Security Issues in Edge Computing and the IoT
The Internet of Things (IoT) is widely considered to be the next wave of computing, where distributed devices automate common tasks and make management possible through user-friendly mobile interfaces.
A major part of the evolution of IoT is the concept of edge computing. In this post, we’ll talk about what edge computing is and the security concerns associated with it.
What is Edge Computing?
Computing technology is constantly evolving, and has already moved through several different iterations as businesses seek the most efficient and cost-effective solution to meet their needs. In the beginning, companies purchased a single mainframe and employees connected via dumb terminals. As technology evolved, dumb terminals were replaced with personal computers, able to accomplish computing-intensive tasks on their own. With the rise of big data and an Internet-driven economy, cloud computing and outsourcing data storage and hosting to distributed data servers became popular.
At each iteration, computing power becomes more distributed and decentralized, from a single mainframe to a network of computers to a massive network of servers designed to perform data storage and processing at-scale. And with the increasing number of devices being deployed in the Internet of Things (IoT), people are beginning to realize the possibilities. Rather than having each device act like a “dumb terminal” sending data to and receiving instructions from the cloud, IoT devices are being designed with the ability to perform necessary computations on-device rather than outsourcing it to the cloud. This act of decentralizing the network, moving functions and power away from a single hub into the devices around the edge, is called edge computing.
Edge computing has the potential to dramatically increase the efficiency of systems built using IoT devices. Due to power constraints, the original IoT devices were designed to have the minimum amount of computing power necessary to collect and transmit data and receive and implement instructions. This puts a large amount of strain on communication networks and cloud computing servers that need to transmit and process the massive amounts of data collected by thousands or millions of IoT devices. IoT devices also experience delays as they wait for data to be sent away, servers to process it and instructions to arrive.
By enabling devices to process their own data or even just to filter out unnecessary details, IoT manufacturers are beginning to use edge computing to improve user experience and their own bottom lines.
Security Risks for Edge Devices
The Internet of Things and corporate Bring Your Own Device (BYOD) policies have created opportunities for improvements in efficiency and productivity as employees use the devices that they are most familiar with to do their jobs. However, security teams and policies haven’t caught up with the new rules. 66% of IT professionals don’t know how many devices employees bring into work, while an estimated 84% of companies have experienced an IoT-related breach.
In this section, we’ll talk about some of the most common security vulnerabilities associated with IoT devices, which pose a serious threat with the increased computational power that comes with edge computing.
Default and Weak Credentials
In theory, the average person knows that they are supposed to have unique, strong passwords for their computer login, bank account, email and so forth. In practice, the average person probably uses the same, weak password for all of these accounts. And these are accounts where the user knows the risks associated with an attacker cracking their password and gaining access to their account.
Most IoT devices have web-based management interfaces where users can log in to adjust settings, install updates and do other routine tasks. These interfaces often come with a default password that users are encouraged to change as part of the operating instructions. Realistically, how many users are going to set a unique, strong password for their coffee maker? Unlike traditional IT, where users have been trained and tested on the risks of poor password management, most users aren’t accustomed to considering the capabilities and risks associated with IoT devices.
This means that IoT and edge computing devices are likely to be protected with poor passwords, making them easy targets for attackers accessing their stored information or intending to use them as part of a botnet. Whenever possible, security teams should expand their password policy to testing and enforcing strong passwords on IoT devices.
IoT devices are commonly considered more as toys or appliances than computing devices. This means that the data that they collect and transmit is considered largely innocuous and is often sent unencrypted and unauthenticated.
But while data from an IoT device may seem innocuous, it could still be of value to an attacker. For example, while the office temperature managed by an IoT thermostat doesn’t require protection, an energy-saving setting that disables climate control when the office is unused may tell a potential hacker or thief when everyone leaves for the day and security is at its weakest. Encrypting an IoT device’s communications raises the bar for an attacker attempting to learn the command-and-control syntax to take control of the device.
If an edge computing device doesn’t have built-in support for TLS and encrypted communications, it should be placed behind an appliance that uses VPN technology to encrypt traffic in transit between the device and its destination.
Internet of Things devices are designed to stick around for a while. Most people don’t think about upgrading their home thermostat or lights every couple of years, like they do their computers. However, with the increasing amount of computational power and access given to IoT devices, it’s still necessary to make changes and install patches for newly-discovered security vulnerabilities.
In order to install updates on an IoT device, a user typically needs a higher level of access than the default permissions on the device. Most IoT devices have a maintenance mode intended for technicians to verify that a device is functioning correctly and to install updates and new software. This mode has complete access to and control over the device and is designed to make things easy for a trained technician, meaning that it probably has a default or hard-coded password that the user hasn’t changed or can’t change. While an organization can force changes of default passwords on devices entering an organization and lock down maintenance mode as much as possible, the potential still exists for hard-coded passwords or backdoors that could allow a technician (or a skilled hacker) to access the device.
Whenever possible, maintenance mode should be disabled or hardened against attack. If disabling it is impossible, it should be protected by a strong password and located behind a firewall that only allows access by certain, trusted machines.
Physical Security Risks
There’s a longstanding rule in information security: “If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.” This rule refers to the fact that physical access to a computing system can allow a skilled hacker to bypass most security mechanisms on the computer. Think a password is enough to protect your Windows machine? Unless you have boot protection on it, any attacker with five minutes and a Linux flash drive can get administrator-level access.
If allowing an attacker to have physical access to a laptop is bad, then having access to an IoT device can only be worse. Security is commonly acknowledged to be a low priority in the development of IoT devices and they are likely to have few, if any, built-in protections. Worse, these devices are designed to be placed in locations with minimal oversight. By increasing the computational powers of these devices and giving them a more vital role in an organization’s operations, the risks associated with deploying these devices without taking appropriate security precautions are dramatically increased.
When possible, steps should be taken to provide IoT devices with physical security protections. All such devices should also be considered untrusted and operate on a different segment of the enterprise network.
Poor Service Visibility
Visibility is key to a strong organizational security posture. If your security team is unaware of the services running on a certain machine, they can’t take the appropriate steps to ensure that it is properly configured and secured. In traditional IT, this is a reasonable well-solved problem. Most computers don’t come running Web servers and other potentially insecure services by default.
This isn’t the case for IoT devices. Most IoT devices need a management interface, which typically means that they’re running a webserver. They are often designed to send data to cloud-based servers, which means that they are sending potentially sensitive data to locations outside of the organization’s control.
With the rise of mobile computing, IoT devices often have mobile-friendly interfaces to allow them to be managed from a smartphone or tablet, but 80% of IoT applications have no security testing. The convenience of IoT devices makes them popular and their novelty means that the average person isn’t familiar with the associated risks. In most companies, it’s a struggle to get people to clean the coffee maker a regular basis, let alone remember to check if it needs updates.
Identifying and securing services provided by IoT devices requires proactive efforts by users and corporate security services. This may include analysis of network logs to identify traffic from unknown devices within the organization’s network perimeter, followed by testing and development of security plans for identified devices.
The issues described here are only some of the most common security issues of edge computing devices. The race to market means that security testing is often incomplete if it happens at all. Design flaws, poor coding habits and other shortcuts or oversights can produce a device that inadequately secures its own data and is a threat to other devices on its network and the Internet as a whole.
The Open Web Application Security Project (OWASP) publishes a list of the top ten IoT security vulnerabilities, which is a good starting point for organizations wanting to identify the potential risks of their deployed or potential IoT systems.
Security at the Edge
The Internet of Things and edge computing have the potential to dramatically increase convenience and the communications and computational efficiency of distributed devices. However, the youth of the Internet of Things and its unique situation, with surprising and geographically distributed items having access to computational resources and potentially sensitive data, means that the security of edge computing has a ways to go. IoT-focused solutions are being developed but are still in their infancy, with a lot of room for growth in the field.
However, progress is being made in certain areas, like the creation of a framework for Industrial Internet of Things device security developed by the Industrial Internet Consortium. People are starting to ask what we can do to make this new technology safer. Edge computing has a lot of promise, but requires users and organizations to put time and effort into considering and addressing its potential security implications.
So what exactly is the Internet of Evil Things?, Pwnie Express
The Internet of Things: Today and Tomorrow, Hewlett-Packard
2017 Study on Mobile & IoT Application Security Whitepaper, Arxan
Top IoT Vulnerabilities, OWASP