From Coke® and Cosmetics—The Changing Landscape of IoT Security and Why Testing Matters


According to Internet lore, in 1982, four students from Carnegie Mellon University’s School of Computer Science developed the first Internet-connected appliance in the world. And because “necessity is the mother of invention” those resourceful fellows didn’t program the Next Big Thing, but rather a campus Coke® machine to remotely check soda inventory from their desks, in order to determine when to re-stock the carbonated canisters.

Fast-forward to 1999, when Kevin Ashton is credited with first coining the phrase “Internet of Things” as the title of a presentation he gave while working as a Brand Manager for Procter & Gamble…because lipstick.

Noting a discrepancy in inventory reports for a new line of Oil of Olay® cosmetics, he became determined to reconcile the bar-code scanning systems of the day with a more holistic and realistic view of P&G’s Supply Chain. Fueled by his vision of wireless “smart packaging,” he would go on to partner with MIT’s Media Lab and the Auto-ID Center to study nascent RFID capabilities. He explained:

“Today computers — and, therefore, the Internet — are almost wholly dependent on human beings for information. Nearly all of the roughly 50 petabytes of data available on the Internet were first captured and created by human beings — by typing, pressing a record button, taking a digital picture or scanning a bar code. Conventional diagrams of the Internet include servers and routers and so on, but they leave out the most numerous and important routers of all: people. The problem is, people have limited time, attention and accuracy—all of which means they are not very good at capturing data about things in the real world.”

Who’s one to argue with that sentiment? We may not be very good at capturing data, but we’re great at creating it. Type, press, snap, and click we do, ad nauseam. Beyond taking selfies and pictures of our food/pets/kids/feet/vacation, we’re wont to accept Big Data as part and parcel of the digital landscape and online personas, navigating embedded systems in connected devices from wearables, to cars, refrigerators, and beyond.  We’ve collectively become the Internet of Every Thing.

Big Data Gets Bigger

According to Eric Schmidt, Google’s CEO (2001-2011), “Every two days we create as much information as we did from the dawn of civilization up until 2003.” And apparently that counts only user-generated content. Include machine-to-machine (M2M) communication and sensors, and the amount of data generated becomes staggering. We’re hitting zettabyte territory, and fast, which is precisely why managing security across our ever-growing networks is critical. The perimeter keeps extending further and further out.

And yet we trust that our information is securely managed; that IT has it covered. Data is passed between our smart watches and host phones; medical and health devices store information, transmit personal data, and even administer doses of medication…via the network. Unfortunately, device firmware and application updates are not necessarily secure or safe from compromises and breaches. SSL is not always used, channels are not always encrypted, and users are not always authenticated.

Even our cars are in the cyber crosshairs, as evidenced by the much-hyped Jeep® hack by Charlie Miller and Chris Valasek, who compromised connected cars via UConnect® through a vulnerability in the car’s entertainment system. This type of remote exploit can potentially turn hundreds of thousands of vehicles into targets, with catastrophic results.

Don’t be Vulnerable. Conduct a Security Audit.

Now that the IoT has increasingly become a Hot Zone, where should one start in determining what to assess? Networks are complex amalgamations of interconnected devices and elements, on and off premise, in the cloud, and even off our planet. As with most security risk assessments, first identify what areas and surfaces are at greatest risk. 

Luckily, OWASP (the Open Web Application Security Project) has identified the top 10 areas of vulnerability for IoT devices and solutions:
  1. Insecure Web Interface
  2. Insufficient Authentication/Authorization
  3. Insecure Network Services
  4. Lack of Transport Encryption
  5. Privacy Concerns
  6. Insecure Cloud Interface
  7. Insecure Mobile Interface
  8. Insufficient Security Configurability
  9. Insecure Software/Firmware
  10. Poor Physical Security

Each of these areas can be a weak link in the much-expanded security perimeter of IoT, and each highlights specific threat agents, attack vectors, weaknesses, and technical and business impacts. Test principles and best practices can be applied for a 360° view of the environment. To that end, test criteria should include:
  • What is tested?
  • How is it tested? 
  • Why is it critical?
  • What can make this fail?
  • When/what do you test?
  • What to look for in the test environment? 

Testing with the Right Partner Matters

Spirent understands the potential and opportunity of securing IoT and it’s staggering. Yet, so are the security threats and increasing capacity demands put on network infrastructures. Understanding where security weaknesses are and building right-sized networks (physical and virtual) can prove daunting, which is why testing with the right partner matters. 

Testing with volumetric DDoS scenarios that emulate thousands or even millions of hosts attacking a network target can show you specifically where security countermeasures work or fail. Bring certainty to Quality of Experience by testing with mixed attack traffic alongside real-world application traffic scenarios, including emulation of the traffic produced by IoT endpoints. Understand the effect of “bursty” traffic under a variety of load conditions by testing from an updated database of thousands of attacks and applications. We can test a variety of scenarios, but as far as checking whether your soda machine needs stocking, we’ll leave that up to you.

Test, monitor, and protect your connected devices. Learn how.

