Your system may not be as safe as you think…
Luís Madeira, Techsensys security expert, talked to us about information systems, security in general and some security-related specifics of IoT technology.
This article has been edited for clarity and brevity (text in quotes is a direct citation) – it is based on a long conversation with Luís Madeira, a software engineer and security expert who has developed systems for just about any type of client you can imagine – corporations big and small, national administration branches and foreign governments, you name it – he’s done it.
Luís has had a lifelong interest in computer security, which probably started at age 7, when he got his first computer, and then progressed to exploring BBSs and learning how to exploit information system vulnerabilities in a completely self-taught manner; software engineering was the natural career path.
To this day he credits his success building secure frameworks with these early-developed hacking skills – because as Luís himself puts it “you must know how to attack a system, in order to build effective defenses around it”.
Currently, among other projects, he develops solutions with Techsensys, the IoT partner of Outfit – Tailored Agile Solutions.
SYSTEMS SECURITY – TODAY’S HOT TOPIC
This is, for the most part, an area that remains “in the shadows”, somewhat obscure and out of the picture – right up to the point where something happens with real and visible impact on people’s lives.
The recent growing interest in this topic has much to do with some high-profile attacks, such as the DDoS attack that happened a few months ago on Dyn DNS servers, a network that hosts critical services for the likes of Amazon and Facebook – this attack effectively crippled many of their services, in some cases shutting them down entirely for several hours – and that is something that gets people’s attention.
But still, when people think about cyber security, they tend to have a very narrow-minded, tunnel-vision type of focus on the problem at hand – for the most part, the general public and the corporate client are oblivious to the real dangers that are out there.
“I firmly believe that – as low as the standards are, most of what is the security of Information Systems is built upon the unawareness of the general public”
“People tend to think that inserting a pen (Rubber Ducky) in a computer that sucks up all the information, or hacking a device remotely, from a van parked across the street, are almost sci-fi, Hollywood movie type scenarios – but they’re not. Just check out the demos and lectures at DEF CON (security convention): every year something new and outrageous shows up…”
Luís Madeira – IoT solutions developer and security expert (Techsensys)
THE GENERAL PUBLIC – “AVERAGE JOE”
The average “civilian” user – the tech-savvy person with a smartphone, a laptop, the type that uses social networks and has some degree of technological literacy, is completely oblivious not only to security issues, but to the most basic privacy protection practices.
People generally have no idea that their smartphones can give away information as to where they’ve been, for how long, to which networks they were connected, and so on. You can basically track someone, find out where they live, where they work, where they shop, based on these very tiny pieces of information.
And how hard is it to get that information? The fact is you don’t even need physical access to the device.
Someone carrying around a Raspberry Pi connected to a powerbank in his pocket can walk around any given area picking up all this information from surrounding phones.
“I was involved in a project for the banking industry, where I had to install a piece of software on my smartphone that picked up information on credit cards – then I was with a coworker on an elevator, and my phone started buzzing… It had just picked up all of his contactless credit card information. I mean everything – full number, CVV, name, and more than that – a record of his last 10 transactions… It was scary. And anyone can do this, it’s not rocket science.”
In these types of scenarios, we’re talking about someone being deliberately targeted by a hacker, for whatever purpose – getting information for resale, identity theft, whatever.
But far more dangerous situations, because they’re more frequent, are cases of negligence – people give away too much personal information, whether knowingly (they might think – hey, I got nothing to hide) or because they don’t bother to read the terms of service of an application or online service they started using, and all of a sudden their whole lives are being looked at under a microscope, for what in the best-case scenario are data mining operations, and in the worst-case scenario might be very elaborate identity thefts.
And this carefree attitude towards privacy issues can have repercussions for companies, too, because people tend to access all sorts of webpages, apps and services on their work computers – they take pen drives home with sensitive information without having an encryption system in place, and so forth.
“You can have all the bells and whistles on your system, the “illusion of safety” as I call it – but if the system must function within a larger framework, and it usually does, and that framework hasn’t been properly secured, it amounts to nothing. I can have a setup that doesn’t allow for SQL injection, XSS scripting, the whole nine yards – but then you have a flaw in the larger infrastructure, negligent user behavior or a social engineering based intrusion – and I get root access to the server. Boom. Game over.”
THE CORPORATE CLIENT
The average corporate client, and this is a gross generalization, is usually more informed than the average public – but only slightly so.
Usually the main priority of the corporate client is the data – where’s my data? Who can access the data? – and understandably so, because we’re often speaking of information that’s worth a lot of money – proprietary material, the source code for an application, etc.
So, the corporate client is very concerned with this particular aspect of security, because of the menace of industrial espionage, but will frequently be completely ignorant of many other “angles of attack”.
“For instance, if a hacker manages to install some form of ransomware on [a company’s] system, denying them access to critical information and demanding to get paid to cease the attack; or if he cracks a protocol of communication between sensors and main system, by installing a “man in the middle” and effectively renders the sensors useless until they agree to pay up… These are all possible strategies that must be accounted for, and dealt with.”
And the use of these tactics is growing in number and intensity, because the knowledge necessary to perform this type of action is readily available online – and corporations are high-value targets, willing to pay up if they see any danger to their business.
“There is a need for a cultural change – and to see system security as an ongoing effort. I update all our servers every three days. We’re constantly tracking the latest news from the hacking community on any new exploits that might affect our systems. We have independent audits all the time – this is very important, to get someone from outside the team that designed the system, to conduct penetration and security tests, I can’t stress this enough.”
SECURITY – THE BIG BAD WOLF OF IOT
Security issues are constantly portrayed as the “big bad wolf” of IoT – and to a given extent, rightly so; but what makes the IoT ecosystem so unique that it requires specialized knowledge?
When we talk about IoT systems, we’re usually talking about sensors that measure some form of environmental data – temperature, humidity, when a car or person moves up to a doorway – and then communicate with a main system in order to trigger an appropriate action: adjust the air conditioning, adjust the watering system in a greenhouse, open a door or gateway, etc.
Threats to this type of system would involve interfering with one or more elements in this chain of events.
“The classic example that we give is: examine a nuclear central, where someone hijacks the core temperature sensor – so the cooling system doesn’t “know” the core is over-heating and never kicks in, and we ultimately have a meltdown. It’s an exaggerated example, of course, but it illustrates the point.”
NOTE: there has already been an attack of this sort, on an apartment building complex in Finland – it caused the systems to enter an endless cycle of rebooting, leaving the residents with no central heating and only cold showers.
The IoT ecosystem, as with any emerging field, had many problems that were the fruit of experimentation with a new technology and using components that weren’t optimized for security – using Bluetooth for communication, for instance, which is terrible from a security perspective, is a perfect example.
Nowadays, we have access to much more evolved sensors and communication procedures that involve end-to-end data encryption, use of tokens and IP whitelists, and other strategies.
“IoT is not, by default, any more or any less safe than any other approach. It’s all about the choice of the components and how you design the system. You can have IoT based systems that are completely safe, and very sketchy traditional solutions. You must be aware of the pressure points of any given system – there are pressure points in the sensor array; there are pressure points in the communications protocols; there are pressure points in the infrastructure – and ultimately there’s a massive pressure point in what concerns the end user security education. All these must be addressed.”
– The Techsensys Team
IoT systems are neither safe nor unsafe by default – it’s all about how the system is designed in the first place, user education and the maintenance procedures that occur on a regular basis.
The main takeaways for anyone thinking about implementing an IoT based system, as far as security goes, are:
1 – Expert Services
Rely only on the services of top-level professionals who are specifically trained to design and implement a solution for your particular needs.
Techsensys and Outfit – Tailored Agile Solutions strive to offer the best in the IoT field, joining the expertise of Techsensys in components and system design with Outfit’s know-how in software integration and user-friendly solutions, using a platform that complies with the highest standards of security in the market.
Outfit and Techsensys offer end-to-end solutions, secure by design, and fully tailored to fit the best interests of the end client and user.
2 – Mind the Pressure Points
Be mindful of all the pressure points in all the different layers that comprise your system: sensors, communication, infrastructures and system integration, end user security and privacy procedures.
3 – Constant Maintenance / Updates
After the system’s been installed, no matter how nifty, don’t fall asleep at the wheel!
Conduct proper maintenance, making sure the professionals you hire to do this are up to speed on all the latest security protocols, and knowledgeable about all the available hacks and exploits coming from the hacking community.
4 – Periodic External Audits
Aside from routine security tests and check-ups, which should be conducted on a weekly basis, get an external team, one that had nothing to do with the design and implementation of your system, to conduct security and penetration tests.
It is extremely important to benchmark your system based on the possibly more disruptive views an outside team might have.
5 – Preventive Medicine is the Best
Foster a culture of proper security and privacy best practices, rather than waiting for something to happen and then bolting down the doors!
Take the time to properly educate everyone that must deal with any of the elements in your IoT chain – from the sensors at the very beginning to the user console at the very end.
“Ultimately, we have to realize we’ll never have a foolproof system. It’s impossible to make a system impervious to all sorts of tampering – whether it’s by brute force, or elaborate social engineering strategies, there’s always a way in. The key is to make their job so difficult, so time consuming, so cost-ineffective, that the would-be perpetrators simply don’t bother to try anything and move on to weaker prey.”
Exactly how vulnerable are we to a knowledgeable hacker’s attack? Just a few examples:
Killing a car’s braking system via Wi-Fi, or hijacking its controls from miles away – surely that’s Hollywood sci-fi stuff?…
How about ATM machines?
Hitting the Jackpot – Def Con 24 demo of another way an ATM machine can be hacked.
IoT is here to stay – choosing to ignore this fact is not only giving away tremendous competitive advantage, it’s actually falling behind in the current business landscape.
Organizations can get that extra edge by using an IoT solution that allows process and workflow optimization, cutting down waste and better control of your company’s production process, among other advantages.
At Outfit – Tailored Agile Solutions and Techsensys we are constantly adapting to address the realities of hacker behavior, mistake-prone humans, and the robustness of the equipment in play.
We develop IoT projects that feature state-of-the-art components and design, incorporated into an OutSystems-based software solution that allows for unparalleled speed and scalability.
All our solutions include Multi-Layer Security features, such as:
Privacy and controlled access to the information: user access control with authentication.
Secure storage and transmission of the information: encrypted database and communications.
Secure device management: token-based authentication to prevent unauthorized access.
Secure integration with 3rd party systems: API key management for integrator access control.