On Oct. 21, hackers took control of thousands, if not millions, of internet-connected devices and directed them to clog up web traffic across the globe. The hack led to temporary outages of some 1,200 websites, including Twitter, Netflix and PayPal.
While the attack was one of the largest of its kind, some local tech observers say it was fairly innocuous, causing more inconvenience than devastation. But they say it underscores the vulnerabilities of some internet-enabled baby monitors, refrigerators, garage-door openers and more—collectively known as the Internet of Things—weaknesses that could be exploited for more severe attacks on society or on device owners.
Central Indiana has an emerging IoT hardware and software cluster, and several professionals say the October hack did not involve their products and has not dimmed their business prospects. But they acknowledge the industry at large has to strengthen IoT cybersecurity, and some even are endeavoring to develop standards and best practices for the fledgling sector.
“There are some really good models out there and some really good understanding of cybersecurity as it relates to managing people’s data centers and email and IT systems,” said Paul Mitchell, board member at Newberry-based Battery Innovation Center, a not-for-profit that soon will launch a partnership with Illinois-based Underwriters Laboratories to test the security of connected devices.
“But there has not really been as much attention as probably there should be around consumer products and connected devices that are part of this IoT future world that we’re moving into.”
Research firm Gartner estimates 6.4 billion IoT devices are in use worldwide this year, a figure that’s up 30 percent from last year and is expected to reach 20.8 billion by 2020.
These include web-connected thermostats, washing machines and webcams installed in residences, as well as HVAC and lighting systems installed in commercial buildings.
Remote monitoring and controlling—including via smartphone or personal assistants like Amazon Echo—are common features among these so-called smart devices.
Some local players in the space include Pi Lab LLC, which makes the “Edwin the Duck” smart toy, and Dattus Inc., which makes software that manufacturers use to monitor web-enabled equipment. There’s even an Indy IoT conference, which just wrapped up its second year.
Many IoT devices come with cyber defenses baked in, or they operate on a secure network that’s tough to penetrate. But many don’t, which is one reason October’s internet outage was so sweeping.
“We’re in that early hour of the Internet of Things, where [companies] are creating these things in a vacuum, not paying a lot of attention to security, enterprise architecture, scalability, serviceability,” said John McDonald of Fishers-based IoT software company CloudOne Corp., which helps companies like engine-maker Cummins deploy and manage web-enabled engines.
“They’re just experimenting.”
How it happened
The October attack targeted Massachusetts-based Dynamic Network Services Inc., which runs a service that routes internet traffic. In what’s known as a “distributed denial of service” attack, hackers enlisted devices such as webcams to overwhelm certain sites with visits, rendering them unavailable for legitimate users.
Dyn, as the firm is often called, is still investigating the attack, but a Chinese webcam manufacturer recalled its products as a result of it.
The damage could have been far worse. In recent years, well-intentioned hackers have cracked into devices—including a web-enabled Jeep while it was driving—exposing weaknesses that ultimately led to recalls.
J.J. Thompson, CEO of Indianapolis-based Rook Security LLC, said hackers with more nefarious intentions could use vulnerable IoT items to attack hospitals, power systems and more—or use them to access personal information.
“The immediate-term problem is twofold,” he said. “One is, these devices are susceptible to attacks and they can be used to carry out attacks on critical infrastructure. Part two: These devices can provide a gateway into your house, into your private networks and into your private accounts that people can exploit and cause you harm.”
Mitchell, the Battery Innovation Center board member, said his organization about a year ago entered into a partnership with UL for battery testing, but that ultimately broadened into discussions about cybersecurity for the underlying products.
The Battery Innovation Center—which is supported by Duke Energy, Purdue University and other groups—has ties with nearby Naval Surface Warfare Center Crane, an operation employing thousands that conducts some of the nation’s most sophisticated electronics research for the Defense Department.
“Think about all of the new technologies that are being connected to the electric grid, whether they are intelligent appliances in people’s homes, like HVAC systems or refrigerators, or you think about technologies like smart grids that utilities are deploying,” Mitchell said. “All of those devices are connected to the Internet, so that opens up a new threat around cybersecurity.”
Days after the Oct. 21 attack, the National Science Foundation granted $1.8 million to professors at Indiana University’s School of Informatics and Computing to study IoT security. Among other research, the professors will be exploring the best models for privacy within homes with a multitude of internet-connected devices.
“A house with numerous built-in technologies may have many people living in it, like parents, children and grandparents, or visitors who temporarily introduce another device into the technological ecosystem,” said Steve Myers, one of the IU professors engaged in the study. “Or, when a family sells a house, they may leave behind their internet-connected devices for the next occupants.
“We’re seeking to provide a privacy structure in this environment that will allow people—users and bystanders—to interact with Internet of Things devices, and to enjoy their benefits, but also not suffer unknown information compromises.”
Brian McGinnis, a Barnes & Thornburg LLP attorney who specializes in data security, said it’s not just new internet-enabled devices that might be unsecure, but older items as well, including machines that run critical infrastructure that have recently come online to communicate with newer machines.
“How you make those things talk to each other is a big problem in and of itself,” McGinnis said, “and even if we figure that out, now you have something that was never designed to be connected to the internet connected to it.”
McGinnis said he expects regulations and standards around IoT security to improve as the industry matures. But he noted that anything connected to the internet is hackable.
“The most secure toothbrush is the one you get from the dentist that’s not connected to the internet.”
Jackson Systems LLC, an Indianapolis-based HVAC controls manufacturer and distributor, sells a variety of web-enabled systems to residential and commercial customers, including systems for temperature, air pressure, humidity, lighting and more.
Engineering Manager Dave Moor said many clients use the internet to monitor and control systems. But some systems, like an automated carbon monoxide ventilation system for an underground parking garage, don’t rely on the internet—which makes them more secure.
“Typically, that will be hard-wired, directly from the sensor to the exhaust fan,” Moor said. “And that alleviates quite a few points of failure if you were trying to do that over the internet.”