I am afraid of the Internet of Things. Is my television listening to me? Maybe someone has hacked into Alexa or Cortana or Siri, or is using my Nest thermostat as an attack vector into my wireless LAN or enterprise WAN. Can someone track me via my smartwatch or fitness band? What about all the automotive stuff? I don't believe there's any one technology that will provide the security we need. We need to harden all connected devices to make sure they are resistant to attack. And we need to ensure that network traffic is filtered, cleaned, sanitized, to prevent the hijacking of data or connections back to devices or remote data centers.
We need artificial intelligence. Crypto – that's good and necessary, but not sufficient to protect our devices and their data. Virus definitions and malware profiles are too big, too slow, and too risky, especially when it comes to small, low-powered devices. Plus, by definition, signature files are always protecting against the past attack vectors, not the ones that nobody sees. Security has to be smarter and focus on detecting bad behavior.
How big is the problem? Big. As cited in Maria Korolov's recent article, “,” the Pew research center estimates that 68% of U.S. adults own a smartphone, and that mobile shopping will account for 30% of online shopping this year. She cites research showing that half of smartphone owners use mobile banking, and 1.4 billion people log into Facebook each month using their mobile devices.
What's more, 30% of Android users don't protect their smartphones with passwords, and 44% do not have an anti-malware solution installed, according to research from Kaspersky Labs and B2B International. Bluetooth is another vector; Korolov quotes Bruce Snell, director of security and privacy at Intel Security, explaining that some devices use default pairing passwords for Bluetooth, like 0000 or 1234, allowing cybercriminals to pair and gain access to a device easily.
Another big issue with Bluetooth connectivity is that it is authenticated once. After pairing once, the device is considered trusted. This leaves the door open for impersonation or man-in-the-middle attacks against the host device and the connected accessory, explained Snell.
We're not just talking about smartphone and Bluetooth fitness bands. Any connected device with a camera, or a children's toy, as well as appliances and other non-mobile IoT devices, are vulnerable. Recently, security company Rapid7 tested a variety of consumer baby monitors and found 10 vulnerabilities, ranging from a case where any authenticated user at one particular company could view camera details about any other of the company's subscribers, to another where cameras were shipped with hard-coded backdoor security credentials, to insecure streaming accessible by an easy-to-guess URL. Scary, creepy, and only the tip of the iceberg.
Protect the device and protect the network
OK, we understand the problem. What's the solution? There's no one-size-fits-all that I can see – and nor can we trust that device makers and cloud-based services are fully equipped to roll their own security. We need at least two approaches.
- One is to have a solid, validated, security solution installed on mobile devices – and it has to be a thin solution, able to run without bogging down small processors, use limited ROM and RAM, and not require frequent updates.
- The other is to filter traffic as it traverses the Internet, catching and stopping malware and attacks without adding latency. Traditional firewalls and intrusion detection/prevention systems aren't the best way to go here; there are too many places where traffic comes, where traffic goes, and often those sources are outside our data centers, colos, and WANs. With traffic often flowing to, from, and between cloud providers, the security has to be in the network itself, probably implemented as virtual network function over SDN and NFV.
At the MEF GEN15 Conference, held in November in Dallas, I met with several companies focused on network security, and two stood out, not only because of their strong focus on IoT, but also because they are using AI to help identify and mitigate threats.
On the device side, Cylance says that its Protect software guards against 99% of threats using a pattern-based approach, instead of signatures. The software runs on Windows and Mac, but more importantly in this context, can also be embedded into small devices. In that IoT world, Cylance will use less than 1% of CPU resources, according to Stuart McClure, the company's CEO and founder – and does not require an Internet connection or any signature updates.
We need solutions like Cylance's Protect embedded onto IoT endpoints because we can't trust the network.
And we need solutions like Wedge Networks' Cloud Network Defense to protect carrier networks because we can't trust the IoT endpoints, enterprise data centers, or cloud service providers.
Because CND works on an SDN-based carrier network via NFV, it can be always watching – and never affected by the malware itself. Wedge's founder and CTO, Hongwen Zhang, explained about the company's new filter technology, called WedgeIQ, that goes beyond deep packet inspection to apply AI machine learning and Big Data-style analytics to see new real-time threats – and apply instant countermeasures. What's more, CND is a multi-tenant system, if one carrier catches a new attack against once of its customers, all other customers will be protected as well.
Cool, clean, delicious, doubly safe water
To use an analogy for the belt-and-suspenders approach, my wife and I expect our local municipal water to provide us with clean, clear, safe drinking water. That's their job. However, in order to make sure the water is as good as possible, we also have a reverse osmosis filter system under the kitchen sink, which purifies all our cooling and drinking water. The municipal water treatment system, that's WedgeIQ. The RO drinking water filter, that's Cylance Protect.
Our drinking water is clean, tasty, and safe thanks to double protection from the service provider and at the end point. If carriers adopt AI-based filtering technologies like WedgeIQ, and if device makers install embedded software like Cylance Protect, we might have a shot at protecting not only the IoT, but most importantly, the people who use it.