IoT – like Internet of Trouble

Right now IoT, acronym for Internet of Things, is undoubtedly among the most popular buzzwords in the IT industry. And there is no doubt that we could compile some relevant business cases if we suddenly managed to get everything to be so easy and connected as we’ve become used to like with smartphones. Devices we previously could not get data from – or rather to a very limited extent, can now – or will soon – give us factual, detailed and real time information.

This will give us enormous insight and overview in business, and based on these data companies will implement totally new and optimised business processes.

One example is the Smart City projects in some of the Danish cities. Here you use registered data via WiFi Beacons to find out how many cars are on the motorway, approach roads and bypasses. Or you can use real-time data from different meters for heat, electricity, rain water, temperature, etc. for energy optimisation of district heating production.

Why Internet of Trouble?

Now, in 2018, we have gradually come so far with IoT that almost all new electronic devices and dimmers can be connected to the network via wireless protocol – and this is where the Internet of Trouble begins.

On wireless networks we raise the security with standards such as e.g. dot1x, WPA2 and Cisco ISE – to name a few. But the matter security is not necessarily highest on the agenda of The Manufacturer of the Thing.

Because the WiFi chip and related driver that the manufacturer has bought, is of course bought from the supplier with the best price. And this poses a challenge because almost every device I have encountered can only approve wireless networks like OPEN, Static WEP or WPA2-PSK. The same PSK for potentially hundreds or thousands of devices is the best recipe for a really bad idea!
It must be said, though, that we with Cisco ISE have more control over such PSK IoT networks by assigning each device its own PSK on the same SSID. This method brings someone like me a little more ease to my WiFi soul, but it is a huge administrative burden to manage all these keys and devices. Nevertheless, the challenges do not stop here.

Many holes in the WiFi

Not only do the dimmers you want to connect not support any of the modern authentication methods, but the actual methods of implementation are in themselves inadequate. In practice this means that everything we had ensured was secure suddenly has many holes. Unfortunately, this also applies to the professional dimmers, and not just the ones we connect to our private network at home. And I have a few really nasty and very classic examples that I myself have been watching live.

Kidnapping or sabotage

You should also note that compromise doesn’t necessarily have to be at home in your personal kettle. It could also easily be one of the devices integrated in the production’s network and TA-DA, the crook suddenly has a key to the wireless production system. And perhaps even worse – he has control over something in the production network that performs an important function. A function that can now be changed, where sabotage resulting in production errors can become a reality.

If you discover that you have been hacked and the code has been stolen, you will have to change the PSK on ALL devices immediately.

The other scenario is that the wireless device gets “kidnapped” (like the kettle above) and emptied of all important data. When do you discover that it is gone? Would you find out at all – and is monitoring of all devices even included in you IoT project? It would be a pure nightmare, because I have yet to see an MDM – Mobile Device Management – or IoTDM for any of these systems that would make it easy.

What to do!

1: Make demands of supplier’s security on these wireless IoT clients
Dot1x with WPA2 (EAP) in reality is not a very modern authentication method. It has existed for MANY years and is therefore a must have and not optional.
Management Frame Protection 802.11w is significantly more modern and thus probably not supported by the latest dimmers. If I had to buy new equipment today, this would feature high on my requirements list.

2: Securing the IoT network
With the uncertainties of 1st  generation IoT products, we will not be putting IoT devices directly on the production network.
I cannot recommend enough that they must be put into their own segment, and from here to use every trick in the (security) book/toolbox to secure the rest of the network such as Firewalls, Firepower, ISE, Netflow and SGT. Namely: Isolated network for dimmers!

Add ISE and Netflow to profile equipment and assess whether there is suddenly new and different traffic form these devices. However, profiling could also be a fix with no end if you have many different devices.

3: Wait for generation 2!
Often it is attractive to be the first mover. And with all the attention surrounding IoT, no-one can sit around being ignorant. But in exactly this case it could be both risky and fatal to be the first one with the coolest stuff.

If we take a look at what the big software houses have in their jar, we can see Microsoft with their Windows 10 Core for Raspberry: https://www.raspberrypi.org/blog/windows-10-core-iot-starter-pack/ Or Google’s Brillo project: https://developers.google.com/brillo/

Both these operating systems are from software providers we can trust far more than an electric kettle from Aldi. We can only hope that the development of these OSs goes in the direction of smartphone, opening the possibility of MDM and other opportunities for control and management.

The worst thing in this comparison, however, is the way these devices actually got into the business to start off with – if there’s anyone that can remember. HINT: The boss got a new dimmer that is just so smart, and just HAS TO BE online. And of course he MUST be able to see AND control it from his laptop.

And here is where the fun really begins.

Just wait until we get IPv6, where everything suddenly has the correct IP!

By Thomas Obbekær Thomsen, Network Systems Engineer, Conscia
An impassioned tech nerd and a Wild Wireless Wizard. Has worked with wireless since way back in 2008, and has a “dark” background in IP telephony. Works with design and implementation of anything wireless, from tiny installations to solutions with several thousand same time access points and clients. Whenever possible, Thomas Obbekær Thomsen gladly digs deep into the technology.
Certifications: CCNA, CCNA Wireless, CCNP Wireless, CCNP R/S, as well as other specialisations.