Mark O'Neill is Vice President of Innovation at Axway. He was founder and CTO at Vordel, a leader of REST and Web Services Security, acquired by Axway in 2012. Mark is the author of the book Web Services Security, contributing author of Hardening Network Security, both published by McGraw-Hill/Osborne Media. He provides guidance on REST and Web Services Security to Fortune 100 and Global 500 firms and is a frequent speaker at key industry events such as the RSA Security Conference and Oracle Open World. At Axway, Mark is Vice President, Innovation for API and Identity Management.
Enterprise IT Insights for the Internet of Things Published: August 1, 2014 • Service Technology Magazine Issue LXXXV PDF
Abstract: The Internet of Things (IoT) has been generating significant hype, and the recent acquisition of Nest by Google further fanned the flames of anticipation as consumers began to imagine real-life applications. But there have also been timely reminders of the security and privacy issues associated with the growing number of connected devices (such as the Snapchat hack and the publicized Tesla vulnerabilities). In these early stages, the Internet of Things is far from secure. In this contributed article, Mark O'Neill, vice president of innovation at Axway, will provide a timely reminder of the risks presented by the emerging IoT, what enterprise IT has done in the past to overcome similar issues, and how security approaches need to change to accommodate today's level of connectivity.
Since the advent of the smartphone—brief as its introduction was in 1992 with IBM's Simon; complete in its ubiquity with Apple's 2007 iPhone launch—computers have taken over as the operation centers of our most commonly used devices. Today, the most current cars, refrigerators, thermostats, washers, dryers, ovens, televisions and more don't rely on wiring, but rather depend on programming to operate. Internet of Things (IoT) devices have Application Programming Interfaces (APIs), which enable remote management and connectivity. Through these APIs, they can interoperate. The IoT holds the promise of a world where, for instance, a thermostat equipped with motion sensor technology can connect to a home or business network, receive constant updates on the outside temperature, adjust indoor room temperature automatically by controlling heating and cooling systems through APIs … and tell the coffee maker to turn on when someone walks into the kitchen. Connected cars already offer APIs for remote unlocking and location services. And the list goes on; the IoT is already here. By enabling this level of interconnectivity, the IoT promises the highest degree of efficiency in terms of time and energy in our daily lives, as well as the closest levels of machine-to-machine, person-to-machine and person-to-person connectivity the world has ever known. But to make these connections positive and productive, the IoT has to be secure. In its infancy, it simply has not yet achieved the necessary level of security. Hack upon hack into smart devices, their applications and the networks on which they run prove the IoT has holes. The holes exist at the level of the APIs that form the backbone of these interconnections. Patching the holes at the API level is the key to overcoming these security hurdles and achieving success in today's IoT landscape.
The Potential of the Internet of Things
By 2020, the IoT will link more than 30 billion devices and create $1.9 trillion of economic value, according to analyst firm Gartner. [REF-1] It already saves resources and lives: connected refrigerators can tell their owners when food is about to spoil, preventing it from going to waste, and connected medical devices like blood pressure monitors can send individual patient data to doctors in real time. Sensors in cars can send information to databases that automatically analyze it and trigger engine adjustments to improve fuel efficiency. This level of connectivity will only increase as devices' programming becomes more refined and networks operate more openly, enabling faster action upon data gathered and allowing communication between multiple devices (as in the thermostat/HVAC/coffee maker scenario described earlier). Cisco Systems offers a vision for this IoT-enabled future in an infographic that depicts the impact of a municipality's connected environmental sensors: at the first detection of a rain drop, sensors alert a construction company's network so it can adjust operations; recreation centers receive data they need to move outdoor sports practices inside; and transportation and agriculture systems make accommodations as well. [REF-2]
We're seeing the first steps toward this pervasively interconnected IoT coming to life with shifts in the tech world like Google's acquisition of Nest. In February, the companies closed on a $3.2 billion deal that integrates the unprecedented Nest hardware with Google's unmatched Web expertise. Nest on its own provides thermostats and smoke detectors that use sensors to fine tune their functions to the movements, patterns and desires of their owners. Nest products communicate with other devices in the home to create, theoretically, the safest, most comfortable, most efficient environment possible. With Google's infrastructure behind it, Nest achieves the level of connectivity it needs to become a true giant of the IoT, gaining resources to progress its hardware and extend its reach to the industrial and enterprise realms. The acquisition acts as a model for future IoT advancements, demonstrating the potential for integrating technology and connectivity on multiple fronts.
Security Concerns and Hacks: Perils of the IoT
While it stands to bring efficiencies and conveniences we've never before seen, thereby improving lives, streamlining business and helping the planet, the IoT can only be a powerful force for good if it is secure. The intersection of the physical world with the always-on Internet culture means that now, for example, a hacked Facebook account can leave vulnerable not only personal information, but also home security systems, appliances, cars and more. And about that personal information—the amount of it in the IoT, from consumers' locations to their desires and purchasing habits, is staggering. Each smart device and connected app gathers data, and each smart device and connected application risks exposing this data. Companies promising amazing experiences through their IoT-connected products and services must back those promises up with unsurpassed security. Otherwise consumers' risks of fraud, identity theft and other damage through the IoT remain too high.
Some of these risks have become realities for early IoT adopters. In January, Proofpoint, a security-as-a-service provider, discovered a cyber attack on more than 100,000 devices, which included smart household appliances such as TVs, wireless speakers, network routers and at least one refrigerator. Hackers compromised the appliances by turning them into "thingbots," which operate like botnets (robots created from personal computers), to flood websites with malicious emails. These particular thingbots worked alongside botnets to send more than 750,000 emails during a 15-day period. The devices could have also stopped functioning properly, an especially serious issue in the case of the refrigerator.
Smartphones, among the most populous of devices already connected to the IoT, have also proven vulnerable. Last December, a group of hackers posted account information for 4.6 million users of Snapchat, the popular video and photo messaging app. The data was obtained through a vulnerability in Snapchat's API. The Snapchat hackers claimed to have exposed the data as a way of alerting the app company to its service's security weaknesses.
Cautionary tales abound for other industries integrated with the IoT as well. Businesses leave valuable data open to exposure and risk supply chain disruptions if they do not address security when they use barcodes, RFID and GPS technology to track supply chain status, and when they Internet-enable functions that traditionally only operate behind the firewall. In the automotive sector, connected cars have risks to address. Tesla's Model S came under scrutiny for initial weak security measures, namely, requiring customers to set up only one password – and a weak one at that – to locate and unlock the car. A security researcher also found vulnerabilities in the way the Model S API interfaces with third-party apps and advised customers not to connect the car to them until Tesla solved these API security problems. [REF-3]
Finally, healthcare providers have to be especially careful. If, for example, a provider prescribes an Internet-connected blood pressure sensor to a patient and hackers retrieve its data, the provider will face a damaging Health Insurance Portability and Accountability Act (HIPAA) violation. Providers have to protect patient safety, too. Hackers with malicious intent can manipulate any connected devices they infiltrate: hospital equipment with open Web services APIs, Bluetooth-enabled defibrillators, automated chemotherapy infusion pumps, refrigerators storing drugs and blood, and more. They could even take down entire emergency room systems. Hospital networks and computers also need proper protection, as hackers who gain access can view X-rays, change prescriptions and alter records. Investigations have shown that hospitals remain unaware of these security risks and are ill-equipped to address all of them. They rely on the vendors providing their devices to ensure their security. [REF-4}
Tech Companies' Traditional Approaches to Security
As the hacks into devices and their apps, as well as the vulnerabilities in connected cars, medical devices and other connected hardware have shown, the IoT requires security within the device itself. The protection has to happen before any data leaves the particular device because it is the device—not an external server or network—that gathers and keeps the data (at least initially) and therefore acts as the first point of vulnerability. Smart thermostats, refrigerators, phones and more transmit location information, identity information, financial information and user preferences through APIs, which are the cores of their operations. The API is the conduit for sensitive information. Therefore, security must live at the API level.
The question then becomes, can security work at the level of the API and still follow traditional models of data protection for software and the Web?
In the past, security programs have operated in the vein of Microsoft's Patch Tuesday, which involves the vendor and its consumers in a regular exchange to initiate repairs and protect against newly discovered threats. Microsoft designates the second Tuesday of every month as the time to make patches available for users to download to correct discovered flaws in code or gaps in security. Patch Tuesday has worked fairly well to protect Microsoft's customers, but it does mean vulnerabilities can linger for several weeks before they are addressed and it can slow devices and networks down if one Tuesday brings with it many patches.
We saw this kind of patch system at work in crisis mode across the web in April, when researches discovered and alerted the public to the Heartbleed bug. Websites immediately went to work fixing broken SSL code while urging consumers to change their passwords on all of their accounts. Service providers and consumers could take reactive steps to protect data, and they did.
The problems with translating this style of vendor/consumer shared action security to the IoT are that there are far too many "things" from far too many vendors involved, and some of those things cannot afford to go offline temporarily for a code fix. In addition, many of these devices are hardwired and simply cannot be patched. One household alone could have connected thermostats, laundry machines, kitchen appliances and entertainment centers all from different vendors, and all with different operating systems. To communicate with each separate vendor and follow different protocols for protecting or patching those devices is unrealistic and unattainable. And if it's a programmed defibrillator or medicine pump that is at stake, reaching the vendor in time and applying the patch without losing functionality could prove unsafe, if not impossible. There is no "Patch Tuesday" for the IoT.
If security instead operates at the level of the API, it remains fully within the control of devices' manufacturers and vendors, which in the world of the IoT is the safest place for security to reside. The API allows for "virtual patches" to be applied. Traditionally, manufacturers have attempted to secure their devices by obscuring or not specifying an API or control mechanism, but this tactic has not worked. Tesla took this approach with its Model S, attempting to keep the API secret, and the result was the security weaknesses described earlier. If manufacturers are upfront about their APIs, with API management in place, they can apply controls before hackers figure out how to manipulate their systems. The APIs can be the point from which companies enforce their privacy and security policies.
Here is how they can do it.
Security for the IoT: Protection at the API Layer
Like software programs and Web technologies, devices connected to the IoT need security patches when unanticipated threats arise. But these patches will only be effective if they can operate at the level of the API, where the devices' manufacturers can control and apply them singlehandedly, before the threats reach consumers' data.
To managed security at the APIs level, an API gateway is used. An API gateway creates security layers for APIs, managing traffic flow through them and equipping them to mitigate unforeseen events. By locating this kind of control at the API level, API gateways allow security to be applied to IoT devices. They also help stop hacks such as the one that affected Snapchat through its API. API gateways give real time insight into app usage and connect to standard network monitoring tools to deliver alerts of any anomalous usage. With these alerts, app owners can immediately detect use that looks unusual and potentially nefarious, and often can intervene before a hack occurs.
In the event of sudden threats like Heartbleed, gateways are also indispensible. They enable APIs to receive virtual patches, a form of upstream security that prevents malicious traffic from reaching APIs without disrupting devices' functionality. Frequently, it is not an option to patch the IoT device (how do you patch a bracelet, or a watch?). Virtual patches work without changing APIs' source code and they manage risks quickly. For example, medical devices can stay online while still receiving necessary protection, and patients need not even know about the threat, let alone face health risks because of it.
Beyond API gateways, API portals let developers see how devices are using their APIs over time. This information is crucial, as it enables organizations to produce audit trails. Organizations can use these audit trails to help in investigations of API attacks and to ensure compliance with industry regulations. Heavily regulated industries like healthcare especially need these data trails, as laws like HIPAA require healthcare providers to notify patients if anyone accesses their medical records. Additionally, businesses increasingly use APIs for B2B collaboration and data exchange, and in these cases audit trails for APIs can function as tracking methods for people accessing information.
Protecting devices on the IoT must include these new API-specific measures, but it is still important to remember to account for and secure against traditional threats. For instance, Web APIs are also Web apps, so attacks like cross-site forgery and cross-site scripting are relevant and require attention. The best way to achieve comprehensive protection is to select an API management system that incorporates Web application security. There is no reason a security system cannot address both old and new styles of threats. After all, the goal in enabling a secure IoT is not to throw away the systems of the past, but rather to enhance and modify them to fit all of the ways we communicate in the present and will communicate in the future.
As the IoT continues to expand and more and more connected devices become fixtures of everyday life, data and device security will matter even more. But security does not happen through obscurity, and to truly protect consumers, security has to live at the level of the API. No longer can manufacturers hide their APIs and hope that hackers do not locate and manipulate them. The IoT requires proactive measures to secure APIs and keep their security up-to-date. Technologies such as API gateways and portals are crucial to providing this correct level of protection. With API gateways and portals in place, device manufacturers and app developers can rest assured that their platforms can hold customer data securely, encrypting it within devices, and remain open to security patches and updates. Also crucial to IoT success, these security fixes can be applied to APIs without interrupting the function of the devices they control. Keeping connected devices online and secure maintains consumer safety, guards customer information and keeps users moving along as efficiently, productively and comfortably as possible.