Smart Objects: The Next Pandora’s Box?
September 28th, 2011
The world of technology is changing so fast that keeping up with it is a nearly impossible task. The same applies to the information security arena, where new technology and new ways to attack technology are being developed at an astounding rate. It is easy to overlook emerging technology developments, many of which promise to introduce numerous new vulnerabilities that ultimately lead to new risks. One such development is smart object technology.
Smart objects are tiny objects that have a sensor or actuator as well as a communications device. Most often implemented as minute RFID chips, anything with a power source is a candidate for smart object technology. These objects can be placed within frequently used devices such as light switches, refrigerators, thermometers, garage door openers, automobile engines, light switches, and temperature control systems. So, for example, people can use smart objects to turn on heating or cooling in their homes from far away or to make their electric garage door openers unopenable while they are away from home.
Smart objects are also already being used in industrial settings more often than you might imagine. For example, smart objects are now being embedded in assembly line components. Smart objects are also used in power grids to balance power between plants and substations, substations and lines, lines and transformers, and transformers to home electrical systems.
We all know that IPv4 addressing is dead. People currently often say we are running out of IPv4 address space, but they are wrong–we ran out of IPv4 address space years ago. IPv4 addressing provides only 2 to the 32nd power total addresses. Right now we are virtually “limping by” through the use of RFC 1918 addresses and Network Address Translation (NAT) in our internal networks. The limited amount of address space that IPv4 provides has also been a hindrance to the growth of smart object technology. The world will soon turn to IPv6, however, and when it does, there will be so many addresses (2 to the 128th power) that every human being on the planet will be able to have 100,000s of addresses if desired. When IPv6 comes into its own, assigning addresses to a myriad of smart objects will become trivial. Home owners will have networks of smart objects, and smart objects will become as common a part of everyday life as smartphones currently are.
But as previously mentioned, new technology breeds new security problems, and smart objects are no exception. The amount of processing power in a single smart object is impressive, but numerous significant limitations that very negatively affect security come with the miniscule size of the chips used to implement this technology. Smart objects can be dedicated to encryption-related tasks, but building in encryption into smart objects designed for other purposes is not always practical from a chip manufacturing standpoint. IPv6 has an impressive variety of security mechanisms that can be implemented, but the current generation of smart objects is not capable of utilizing many of them if these objects are designed for non-security related functions.
Additionally, the inevitable proliferation of smart objects will also provide a very target-rich environment for attackers. Home users typically cannot secure their own computers, so how likely are they to secure their home smart object networks? Imagine a scenario in which a jilted lover breaks into the smart object network of the “jilter” and turns off heat in the dead of winter or makes the garbage disposal run continuously. Similarly, a denial of service (DoS) attack in a smart object-dependent home could cause havoc. And now also imagine a nation state-initiated massive DoS attack on the increasingly smart object-dependent electrical power grid.
Smart technology will be dominant in only a few years from now. Information security professionals need to quickly come up to speed regarding this technology and then start thinking how security policies, standards and procedures must be changed to mitigate the risk that this technology introduces. Being proactive is everything, and “he who hesitates is lost,” as the saying goes.
–Gene Schultz, Ph.D., CISSP, CISM, GSLC
– – – – – – – – – – – – – – – – –
Dr. Eugene Schultz is the CTO at Emagined Security, an information security consulting practice based in San Carlos, California. He is the author/co-author of five books, and has also written over 120 published papers. Gene has been the editor-in-chief of two journals and is currently on the editorial board of three journals. He is also a SANS instructor, member of the SANS NewsBites editorial board, co-author of the 2005 and 2006 CISM preparation materials, and is on the technical advisory board of three companies. Gene has previously managed an information security practice as well as a national incident response team. He has also been professor of computer science at several universities and is retired from the University of California. He has received the NASA Technical Excellence Award, the Department of Energy Excellence Award, the ISACA John Kuyers Best Speaker/Best Conference Contributor Award, the Vanguard Conference Top Gun Award (for best presenter) twice, the Vanguard Chairman’s Award, and the National Information Systems Security Conference Best Paper Award. A Distinguished Fellow of the Information Systems Security Association (ISSA), Gene has also been named to the ISSA Hall of Fame and has received ISSA’s Professional Achievement and Honor Roll Awards. He is currently a member of the accreditation board of the Institute of Information Security Professionals (IISP). Dr. Schultz has provided expert testimony before committees within the U.S. Senate and House of Representatives on various security-related issues, and has served as an expert witness in legal cases.