

The Sheer Difficulty of Securing the Internet of Things

When everything's connected, any door will do.
As more things get connected, more things can be hacked. Image: Samsung/Flickr

It's well-understood that the cornucopia of devices that make up the growing Internet of Things can be hacked. But there's another side to the coin, too: Infected things—think vending machines or an office printer—can also be used as a vector into other systems. To put it bluntly, when everything's connected, any door will do.

That's the conclusion of a fascinating New York Times article about hacking the IoT. It sounds like brain-bending future talk, to an extent; that malicious code is able to hide inside vending machines with wi-fi and attack other objects is just cause for raised eyebrows. But security experts have long understood that hacking a corporate network via some Internet-connected object was more or less inevitable, and it comes down to an intrinsic part of how connected objects work.


Zachary Peterson, a security expert who teaches at the California Polytechnic State University, told me the rub is that the vast majority of cheaply produced modern computer hardware—CPUs, motherboards, RAM, etc.—is able to execute what’s called “arbitrary code,” or (essentially) just about any code you want.

The flexibility of hardware when it comes to programming is great when you need to develop a system to connect multiple objects to the web. For example, a soda machine and a candy vending machine are both great use cases for adding connectivity, but are just different enough that each would need its own software package. If the hardware each used wasn't flexible, it'd mean designing discrete hardware for each, something Peterson said would be too costly to be feasible.

But if hardware can run arbitrary code, it can be exploited. Arbitrary code execution allows an attacker to run his or her own program with few hardware mechanisms in existence to prevent it, which is a dangerous form of attack, and one that can theoretically infect a wide range of connected hardware. And if that hardware can take instructions from the web, it's far more accessible to hackers.

That’s the essential security problem for the Internet of Things: It's built on hardware with technical vulnerabilities similar to those of PCs. Since a wide range of potential attackers, from individual hackers to governments, know this, breaches are inevitable. Stuxnet is perhaps the best-known virus to attack physical hardware, but the vulnerabilities of the IoT have already been shown to be wide-ranging.


For the IoT to work, at least for the moment, the potential for attack is a necessary evil. Hardware that runs arbitrary code is cheap, and the alternatives are not: building hardware that can do only a single thing and still plug into the internet is prohibitively expensive, according to Peterson.

On the software side, the idea of internet-connected objects also presents security concerns, much like the vulnerability we reported on yesterday. While there is an enormous amount of industry knowledge about how to secure “traditional” apps, security expert Nitesh Dhanjani told me, there is little expertise on how to build secure code for connected devices. “There’s no knowledge, no textbooks, and few use cases for writing secure code for an Internet-connected sensor-based physical device,” he said.

The lack of knowledge on secure IoT programming is surely already changing, and will evolve into something resembling the far more sophisticated level of app security, but it’s not happening overnight, Dhanjani told me.

In addition to the hardware and software aspects of securing the IoT, people’s understanding of new technologies also plays an important role. At the corporate level that generally involves understanding how each new gadget—such as a web-enabled TV—interacts with the ‘net, and what it can and cannot access.

“It’s difficult to defend networks because it’s hard to figure out where to put things,” Cisco security expert Bret Hartman told me. Basically, the more gadgets that end up getting connected, the greater the vulnerability becomes—especially when there are large numbers of new things hooked up. “It’s impossible to make a system perfectly secure.”


Hartman is talking about corporate networks with sophisticated IT departments, often staffed by several people whose sole job it is to look at security. But, at home, the security challenges are even greater, partly because time and time again, people have shown they prefer ease-of-use over security.

At home, as thermostats, cars, baby monitors, and everything else join the web, one primary “attack surface”—the term security researchers use to describe the target of network penetration—is the router. “Home routers have a history of weak security, including flaws that allow remote compromise of the internal network,” said security expert Josh Yavor. In addition to technical flaws in the way the administration panel is set up, usually as some kind of web interface, there are numerous other methods of infiltrating a home network.

Another common way for hackers to gain access to a home network is via malicious software installed on a home computer or smartphone, Dhanjani said. Once an attacker has access to a machine, it’s (again) straightforward to compromise any of the other devices connected to the network: a single vector can be used to attack a whole household of devices if they all communicate across the same network.
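The point above, together with Hartman's earlier one about knowing what each gadget can and cannot access, is in practice an inventory and policy problem. The following Python is an added example, not code from the article or from any of the companies or experts it quotes. It takes a constructed flow log and a hand-written per-device allowlist and flags the two things a defender most wants to see on a flat household network: a device reaching a destination it has no business contacting, and device-to-device traffic inside the LAN, which is exactly the path a compromised laptop would use against a baby monitor. Every device name, address and destination in it is an assumption made up for illustration.

```python
"""Per-device egress allowlist check for a flat home network (added example).

Assumptions: a constructed flow log of (source IP, destination, port) records and
a hand-written allowlist of what each device is expected to talk to. None of the
addresses or hostnames below are real; they are illustrative placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")  # assumed home subnet

# Constructed policy: the destinations each device is expected to reach.
# Keys are device IPs; values are (hostname-or-"*", port) pairs.
ALLOWLIST = {
    "192.168.1.20": {("thermostat.example.net", 443)},      # thermostat: one cloud endpoint
    "192.168.1.21": {("cam.example.net", 443)},             # baby monitor: one cloud endpoint
    "192.168.1.30": {("*", 443), ("*", 80), ("*", 53)},     # laptop: general web and DNS
}


@dataclass(frozen=True)
class Flow:
    src: str    # source device IP
    dst: str    # destination IP or hostname
    dport: int  # destination port


def is_lateral(flow: Flow) -> bool:
    """True when both ends sit inside the LAN, i.e. device-to-device traffic."""
    try:
        return ip_address(flow.src) in LAN and ip_address(flow.dst) in LAN
    except ValueError:
        return False  # a hostname destination is not an internal address


def is_allowed(flow: Flow, allowlist=ALLOWLIST) -> bool:
    """True when the device's policy permits this destination and port."""
    rules = allowlist.get(flow.src)
    if rules is None:
        return False  # unknown device: it has no expected traffic at all
    return any((host == "*" or host == flow.dst) and port == flow.dport
               for host, port in rules)


def classify(flows, allowlist=ALLOWLIST):
    """Return (flow, verdict) pairs for every flow that deserves a look.

    Verdicts: "lateral" for LAN-internal traffic between devices, and
    "unexpected-egress" for outbound traffic outside the device's policy.
    Flows that match policy are not reported.
    """
    findings = []
    for f in flows:
        if is_lateral(f):
            findings.append((f, "lateral"))
        elif not is_allowed(f, allowlist):
            findings.append((f, "unexpected-egress"))
    return findings


# Constructed sample flows, as a router or sensor might have logged them.
SAMPLE_FLOWS = [
    Flow("192.168.1.20", "thermostat.example.net", 443),  # thermostat, expected
    Flow("192.168.1.21", "cam.example.net", 443),          # baby monitor, expected
    Flow("192.168.1.30", "192.168.1.21", 554),             # laptop -> baby monitor: lateral
    Flow("192.168.1.20", "203.0.113.9", 6667),             # thermostat -> unknown host/port
    Flow("192.168.1.99", "198.51.100.7", 443),             # device nobody inventoried
]

if __name__ == "__main__":
    for flow, verdict in classify(SAMPLE_FLOWS):
        print(f"{verdict:17} {flow.src} -> {flow.dst}:{flow.dport}")
```

The design choice worth noting is that an unknown source device is treated as a finding rather than ignored: on a network where "any door will do", a gadget that is not in the inventory is as much of a gap as a known one behaving oddly. Lateral traffic is reported for review rather than blocked outright, since some of it (a phone viewing the camera) is legitimate; the value is in making it visible so the household can decide what should actually be allowed.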

Thus far the attacks on this new generation of objects connected to the Internet aren’t occurring at the same regularity as typical hacks. That’s something that will undoubtedly change quickly, Dhanjani said, especially as the number of connected devices—be they in people's homes or offices—grows.

Also changing is the approach to defense. McAfee today outlined its own guidelines for securing the IoT, which essentially boils down to ensuring that each individual device has its own built-in security measures, instead of trying to figure out how to secure a growing ecosystem after it's already been deployed.