Securing IoT in 2019 & Beyond - Part 1

Updated: Feb 18, 2020

1 Overview

Many sources estimate that by end of 2020, 50 billion Internet of Things (IoT) devices will be deployed worldwide leading to a > $1( ). IoT devices, active sensors, are specifically designed to connect to a TCP/IP network taking the data they are reporting on to corporate locations via the internet. Typically, they are Linux systems with applications on them to execute reporting and receive updates including any updated configurations. Once configured, there is very little management and oversight required...except from a cybersecurity perspective.

Typical IoT Capabilities Marketing

The Internet of Things (IoT) transforms industries around the world, and it’s not hard to see why. IoT solutions can help you unlock new revenue streams, improve efficiency and increase customer engagement and loyalty.

From a security perspective the active sensor, like any other node on the corporate network, requires the same protections in this heightened cybersecurity.

What is the track record of data breaches? The chart on the right can only conclude that since 2010, it has been getting exponentially worse.

Consider the following:

1. We are shortly heading towards >50,000,000,000 (50 billion) sensors on a network to “unlock new revenue streams, improve efficiency and increase customer engagement and loyalty”.

2. In 2015 Forrester Research reports ( ) that there have only been 2 billion computers sold over time, and that did not include mobile devices.

3. We are at the birth of extremely fast 5G bandwidth capability which is supposed to be 100 times faster than wireless speeds of 2018.

4. We have massive computing power

a. Quad core computers on a watch

b. Super computers

c. Quantum computers around the world

5. The massive increase of computer memory is now commonly >32GB per device

6. The massive increase of storage capabilities is now normally measured in Terabytes for desktop computers and Petabytes+ for high capacity server storage

7. There are nation states with global attack units that target any industry

a. China with PLA Unit 61398

i. ( )

b. North Korea with APT38 ( )

8. NSA hacking tools stolen and used by China to attack ( )

Referencing this list, ask the logical next question…

With the rapid growth of IoT devices, with limited security using 20+ year old aged security techniques and methods…

What Could Possibly Go Wrong?

Consider the initial introduction of these technologies over the decades:

We must learn from the lessons of the past!

Advanced security must be a forethought, part of

the design on the implementation of IoT!

Not an afterthought!

The stage is set for difficult cybersecurity times to occur with status-quo security maintained.

This paper examines the currently known issues and the steps which can be taken today to secure the IoT environment for any corporation, organization or the industry at large.

2 Cybersecurity IoT Issues

2.1 The Landscape

Considering the projections, including 2-3 IoT devices for every human on the planet within 3 years...and growing from there, there will be major opportunities for evil actors and nation states to wage an IoT Cyberwar to control humans and countries.

IoT devices lack even the most basic cybersecurity protections

Justin Sherman, cybersecurity policy fellow at the think-tank New America

Without advanced security and proper configuration, the IoT sensors will be able to attack an industrial or corporate network once the evil actors or nation states are inside the sensor. With the advent launch of 5G wireless service globally before the end of 2019, the ability to get into a corporate network is the largest target rich environment in the history of computing if not adequately secured.

The IoT hacks will no longer be about stolen credit cards, social security numbers or denial of service attacks, etc. IoT device attacks will be surrounding the citizens of ALL sovereign nations. IoT device attacks will soon provide access to trillions of real-world objects, not just digital data. Why? An active IoT device is pure and simply another node on a network, in most cases. If the security profile (authentication/identification, grades of encryption and trust establishment) is not tightened down to a level equivalent or beyond of what the US government defines as top-secret, an IoT attack has the propensity to cause real harm.

Consider some of the recent articles demonstrating IoT security issues today:

  • Hack of High-End Hotel Smart Locks Shows IoT Security Fail. Great features, very poor security –

  • IoT in the healthcare industry is most commonly used in infusion pumps & patient monitors. What are you doing to keep nation-state hackers, ransomware pirates, crypto-miners, and spear-phishers from impacting patients? –

  • “Consider a common Smart City initiative – Smart Metering. Now picture a metro utility being hacked, causing electrical outages or compromising customer’s personal information or payment data. These are potential large-scale events that affect entire communities, not just individual users. The potential risks and impacts are real. IBM and Poneman Institute research estimates that the average cost of a data breach is $3.86 million dollars. That’s enough to strain any city’s budget” –

  • Confirmed: 2 Billion Records Exposed in Massive Smart Home Device Breach

  • Over 283 attack surfaces on the Boeing 787 The level of connectivity in even a single aircraft – engines to flaps to landing gear and anything else that is connected to the 787 – represents a huge attack surface, including

-Action Spoofing -Insecure WiFi Channel

-Alteration of installed BIOS -Manipulating Writable Configuration files

-Device Hijack -Targeting Malware

-Faking the Data Source -WiFi Jamming

  • Threat of a Remote Cyberattack on Today's Aircraft Is Real…” It's not beyond the realm of possibility that a determined, properly prepared malicious actor could break into and compromise an airplane's network — without ever so much as entering the airport.” -

  • Autonomous Vehicles and the Threat of Hacking – “DRIVING 70 mph on the edge of downtown St. Louis when the exploit began to take hold. Though I hadn't touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass” –

3 The New Requirements

NCoded Communications presen