Vulnerable "Smart" Devices Make an Internet of Insecure Things
Yet backdoors and other insecure channels have been found in many such devices, opening them to possible hacks, botnets, and other cyber mischief. Although the widely touted hack of smart refrigerators earlier this year has since been debunked, there’s still no shortage of vulnerabilities in the emerging network appliance so-called Internet of Things.
Enter, then, one of the world’s top research centers devoted to IT security, boasting 700 students in this growing field, the Horst Gortz Institute for IT Security at Ruhr-University Bochum in Germany. A research group at HGI, led by Christof Paar—professor and chair for embedded system at the Institute—has been discovering and helping manufacturers patch security holes in Internet-of-Things devices like appliances, cars, and the wireless routers they connect with.
Paar, who is also adjunct professor of electrical and computer engineering at the University of Massachusetts at Amherst, says there are good engineering, technological, and even cultural reasons why industrial computer security of the Internet of Things is a very hard problem.
For starters, it’s hard enough to get people to update their laptops and smartphones with the latest security patches. Imagine, then, a world where everything from your garage door opener, your coffeemaker, your eyeglasses, and even your running shoes have possible vulnerabilities. And the onus is entirely on you to download and install firmware updates—if there are any.
Of the network appliance scores of papers and research reports the Embedded System group publishes, Paar says one of the most often overlooked factors behind hacking is not technological vulnerabilities but economic ones.
“There’s a reason that a lot of this hacking happens in countries that are economically not that well off,” Paar says. “I think most people would way prefer having a good job in Silicon Valley or in a well-paying European company—rather than doing illegal stuff and trying to sell their services.”
But as long as there are industrial computer hackers, whatever their circumstances and countries of origin, Paar says smart engineering and present-day technology can stop most of them in their tracks.
“Our premise is that it’s not that easy to do embedded system right, and that essentially has been confirmed,” he says. “There are very few systems we looked at that we couldn’t break. The shocking thing is the technology is there to get the security right. If you use state of the art technology, you can build systems that are very secure for practical applications.”