A story about a smart coffee machine that was used to contaminate the computer network of a European petrochemical factory with ransomware hit the headlines last year. This incident isn't one of a kind, though. We are witnessing an increase in hacker attacks involving home appliances, robotic devices, drones and other IoT entities used in cities, enterprises, and offices. A few known examples of things getting out of hand include the following:
· Cleaning robot switched itself on, got onto a kitchen hotplate, pushed a cooking pot out of the way and burned itself, almost setting the apartment on fire.
· Security robot drowned itself in office fountain.
· Robotic lawn mower escaped from its "workplace" and cut a fuel hose along the way.
· Robot surgeon that hurts patients during surgeries and grips organ tissues with its "hand".
· Unauthorized control of drones.
· Shutdowns of industrial HVAC equipment.
· Hacked smart toys, watches, fitness trackers and other wearable personal and office devices.
All of these incidents make us question the security of smart systems and devices that we encounter day by day.
Some situations of that sort might occur due to garden-variety malfunctions of IoT devices, yet most of them are upshots of well-orchestrated interference in pursuit of certain benefit.
In the era of ubiquitous hacker intrusions and other cyber threats, it's imperative to strengthen the security of personal and corporate devices. Companies, in their turn, should focus on safeguarding smart systems leveraged in business processes, industry, manufacturing, medicine, etc. in order to reduce the risk of equipment failure due to third-party tampering and, of course, to protect proprietary data as it's being transferred and stored. Basic security involves changing default passwords, applying regular software updates, and of course establishing a secure, encrypted connection by means of a VPN.
Smart things are already everywhere: outdoors, at home, in office, in medicine, transport, production, industry, agriculture, logistics, power supply, and other domains. This list is continuously expanding and we are rapidly approaching a smart, but not yet secure, ecosystem.
In the dynamic IoT market, which is currently one of the most promising and revolutionary technologies around, the vendors neither spend enough time nor pay sufficient attention to the security of their devices. Instead, they are focusing on fast production in order to maintain their market niche and drive innovation in this environment.
This rampant development and manufacture race provides malefactors with a bevy of exploitation opportunities.
I won't dwell on the types of IoT devices and their security on the whole here. I'll instead focus on the issue of managing the accounts and user access to these devices, as well as the functionality required by IDM (identity management) systems that are shifting from applications to things.
So, what is IDM in the context of IoT? What needs to be taken into consideration when building IDM systems? What does the future hold?
The implementation of the Internet of Things presupposes a complex interaction between humans, things and services. Consequently, it's necessary to ensure appropriate verification of accounts and access privileges for applications, systems, and devices (things).
Clear-cut interaction between devices and the transmitted data, as well as proper control of them: these are the fundamentals of a successful IoT implementation in both the consumer and industrial space. IoT solutions should deliver a set of components for managing accounts and privileges that can accurately define the scope of access a specific user has and also verify user identity while checking authorization policies and access privileges.
According to Gartner, a global research and advisory company, 40% of IDM vendors will have to upgrade their solutions for IoT by 2020, versus less than 5% today.
WHAT REALLY MATTERS?
Assigning "user" accounts to devices
Industry players will need to determine the attributes that compose an "identity" of a device. This way, the manufacturers of IoT entities will be able to leverage a universal scheme or data model in order to make the registration, verification and authentication processes simple and applicable to different scenarios. When these attributes are determined and collected from a specific device, they can be used to register this device's account. For some smart things, the registration may require a certain additional verification, for instance, to confirm that the device itself is officially certified.
Interaction
Human-human interaction won't be enough anymore, and it will be necessary to establish other ties between devices, things, humans, services, and data. Furthermore, the many-to-many relationship will come to the fore.
Some of these ties will be used for temporary access to data, while others (human to smart device, or smart device to smart production) will be permanent. These relationships need to be registered, verified, and then revoked if necessary.
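A sketch of the device-account and relationship model described in the two sections above, added here as an illustration and not taken from the original article or any IDM product. The attribute names, the `Registry` class, the scopes and the HMAC tag (a stand-in for a manufacturer-signed device certificate) are assumptions.

```python
import hashlib, hmac, json, time
from dataclasses import dataclass
from typing import Optional

# Constructed demo key; stands in for a manufacturer's certification secret (assumption).
VENDOR_KEYS = {"acme-coffee": b"constructed-demo-key"}

def attest(attrs: dict, key: bytes) -> str:
    """Tag over the canonical identity attributes (stand-in for a signed device cert)."""
    canon = json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()

@dataclass
class Relationship:
    subject: str                        # human, service or another device
    device_id: str
    scope: str                          # hypothetical scopes, e.g. "brew"
    expires_at: Optional[float] = None  # None = permanent tie
    revoked: bool = False               # set to True to revoke the tie

class Registry:
    def __init__(self):
        self.devices, self.relationships = {}, []

    def register_device(self, attrs: dict, tag: str) -> str:
        """Create the device account only if its attributes are vendor-certified."""
        key = VENDOR_KEYS.get(attrs.get("vendor"))
        if key is None or not hmac.compare_digest(attest(attrs, key), tag):
            raise PermissionError("attributes not certified by a known vendor")
        device_id = f'{attrs["vendor"]}:{attrs["model"]}:{attrs["serial"]}'
        self.devices[device_id] = attrs
        return device_id

    def link(self, subject, device_id, scope, ttl=None, now=None) -> Relationship:
        """Register a tie; ttl (seconds) makes it temporary."""
        if device_id not in self.devices:
            raise KeyError("unknown device")
        now = time.time() if now is None else now
        rel = Relationship(subject, device_id, scope, None if ttl is None else now + ttl)
        self.relationships.append(rel)
        return rel

    def is_allowed(self, subject, device_id, scope, now=None) -> bool:
        """Verify a tie: it must exist, be unexpired and not be revoked."""
        now = time.time() if now is None else now
        return any(r.subject == subject and r.device_id == device_id
                   and r.scope == scope and not r.revoked
                   and (r.expires_at is None or now < r.expires_at)
                   for r in self.relationships)
```

Because every access decision goes through `is_allowed`, an expired or revoked tie stops working without touching the device account itself.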
Authentication and authorization
The components of authentication and authorization should be applied at each stage of IoT data streaming. The following protocols are currently supported: OAuth2, OpenID Connect, UMA, ACE, and FIDO.
Access rights management
The creation and/or management of attributes related to user access privileges should take place at the device startup and initialization stage as well as during user registration. The applicable standards include LWM2M, OpenICF, and SCIM.
As we know, traditional IDM systems are intended to grant access to a company's internal systems within the network perimeter. The booming Internet of Things technology requires more dynamic IDM solutions that can support and add not only internal users, clients and partners, but also devices and smart systems regardless of their location, thereby expanding protection capabilities in the paradigm of digital transformation.
Why Does a Coffee Machine Need Its Own Account? was originally published in Hacker Noon on Medium.