
That average shopper will soon walk into Best Buy (or your country’s equivalent, which, frustratingly, the UK does not have) and purchase an Internet-connected doorbell. Equipped with a camera and microphone, the doorbell will feed, via standard TCP/IP, to an app on their smartphone, allowing them to see who’s calling from anywhere in the house or, indeed, world. This kind of functionality has been achievable for a long time by privacy proponents and paranoiacs, but it is now penetrating the mainstream to become cool rather than borderline creepy.
The difference, of course, is that the DIY security expert of yesterday understood what he or she was doing and could limit their exposure accordingly. For today’s mainstream audience, that IoT doorbell is a convenience and nothing more. For someone with malicious intent, it’s what is called an attack vector, which is not coincidentally the same term we use to track the progression of particularly virulent physiological viruses.
What matters, for the purposes of this thought experiment, is not that the doorbell itself might be insecure (although a popular model was recently found to be storing WiFi access keys in unencrypted plaintext), but rather that it represents another attack vector towards its owner. And given predictions – documented earlier in this publication – about the volume of connected devices per person in the near future, this heightens the pitch of IoT security discussions because such attack vectors will soon surround people who have little, if any, idea that this is happening. People who are unlikely to take appropriate steps to guard against its potentially negative consequences.
Also contributing to the urgency of this discussion is the fact that connected devices will eventually become the only choice in certain categories. We may always be able to buy a “dumb” doorbell, for instance, but will our children ever have the option of buying a dumb car?
The latter category has already been stung by cybersecurity multiple times: last summer, Fiat Chrysler was forced to recall 1.4 million vehicles when it emerged that a hacker could remotely gain control of both non-essential systems (infotainment) and vital ones like brakes and steering . Is it fair to assume that the average Fiat owner knew that this level of compromise was possible? Did they even consciously choose an IoT-enabled vehicle?
To borrow another – albeit extreme – example of how IoT security flies under our radar, you may be wearing a fitness tracker of some kind on your wrist as you read this feature. If you also wore it when you typed your laptop login details or online banking credentials earlier today, it would be possible for me to intercept the log of its gyroscopes and other sensors the next time they are transmitted to your phone, and from there to interpret your passwords from the motions of your hand.
This is not terribly likely for two reasons. One, it would require me to study and model your typing patterns over time in order to have a chance of interpreting the information I stole. Two, it would not be very efficient; I’d be better served just looking over your shoulder. But it does call forth the spectre of the “hacker,” who we’re conditioned to think of as a master criminal, but who is more than likely a young man or woman parked down the street with a little radio antenna and a $40 Raspberry Pi – which is all the Fiat exploit required, and possibly all it would take to interfere with an IoT application in a retail environment.
Worldwide Wide Web
As our homes, cars, clothes, and computers become nodes in the same vast network, we expose each of those things to the Internet at large – a community that we know, whether we like to admit it or not, is not entirely benevolent.
Luckily, the expensive items on that list generally have a great deal of thought and R&D put into their security. And as we have seen, they get recalled when the reputation of their parent brand is at stake. As consumers, though, can we reasonably expect the same from an IoT doorbell, lightbulb, or smart training shoe? And as brand owners, can we promise the same from comparatively cheap, high volume goods? Or, in both instances, are we guilty of occasionally neglecting common sense when we’re presented with uncommon opportunities?
Which side of the IoT equation you fall on will depend on your reaction to the previous features in this publication. You may be satisfied to leave the innovation to others, or you may be fervently making notes for your own imminent IoT strategy. What you cannot be however, is apart from it entirely. Whether you’re buying or selling, the IoT will inevitably transform the way you live and work, and the remainder of this feature will provide some initial guidelines and thinking points for making sure your role in the future of your identity and your products’ identities is not a passive, intrusion-prone one.
As we have already established, individuals and industries tend to adopt technologies before they truly understand their impacts, concerned that they will be left behind otherwise. This has been true of many PLM implementations – particularly the earliest ones, where budgets and timescales overran dramatically, and project teams were airlifted out of their day jobs for years – and it will doubtless become true of an equal number of IoT strategies.
As any PLM project team member or manager will know, our attitudes are also extremely portable. We bring over our biases and bad habits from one generation of technology to another very easily, which is why the IoT Security Foundation recommends a clean sheet approach, with three principles that they feel (and I agree) should govern any IoT strategy or product:
- Security first – inbuilt from the start.
- Fit for purpose – security that is appropriate for the application.
- Resilience – security that lasts through the operating life of the product or application.
Interpretations of the second pillar will vary greatly depending on the individual application: an RFID authenticity programme, for instance, will be dramatically different in scope, scale, and cost than a multi-media marketing initiative or an industrial transformation through connected, automated machinery. But provided these and everything in between are built with appropriate security considerations in mind from the outset, they should be safe in a live environment – at least at the time they launch.
The third principle, however, raises some difficult questions because of the differences in disposability between garments and footwear themselves, and the IoT platforms they might interact with. Or, to put it another way, the consequences of a security breach at the product level and the platform level could be significantly different in terms of severity.
Once we, as an industry, roll out a technology like RFID or a new equivalent, it is likely to stay current for some time. The investment required in chips, readers, beacons and other infrastructure across retail stores, logistics hubs, warehouses and so on will not be recouped quickly. Which, by necessity, means that even if that technology is compromised, potential vulnerabilities may remain in the market for years or even decades if the identified holes cannot be cost-effectively plugged or patched.
In a market accustomed to short seasons and fast fashion, at the individual garment level the impact of these attack vectors is likely to be minimal. But in a structural sense, when entire retail intelligence, warehousing, inventory management, and authenticity systems are built on a common footing, a crack in that foundation could have devastating effects.
Take a further cautionary example from the automotive industry – one that became public knowledge just weeks before this publication went to press. Computer science researchers, who are luckily not hackers in the criminal sense, recently discovered that eavesdropping on the radio communication between a single Volkswagen vehicle and its owner’s key fob allowed them to reverse-engineer the handshake the two perform and then clone the fob, enabling them to unlock the car remotely at any time. This does not sound particularly major, I realise, but that’s because I haven’t told you the same cryptographic key that secured the car – and that was stolen – was also used in an estimated 100 million different Volkswagen-owned vehicles. And that same key is stored in various internal components of the car, so it cannot be remotely patched by the manufacturer.
While older cars – some dating back to 1995 are affected by the hack – are not IoT devices in the traditional sense, the same underlying technology is employed in a huge number of connected devices that do meet the criteria. So we now have a single security hole that suddenly affects huge numbers of existing customers and may prompt tens of millions in lost revenues if a recall is required – all because of a $40 radio device .
This is also only the tip of the iceberg. The Volkswagen group sued, in 2012, to keep a similar vulnerability – this time in the RFID transponder chip used in immobilisers across some VW, Audi, Porsche, Bentley, Fiat, Honda, Volvo, and Maserati models – out of the media. That gag order expired in the summer of 2015, and it was subsequently shown that the hack allowed a criminal – a “bad actor” in hacker parlance – to override keyless ignition systems and start these models of car without the owner being present .
Newer models – produced since the discoveries – will not have these vulnerabilities, but the two combined nevertheless serve as a case study for the kind of perfect storm that might conceivably affect the fashion and retail industry. These were single platforms, rolled out across multiple group brands, deployed in huge numbers of products owned by loyal customers, that, when compromised, affected millions and could not easily be fixed.
And this is without addressing the far more frightening prospect of industrial espionage. This may sound farfetched given that we’re talking about fashion rather than foreign policy, but as cost-effective manual manufacturing disappears from countries like China, large brands have already begun to move to robotic assembly lines to make footwear. And, like any connected device, the Programmable Logic Controllers (PLCs) that power these robots have proved vulnerable to intrusion.
This kind of cyber security breach reached the news several years ago, when the Stuxnet virus – widely theorised to have been the work of a Western government – emerged in the PLCs of Iranian nuclear facilities, destroying at least a fifth of the centrifuge machinery involved. Stuxnet is notable for our purposes because it also went beyond its original target and spread uncontrollably to other automated facilities involved in manufacture of entirely unrelated products.
So while it isn’t likely that your brand will be the target of state-sponsored subterfuge, it is conceivable that automated, IoT-enabled manufacturing facilities in less-than-stable regions may be compromised as collateral damage in non-traditional warfare.
Push and Pull
Security, of course, is never static. As the old adage goes, we build bigger walls; they build bigger ladders. As the IoT evolves and its value – examined in the next and final feature on the subject in this publication – becomes more apparent, the world’s biggest platform holders will establish new safety paradigms for their customers, and penetration testers will attempt to break them, in an ongoing cycle.
Case in point: Microsoft’s Windows 10 IoT Core is now in public beta, and in autumn 2015 the software giant announced that its Secure Boot and Bitlocker encryption technologies were being added to the platform to provide greater security from the kind of attacks seen in other IoT applications. Microsoft also began offering a DIY IoT starter pack for hobbyists – which is likely a precursor to wider, enterprise-grade applications in the near future.
As luck would have it, though, less than a month before this publication went to press, their master UEFI (Unified Extensible Firmware Interface) Secure Boot key was leaked, providing a convenient backdoor into essentially all commercially available Windows 10 devices – a list that, had the leak happened five years from now, might have included a lot more than laptops, tablets and smartphones .
And so it goes.
When it comes to understanding security in an IoT world, we must remember that for every smart person putting up safeguards, there is an equally smart person breaking them down. And like all genuinely world-changing technologies, the people and businesses looking to leverage the IoT in their personal and professional lives will do well to educate themselves a little before jumping in.
Because while the IoT will unquestionably be worldchanging, industry-altering, and even life-saving – and while the businesses who take the right actions now stand to benefit perhaps as much as those who saw e-commerce coming decades ago – standing out from the crowd doesn’t have to mean making yourself an easy target.
NB: This is an opinion piece, and these views are not necessarily shared by any of the interviewees, contributors, or advertisers featured anywhere in this publication.