Because the Internet of Things is now integral to critical infrastructure, business, and home environments—from industrial control systems and routers to refrigerators that can tell you when you’re out of milk—potentially disastrous cybersecurity implications must be addressed.
Standard operating procedure within the embedded computing industry makes security more of an add-on or an afterthought that relies on “security by obscurity.” But this can have dire consequences for data security, as malicious actors can easily reverse engineer unsigned firmware to give them complete remote control of a device. And far too often lateral movement is allowed, meaning hackers can pivot inside a targeted system until they find what they’re looking for.
So what damage can actually be done by exploiting these firmware “design flaws”?
The so-called “SYNful Knock” attacks discovered in 2015 showed how attackers, likely nation-state actors, managed to modify the firmware image of Cisco routers to achieve persistence inside victims’ networks. Compromising such a device at the gateway to the network could give attackers a perfect opportunity to steal data, monitor communications and install malware on parallel systems.
Remote control of a smart device or embedded computer could allow an attacker to turn that device into a bot to launch DDoS, click fraud, information-stealing attacks and much more. IoT devices are perfect for this purpose: always on, always internet-connected and with fatally flawed architectures that can be exploited.
In fact, we have already seen several cases where IoT devices have been taken over en masse to build botnets. As far back as January 2014 a global phishing and spam attack was traced back to a compromised network of smart household devices. And cybersecurity firms are predicting things will get worse over the coming year.
It’s Time for Change
So what do we do about this? I propose the following:
• Good security is at least half about good management of the product. Yet the consumer technology industry prioritizes the user experience over everything else. If a more secure product requires one more page of user manual to read, or 30 seconds more brain power for the end-user to configure, the increased security benefit is often dismissed. As an industry, we must weight security more heavily when making product decisions.
• The recently discovered Samsung SmartThings flaws raise some important questions about smart home security. Do these systems really need a mobile app? Does the app need to connect to a central server in the cloud? And, most importantly, is it right to have a smartphone control anything that is critical to you? In many cases the app itself is developed not by the smart device OEM but by a third party over which they might have little control or visibility. OEMs should implement open and interoperable standards in their devices, and home IoT architecture should rely only on a local, secured hub.
• Building a secure infrastructure that extends into the device itself is essential.
As detailed in the prpl Foundation Security Guidance document, we need:
This ensures that IoT systems will only boot up if the first piece of software to execute is cryptographically signed by a trusted entity. It needs to match on the other side with a public key or certificate which is hard-coded into the device, anchoring the “Root of Trust” into the hardware to make it tamper proof. This would have prevented the attacks on Cisco and others.
This enables separation of each software element, so a system can be designed that keeps critical components in secure isolation from the rest and prevents lateral movement. This can allow consumers to enhance and modify their products whilst crucially allowing regulators to prohibit and lock down modification of any function deemed too dangerous.
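The signed-boot requirement described above (the first software to run must carry a signature that verifies against a public key fixed in the device) can be sketched as follows. This is an added example, not code from the prpl guidance or any vendor; the Ed25519 algorithm, the payload-then-signature image layout, the demo key seed, and all function names are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

const sigLen = ed25519.SignatureSize // assumed layout: payload || 64-byte signature

// Constructed demo key. On a real device only the public half exists, in ROM or fuses.
var vendorKey = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
var rootOfTrust = vendorKey.Public().(ed25519.PublicKey)

var ErrTruncated = errors.New("image too short to carry a signature")
var ErrBadSignature = errors.New("signature does not verify against root of trust")

// SignImage is the vendor-side step: append a signature over the payload.
func SignImage(priv ed25519.PrivateKey, payload []byte) []byte {
	sig := ed25519.Sign(priv, payload)
	return append(append([]byte{}, payload...), sig...)
}

// VerifyImage is the boot-stage check: return the payload only if the
// trailing signature verifies against the fixed public key.
func VerifyImage(root ed25519.PublicKey, image []byte) ([]byte, error) {
	if len(image) <= sigLen {
		return nil, ErrTruncated
	}
	payload, sig := image[:len(image)-sigLen], image[len(image)-sigLen:]
	if !ed25519.Verify(root, payload, sig) {
		return nil, ErrBadSignature
	}
	return payload, nil
}

func main() {
	good := SignImage(vendorKey, []byte("constructed firmware v1.0"))
	modified := append([]byte{}, good...)
	modified[0] ^= 0x01 // a single flipped bit stands in for a modified image
	for _, img := range [][]byte{good, modified} {
		if _, err := VerifyImage(rootOfTrust, img); err != nil {
			fmt.Println("refusing to boot:", err)
			continue
		}
		fmt.Println("signature ok, handing off to firmware")
	}
}
```

The check only anchors trust if the verifying code and the public key themselves cannot be rewritten, which is why the article places them in hardware.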
As the Internet of Things and connected embedded computing now begin to permeate every part of our lives, we need to come together as an industry and rethink our approach to securing and managing these devices.
(About the author: Art Swift is currently president of the prpl Foundation, a technology non-profit promoting the development of open source software for embedded computing. He is also CEO of CUPP Computing AS, a privately-held supplier of mobile security devices. He has more than 25 years of executive-level experience in the tech industry.)