Today, the Internet of Things extends to smart homes with heating, entertainment and security systems linked to streetlights and smart cities – meaning the infrastructure has now been put in place to support a connected world.
So what will tomorrow bring? More and more applications will spiral off of it, leading to impressive growth. Gartner, Inc. forecasts that 8.4 billion connected things will be in use worldwide in 2017, up 31% from 2016, and will reach 20.4 billion by 2020, and Accenture estimates the industrial Internet of Things could add $14.2 trillion to the global economy by 2030.
However, industries must remain cautious, as advancements in IoT will come with grave consequences if they are not suitably protected. For example, the largest IoT botnet on record, Mirai, attacked Dyn via DDoS last year.
The chaos that low-power, low-cost IoT devices were able to create once infected with Mirai malware was a huge wake-up call to the industry, consumers and governments alike. The Department of Homeland Security (DHS) even issued some security guidance in response to the attacks, calling for industry to up its security game.
Problems and solutions
Common problems recur in the security of IoT, and they leave devices extremely vulnerable to hackers. So let’s change the dynamics of security from the ground up.
Proprietary closed source development is a recurring trait in IoT devices that have been breached; and even though this is seen as a more traditional approach, it is outdated.
Firmware binary code is easily accessible online, and debugging interfaces such as JTAG and interactive disassemblers are also readily available. Major software from Microsoft, Adobe (Flash) and Oracle (Java) has fallen victim to this because the products are proprietary and closed source.
Java security is so bad many mainstream browsers don’t even run it; Flash is such a security concern that modern browsers offer the option to activate plugins on a per-page basis, while system administrators will be well aware that Windows receives numerous security updates every single month. Security by obscurity simply doesn’t exist anymore – if it ever did.
Open source and open security is an enhanced approach. Wider attention can be focused on a piece of code, which gives a better chance of engineering something more robust. The open source community is 100% focused on quality and usability with emphasis on doing what’s best for the software and end-user. Decisions are not made based on commercial gain, politics or any other corporate dynamics.
Thanks to the dedication, strength and sheer size of the open community, security flaws are routinely fixed within hours of discovery. It’s not uncommon to have a rolling process producing and making available near-real-time updates – for example, the Debian Linux security model.
Network connectivity will also see an improvement from open source standards. The TCP/IP protocol is one of the most complex and tricky to implement, meaning engineers who are inexperienced in designing kit with a network component are often out of their depth.
With global, interoperable open standards, users are able to outsource the trickiest work to the subject-matter experts. They then create and maintain the most secure standards and frameworks possible for hardware or firmware developers to follow.
Secure boot needs to be enforced, as the firmware update system in today’s devices is flawed in that it’s not signed. The hackers behind the Cisco attack were able to reverse engineer the code, modify it, re-flash the firmware and reboot to execute arbitrary code.
The solution is to ensure that the system boots up only if the very first piece of software to execute is cryptographically signed by a trusted entity – i.e. the vendor. A hard coded public key or certificate will need to match on the other side, which will be completely irreplaceable and impossible to tamper with once a “root of trust” has been established.
If a hacker tried to infiltrate and modify the firmware, the first stage of the boot-up would fail as it would not match the original public key, and the system would refuse to come to life.
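The boot-time check described above, as an added example that is not part of the original article: an immutable first stage pins the vendor key and refuses any image whose signature does not verify. It assumes a Lamport one-time hash-based signature as a standard-library stand-in for the vendor's real scheme, and a ROM that stores a hash of the public key rather than the key itself; all names and sample bytes are constructed.

```python
import hashlib
import hmac

N = 32  # SHA-256 output size in bytes

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def digest_bits(image: bytes) -> list:
    d = int.from_bytes(H(image), "big")
    return [(d >> (255 - i)) & 1 for i in range(256)]

def vendor_keygen(seed: bytes):
    """Vendor side: derive a one-time Lamport key pair from a secret seed."""
    sk = [H(seed + bytes([i, b])) for i in range(256) for b in (0, 1)]
    pk_blob = b"".join(H(s) for s in sk)  # 512 hashes, two per digest bit
    return sk, pk_blob

def vendor_sign(sk, image: bytes) -> bytes:
    """Reveal one secret per digest bit; a Lamport key signs one image only."""
    return b"".join(sk[2 * i + bit] for i, bit in enumerate(digest_bits(image)))

def boot_rom(rom_fingerprint: bytes, pk_blob: bytes, sig: bytes, image: bytes) -> bool:
    """Immutable first stage: True only if the image is allowed to execute."""
    # The key ships beside the image; ROM pins only its hash (root of trust).
    if not hmac.compare_digest(H(pk_blob), rom_fingerprint):
        return False
    if len(pk_blob) != 512 * N or len(sig) != 256 * N:
        return False
    ok = True
    for i, bit in enumerate(digest_bits(image)):
        expected = pk_blob[(2 * i + bit) * N:(2 * i + bit + 1) * N]
        ok &= hmac.compare_digest(H(sig[i * N:(i + 1) * N]), expected)
    return ok

def demo() -> dict:
    # Constructed sample data: seeds and firmware bytes are made up.
    sk, pk = vendor_keygen(b"constructed-vendor-seed")
    rom = H(pk)  # burned into the device at manufacture
    image = b"\x7fFW1 constructed stage-2 loader"
    sig = vendor_sign(sk, image)
    evil_sk, evil_pk = vendor_keygen(b"constructed-attacker-seed")
    patched = image + b" + modified code"
    evil_sig = vendor_sign(evil_sk, patched)
    return {
        "genuine": boot_rom(rom, pk, sig, image),
        "patched_image": boot_rom(rom, pk, sig, patched),
        "resigned_with_attacker_key": boot_rom(rom, evil_pk, evil_sig, patched),
    }

if __name__ == "__main__":
    print(demo())
```

Only the genuine image boots: the patched image fails signature verification, and the image re-signed with a different key fails the pinned-fingerprint check before any signature is examined.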
Many systems allow lateral movement within hardware, which ignores the fundamental rule of Security by Separation. To counter this problem, the answer lies in hardware-assisted virtualisation to contain each software entity, allowing critical components to remain safe, secure and isolated. Failure to do so enables hackers to meander inside a system until they find a way to exploit what they’re really after.
For example, a researcher should not gain access to an airplane flight control system via the on-board entertainment platform, yet this has happened. Furthermore, white hats Miller and Valasek exposed this hack when they gained control of a Jeep’s brakes and steering after accessing the in-car entertainment system.
No software is 100% safe from exploitation, so having this secure separation means if one piece is compromised, the attackers will not be able to use it as a stepping-stone into other areas of the system.
Who is responsible?
Responsibility undoubtedly comes up in most conversations about IoT security, but who bears the blame? The fact is users, vendors, service providers and operators, and regulators are all important players and need to work together on a common platform to provide a more secure approach.
Users can raise their awareness that their new gadgets are not secure and are likely riddled with vulnerabilities and, if this concerns them, check for any updates and take control of their home networks by making sure there are no ports open unnecessarily.
Correspondingly, vendors need to operate under the assumption that users won’t do any of this and make sure their devices are updatable to take into account any security threats and take the burden off of the consumer.
This will also see service providers and operators included in these conversations about security, particularly where a connected device is dependent on a cloud or other service in order to fully function.
When it comes to the government, initiatives such as the aforementioned guidelines suggested by the DHS are suitable indicators of what is expected from manufacturers and developers.
While it may have taken them time to react, it is encouraging to see them take a strong stance on security. Some within the tech realm even want the IoT to be regulated by an industry body to maintain and monitor security and give transparency to the user on products.
In fact, during a recent Info-security webinar, the 100+ audience was polled and 52% thought this was a viable means of dealing with IoT security.
As the IoT develops, lessons from the past must be taken on board in order to prepare for the future. This brings with it questions that need answers to ensure the security of IoT and the protection of the population.
The mentioned solutions are obviously describing an ideal “promised land” of hardware security and should encourage change within the IoT landscape. This is a journey that must be taken as an industry because eventually, everyone in our world will be connected, so the potentially fatal security issues that have previously broken the Internet of Things must be managed.
Sourced by Art Swift, president at the prpl Foundation