Successful social engineering attacks through IoT systems could lead to a perception of being surrounded by hostile devices and could greatly retard development, making the consequences of social engineering attacks in the IoT very significant.
Social engineering attacks will certainly evolve into the Internet of Things (IoT), if they have not already. These attacks have the potential to be lucrative for the threat agents in terms of fraud, identity theft, espionage and even property ransom.
My colleague Raj Samani recently published a paper where he defined social engineering as “The deliberate application of deceitful techniques designed to manipulate someone into divulging information or performing actions that may result in the release of that information.”
The IoT represents a whole new and fertile territory for social engineering attacks, which blend some of the most effective attacks from the contemporary Internet with attacks more commonly found in the industrial-control world. Namely, they combine attacks intended to capture information with intrinsic value (passwords, account details, access to vulnerable systems) with attacks that seek to trick users into executing complex sequences of commands on the basis of misinformation.
The current generation of Things on the Internet has dubious security. You will find plenty of reports of devices like baby monitors, TVs, medical devices, and even cars that have been hacked or are demonstrably vulnerable to hacks. At this point we have little reason to believe this situation will improve in the near term. The lack of standards, the lack of coherent regulations and the demand for cheaper, not more expensive, Things will ensure that opportunities for social engineering and for hacking the IoT in general will not be in short supply.
Why is this different than social engineering today?
The consequences of social engineering attacks in the IoT could be worse than the same attacks in the “IT Internet” of today.
The perception goes from one of “living with weak devices” to being “surrounded by hostile devices”! Devices that might at any time try to deceive you into doing something against your interests, like a malevolent robot from a science fiction movie. That would be bad. It is one matter if your Things are being hacked and compromised behind your back; it is another matter if your Things are tricking you into hurting yourself, or others. As potential outcomes:
- Social engineering attacks in the IoT will delay adoption of technologies that otherwise might present major social and business benefits.
- Social engineering attacks in the IoT will undermine confidence in the safety – not just the security – of the IoT. Social engineering in the IoT is a potent form of force-multiplier because people ultimately have control of all Things: hack the person and you have access to it all.
- Social engineering attacks in the IoT might raise the levels of regulation in a reflexive and ill-conceived manner, with outcomes as uncertain as leaving the IoT at its current, low state of security-maturity. (See my blog post about regulators in the IoT.)
Where do we begin to address social engineering in the IoT?
Like social engineering on the Internet today, there is no single remedy. Layers of security and technology will need to be applied. Existing products from many vendors will need to be enhanced, and new solutions will need to be developed.
But I propose there are at least two specific areas that need to be a focus: one is a “management control” and one is a “technical control”:
- Management standards. I blogged about IoT security standards. This work needs to continue quickly, and 2015 looks like a good year for progress, with both NIST and the Industrial Internet Consortium set to release reference designs including security for the IoT. We will have to see if these designs are sufficient to address the vulnerabilities to social engineering in the IoT.
- Technical solutions around authentication and encryption that low-resource Things can support. The harder it is to send and display fraudulent messages via Things, the harder social engineering with Things will become. Things need lighter, faster, more efficient authentication and encryption technology than is typical today with symmetric and asymmetric crypto. I also blogged about this topic under the heading “Multi-party authentication in the IoT – part 1, part 2, part 3”.