Kirill Shilov

@kirillshilov

Will you be able to keep your IoT devices away from hackers?

February 25th 2019

While you’re thinking about a future dominated by robots and holograms, or at least “smarter” phones, studies show that these technological inventions are meant to enhance our entertainment and not actually improve our day-to-day tasks. The real potential of disruption is owned by the Internet of Things (IoT) industry.

Big companies, such as Samsung, Qualcomm, LG, Huawei, and Intel, have already seen this and are all filing patents in the hope of establishing product leadership in the future. How many patents, you may ask? These five companies combined hold over 13,300 IoT patents to date, which makes IoT one of today’s most-researched emerging markets.

Let’s look at the state of the IoT market at the beginning of 2019:

  • 7 billion IoT devices
  • 17 billion connected devices
  • $151 billion IoT market valuation
  • $64 billion worth of Industry 4.0 products and services
  • 90% of senior execs in technology, media, and telecommunications industries say IoT is critical to some or all lines of their business

If you can’t properly understand the significance of these numbers by themselves, let us explain this market growth like this: If the industry continues to evolve at the same speed, the number of IoT devices will exceed the number of smartphones in the next three years!

https://iot-analytics.com/state-of-the-iot-update-q1-q2-2018-number-of-iot-devices-now-7b/

With more than 18 billion IoT devices in consumers’ homes, industry experts and potential customers are questioning their security. And they are perfectly right to do so. Currently, 80% of existing IoT devices are not adequately secured.

Why is IoT device security so weak?

The security issues that befall IoT devices are not new. The IoT industry might seem new, but having smart appliances in our homes is definitely not. The first Internet-connected appliance was invented as early as 1982: a Coke vending machine. From there, the industry saw efforts from Microsoft and P&G in 1999 and from Helsinki University of Technology in 2002 (when the term “Internet of Things” was first used), and finally the concept we’re studying today was born in 2008. That is more than 10 years of innovation, and yet the security issues remain unresolved.

The risks can be understood by looking back to 2016, when the biggest DDoS attack at the time occurred. A Denial-of-Service (DoS) attack is when a machine connected to the Internet is used to “flood” a targeted server with superfluous requests, making it unavailable for an extended period of time. Given that most companies host their software not on one machine but on an entire warehouse’s worth of servers, a one-on-one attack seems useless. But let’s look at the extra “D” in DDoS: a Distributed DoS attack. That’s when the hacker uses multiple machines to perform the flooding attack.

  • The attacker can buy and install all these computers in their home, but that is highly unlikely. Even if they have the funds, it’ll be so easy to track the massive purchase or their physical location.
  • They can infect people’s computers or phones. But since most of the operating systems now come with pre-installed firewall and antivirus programs, this method is becoming less feasible.
  • Or the attacker can leverage a network of poorly-secured IoT devices sitting in people’s homes all over the world and direct their computational power towards a target server. That’s the easy solution right there.

That’s exactly what happened in 2016, when the attacker developed the Mirai malware, which searched for IoT devices that were still using the default password. The result was devastating. And the next attack happened less than a month after the first, shutting down Amazon, SoundCloud, Reddit, Spotify, and many other websites all at once!

https://blog.cloudflare.com/inside-mirai-the-infamous-iot-botnet-a-retrospective-analysis/

A network of 18 billion unprotected IoT devices is not only dangerous for their actual owners, but it could put the entire open Internet in danger.
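The difference between a DoS and a DDoS flood described above, seen from the defender's side. This is an added example, not code from the original article; the thresholds and the (second, source) events are constructed for illustration. It shows why a per-source request limit stops one flooding host but lets a distributed flood through unless total volume and source count are also watched.

```python
from collections import Counter

PER_SOURCE_LIMIT = 100  # assumed: max requests one source may send per second
TOTAL_LIMIT = 600       # assumed: total requests per second the server can absorb
MIN_SOURCES = 50        # assumed: distinct sources needed to call a flood "distributed"

def build_sample():
    """Constructed (second, source_ip) events standing in for parsed access-log lines."""
    events = [(0, "198.51.100.7")] * 500                       # second 0: one host floods
    events += [(0, f"192.0.2.{i}") for i in range(1, 21)]      # plus 20 ordinary clients
    events += [(1, f"203.0.113.{i}")                           # second 1: 200 hosts,
               for i in range(1, 201) for _ in range(5)]       # only 5 requests each
    events += [(2, f"192.0.2.{i}") for i in range(1, 21)]      # second 2: ordinary traffic
    return events

def analyse(events):
    """Classify each one-second window and report what a per-source limit lets through."""
    windows = {}
    for second, src in events:
        windows.setdefault(second, Counter())[src] += 1
    findings = {}
    for second, counts in sorted(windows.items()):
        noisy = sorted(s for s, n in counts.items() if n > PER_SOURCE_LIMIT)
        # Requests still reaching the server after every over-limit source is dropped.
        passed = sum(n for s, n in counts.items() if s not in noisy)
        if passed > TOTAL_LIMIT and len(counts) >= MIN_SOURCES:
            verdict = "distributed flood"
        elif noisy:
            verdict = "single-source flood"
        else:
            verdict = "normal"
        findings[second] = (verdict, len(counts), passed)
    return findings

if __name__ == "__main__":
    for second, (verdict, sources, passed) in analyse(build_sample()).items():
        print(f"t={second}s  {verdict:<20} sources={sources:<4} passed_per_source_limit={passed}")
```

In the constructed second 1, no single device exceeds the per-source limit, yet the server still receives 1,000 requests, which is the situation a botnet of many small devices creates.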

Is there any solution for securing IoT devices?

The problem is rooted in how IoT systems are developed. The proposed architecture is centralized and ineffective: devices have to connect to a central cloud server to perform their operations. It can be Google Cloud IoT, Amazon’s AWS IoT, Apple’s HomeKit, you name it. Even with these companies’ proven years of experience in IT, having the iCloud and Gmail cloud-related hacks on their records makes you think twice before trusting their system security.

How can we solve their centralization issue? With the opposite approach: a decentralized system. The decentralized IoT ecosystem that we’re thinking about is based on blockchain technology. In this way:

  • Network protection — An attacker has to compromise the entire network, not only a single node for a successful attack.
  • Always up to date — The nodes stay synchronized by default.
  • No individual vulnerabilities — Each device becomes a node in a network, moving the point of failure from the individual device to the entire decentralized network.

In simple words: the blockchain enables IoT devices to protect themselves.

https://vecap.io/

So who is there to provide a solution to our grim future? We found interesting applications among blockchain IoT providers, such as IoT Chain, which is developing an IoT operating system; The Watson IoT Platform, which proposes a solution that moves the data onto a private blockchain; and Atonomi, whose infrastructure is based on the device’s identity and reputation within the network. Even the most popular blockchain-based IoT project at the moment, IOTA, can be counted, although its solution is focused on the transactional and data transfer aspect. That’s actually the common problem of these projects: they are focused more on solving other issues than on solving the security problems that we have right now.

One blockchain-based project, though, comes as security-first: VeCap. Its solution is not an enhancement of the device’s built-in security functions. It is actually bypassing the device’s security altogether, moving the security to a unified decentralized network. That is exactly the blockchain solution that had been previously discussed. But their ambition goes even further. Instead of having a network for each individual, imagine having a global network formed out of all the active devices in the world! That’s pretty bold, right? In this case, a hacker will need to hack at least 51% of the devices in order to compromise the network. We’re speaking about millions of IoT devices in tens of thousands of homes and offices. It’s not too far-fetched to claim that this task sounds impossible.

The road to a global IoT network

A global network, in order to remain secure, needs a gatekeeper. However, if there’s a party in charge of keeping people in or out, the network is no longer decentralized, right? VeCap found a workaround for this. The network can be joined by anyone at any time under two conditions:

  • Use a VeCap certified device — There’s no centralization at the network level, but it still gives too much competitive power to VeCap as a company. That’s why there’s a second option…
  • Use the VeCap adapter to connect an uncertified device.

Basically, anyone with any type of device can join the network. There is a level of security, but it’s not under the control of any one party.

That’s the security-first approach that IoT desperately needs right now. The focus on individual devices and single-purpose applications born from the greed of software companies and device manufacturers has distanced us from a unified standard. This problem of lack of interoperability was recognized by the European Commission when in 2017 they introduced The European Interoperability Framework (EIF), which gives specific guidance on how to set up interoperable digital public services.

This reluctance between companies is typical when it comes to new technologies. VHS fought for a long time before it became the standard for videotapes. Power outlets are still not standardized around the world to this day. We have a long way to go, but with the VeCap solution already proposed for IoT, are you willing to wait for these vendors to agree with each other in such a competitive market, or are you going to help it become a reality?

How close are we to Internet failure?

Since that initial attack on IoT devices in 2016, in only 3 years 20% of all companies faced at least one cyber attack on their IoT devices. One report shows that 97% of these attacks can be catastrophic for the organization, with potential losses up to 13% of its revenue. These are alarming numbers, given that hackers need less than a minute to gain access to an unprotected device. Manufacturers alone can’t keep up with the attackers anymore. But that’s where projects like VeCap could take the security concerns off their shoulders and bring confidence to adopters.
