Over the last few decades, technological revolutions have completely changed the way we live. The personal computing revolution began in the early eighties – businesses began transitioning to a technology that allowed them to process data automatically, store it digitally and find it quickly and efficiently.
In the early nineties, the internet started to become commonplace in businesses and households in the Western world, changing the way we do our jobs, process data, store data and even communicate with one another.
While these revolutions worked together to enable the rapid growth of global businesses and personal communication, downsides were inevitable. These downsides began to appear after just a few years: potential loss of data, data theft and loss of goods or business efficiency became an unwanted by-product of technological advancement.
Some of the first attacks on these emerging technologies came from technological enthusiasts who wanted to test their abilities or show off their knowledge – like the Morris worm (1988) which, at least according to its creator, was intended to gauge the size of cyberspace. Many of the attacks that followed were built with clear, malicious intent.
The golden age of cyber-attacks began after the widespread adoption of the internet and personal computing by businesses around the world. Attackers had very strong incentives to turn opportunity into organized crime: the platform for attacks became endless as everyone had a computer. As most computers became connected to the internet, attackers could do anything they wanted from their home office, with very little risk of being exposed. It was easy: systems were not protected, the internet was not designed to prevent attacks, and there was an immediate, tangible impact that they would be able to capitalize on – stealing or destroying data, disrupting communications and access to websites, etc.
It quickly became evident that security had not been a priority when internet protocols were written or when the personal computing industry began. However, for adoption of these new technologies to grow exponentially, security needed to be taken seriously. Very quickly, security solutions started to emerge to enable a safe use of the new technologies, and major players in the growing computing industry (Microsoft, Intel and others) started to ‘bake’ security into their own products as a given.
Blockchain technology, which allows all transactions between parties to be recorded in a verifiable and permanent way, also increased the incentives for attackers – making it easier for them to stay anonymous, and yet still receive immediate profit on their work, in the form of ransomware, an industry that has grown exponentially in recent years (over $1bn in 2016 and still growing).
We are now on the verge of another major technological revolution: connected devices. Connectivity is becoming a must-have in anything we interact with; it allows physical devices to become sensors and actuators; it allows us to control devices when we are not physically close to them; it allows us to look into our devices, understand when they need to be serviced or whether they are likely to malfunction soon; it allows the devices themselves to make smart decisions – ones that will save us time or save us money, or ones that will make our lives more comfortable.
This revolution, too, has similar downsides, and as adoption grows these downsides start to appear. We are starting to see attackers, just like in the early days of the internet, testing out their abilities, tools and infrastructure. As the adoption of connected devices grows, we are certain that attacks will too. The drivers for the attackers in a connected world are far greater than in the internet revolution:
- Attackers have an even larger platform: billions of devices are already connected, and Gartner predicts exponential growth is expected in the next few years.
- Many more connectivity interfaces: in the past, most connectivity went through modems. Today, every device contains wired or wireless connectivity options and different protocols for different needs (WiFi, Z-wave, ZigBee, Ethernet, Bluetooth, BLE and many more).
- Devices are even more vulnerable: device manufacturers are rushing to market, focusing on performance and product efficiency, leaving security as an afterthought. The ecosystem is much larger today and allows device manufacturers much more flexibility – to choose from a variety of operating systems, mix their own code with outsourced code, embed open-source libraries – but this all means that it is much harder to maintain good practice of secure coding.
- The impact is greater and faster: causing data loss is only one of the options available to attackers when planning an attack in the IoT space. When they attack a connected device, the impact could well be physical, one that will affect our immediate environment and actions, putting our day-today activities at risk. For example, attackers can now lock smart locks in hotels, in a new, modern version of ransomware.
- Cyber-crime has proven to be successful for over two decades. The only change today is shifting the focus into the new space.
While there are many similarities between the technological advancements of different decades, there are also major differences:
- Personal computing was designed to allow the user to use different applications on the same system, in parallel. The IoT revolution assigns specific applications to every connected device. The device and the application are provided together (even if they were not written by the same software developer).
- Embedded devices usually do not have a graphic user interface, making it harder for attackers to exploit user weakness with social engineering, but also makes it harder for the user of the device to recognize if something is wrong.
- Security vendors build anti-virus and other applications which can run on operating systems to interfere with and prevent attempted malicious attacks. In the IoT space this task is much harder, where there is a big variety of hardware and operating systems in different devices, as well as low compute, storage and power resources that can necessarily support additional applications on the device.
The conclusion is obvious: the only ones able to ensure security and trust in the connected device ecosystem are the device makers; they are in a unique position to bake security into their devices. As history has taught us, security cannot be an afterthought, and cannot be built on top of a device, especially not a connected device.
VDOO provides a platform for IoT makers to allow the secure development of connected devices and ensure the safety of the IoT revolution.