The Paranoid Ramblings of an IoT Adopter…

The security mindset that an entire organization must adopt if they plan to develop and manufacture devices or things that connect to the Internet, known as the Internet of Things (IoT), is a stark departure from the traditional thinking of building end systems like personal computers and servers. Personal computers, their operating systems, and any installed application software can be patched to fix security vulnerabilities after they are released into the wild, normally without serious consequences. Always-connected devices that monitor and control nuclear power plants, advanced driver assistance systems in our cars, train railway signaling systems, or ground-to-air communications on commercial airplanes can’t always be patched in a timely manner. Some devices are closed systems and can’t be patched at all. Their security must be built into the product at the time of its manufacture. A security vulnerability found in these devices can be a life-and-death situation for its users.

This means that every component from the firmware, hardware, and software of the device, including its technical application, must be carefully and thoroughly tested for potential security threats during their initial design and development. Employing application fuzzing tools and performing extensive security penetration testing using today’s most advanced ethical hacking tools is mandated. Fuzzing is the black box testing technique that seeks out coding errors and security vulnerabilities in software like operating systems. It achieves this by sending large amounts of invalid or random data to the component or device under test in an effort to put the system in an unstable or crash condition. In these states, devices can be easily breached, taken control of, and divulge any secrets they contain. These processes are a part of a Software Development Life Cycle (SDLC) framework that is discussed further in Part 1 of my earlier Three Dependencies for Secure IoT Adoption blog.

Today’s cyber criminals have become increasingly sophisticated using smart targeted malware that will only trigger if a specific system is found, and programmed to attack at different intervals and delay to remain undetected in the corporate network. Ironically, the source code for StuxNet that was used to attack the Iranian nuclear facility several years back can be downloaded from the Internet! CISOs, security architects and network administrators have their work cut out for them! They must employ a defense-in-depth security defensive strategy. Additional security countermeasures are discussed in Part 2 and Part 3 of the Three Dependencies for Secure IoT Adoption blog.

Security vulnerabilities found in mobile devices and wearables may not mean a life-and-death situation, but a user’s private financial information can be stolen and sold to criminals on the dark web. Recent examples that have been in the headline news are breaches in the point-of-sale (PoS) terminal systems found in brick-and-mortar retail stores. Close to 166 million customer cardholder names and credit card data have been stolen by cyber criminals at popular stores like Target and Home Depot. More recently, breaches have occurred at Hilton Hotels, and Trump Hotels where malware was undetected in their PoS systems for over one year! How does this happen?

According to Bit9, retail stores make seasonal operational changes to prepare for the holiday shopping season to optimize payment transactions.

  • Before Black Friday, PoS system security updates are delayed until after the holiday shopping rush.
  • 20% of businesses disable anti-virus agents during busy periods to avoid system slowdowns.
  • Some merchants bring extra PoS devices “out of the closet” to accommodate seasonal staffing.
  • Retailers are still running PoS systems with Windows XP (52%) installed for the customer payment terminal and Windows 2003 (19%) for the payment system back office. As part of their extended end-of-support (EOS) announced in April 2014, Microsoft disabled its development and distribution of anti-malware patches and updates for Windows XP in April 2015, leaving 250 million PCs vulnerable!

However, the convenience of using mobile-payment systems built into mobile apps to pay for in-store purchases can’t be beat. These devices use near field communications (NFC) or magnetic strip transmission (MST) technologies to communicate with contactless PoS systems at popular retail stores and hotels. Counter to what people may think, this is still the most secure payment transaction system available. And yes, recent reports of cyber-attacks breaching LoopPay systems have also been in the news recently. Several servers at LoopPay were breached in an attempt by criminals to steal the intellectual property that allows MST to communicate with older PoS terminals. According to Samsung, who owns LoopPay, the two networks are not connected, so Samsung Pay was not directly affected in the breach.  

It seems like a never-ending cycle of security breaches with more frequency and ferocity evolving in the future! What is an  IoT adopter to do? It certainly gives me pause and plenty of paranoia about the upcoming holiday shopping season. It’s bad enough you have to fight big and unruly crowds to get the gifts you want at the retail stores! I’m even more paranoid about carrying so much cash around to counter these cyber threats, because then there is the threat of physical harm by would-be thieves.

But there is hope! Aside from waiting until Cyber Monday, technology from a company called Socure with an app called Perceive uses live facial recognition as the second factor of authentication when paying at the PoS terminal. Termed “pay with your face,” the technology uses facial biometric that operates with the front-facing camera on any smartphone to recognize facial features in real-time. This eliminates the need for passwords or PINs to verify your payment transactions. What else can you do to protect yourself when you’re out at the shopping mall this holiday season? Here are our tips:

  • Keep your cash, credit, and debit cards at home.
  • Keep your wearables and mobile devices hidden from plain view.
  • Turn off the NFC, Bluetooth and Wi-Fi connections unless you actually need them.
  • Also enable the “Ask to Join” Wi-Fi networks feature.
  • Avoid connecting your Wi-Fi to insecure or shared hot spots or captive portals.
  • Use a bank account with a minimal amount of money for the payment app - replenish as needed.

James Saturnio

Senior Solutions Architect at MobileIron

About the author

James Saturnio is a Senior Solutions Architect for the Technical Marketing Engineering team at MobileIron. He immerses himself in all things cybersecurity with equal parts mobility and IoT technologies. He has been with MobileIron for 5 years. Previously, he worked at Cisco Systems for 19 years where he started out as a Technical Assistance Center (TAC) engineer, then a software engineer, and as a Technical Leader in the Security Technology and Internet of Things (IoT) business units. He was the main architect for the IoT security framework that is still being used today by Cisco’s IoT customers.