By David West
Engineering Director
Icon Labs
www.iconlabs.com

 

 

The IoT
is here but we need to make it safe
, according to a recent article by editor
Paul O’Shea. This article takes it the needed one step further and tells you
how and what you need to do to protect your connected devices.

 

In
July of 2014, HP Labs did a study of 10 popular IoT devices and found security
was shockingly bad. The researchers studied 10 devices, looking at end-to-end
security capabilities including privacy protection, authorization, encryption,
user interface protection, and code security. They found 70% of the devices had
at least one major vulnerability.  At the
end of their study, researchers identified over 250 vulnerabilities, an average
of 25 per device.  Security was clearly
an afterthought or not considered at all. That’s bad enough for an engineer to deal with, but much
worse for the unprepared consumer.

 

An
average consumer, or even a security savvy consumer, has little ability to know
which brand of IoT device has better security or any at all, leaving the
primary responsibility for securing their devices squarely with the OEM.

 

lockwebdevices-HiRes

 

 

A
compromised consumer device may have little impact on the device’s performance
and the consumer may not even realize their device was hacked. Should the OEM
care? Absolutely!
On the surface, the hacked device may seem benign. But a device, like a smart
refrigerator, may reveal WiFi credentials to a hacker giving them a beachhead
from which they can then attack other more critical devices on the network. So,
it’s about more than just protecting the device itself.

 

It seems moments
after a solution against digital invasion is in place, someone finds a way to
circumvent it. Security is in many ways an ongoing, never ending arms race and hackers
are adept at finding ways to exploit security vulnerabilities.  The key is to add appropriate levels of
security making it more expensive for the hacker (in terms of time and
computing resources) to exploit a device or system. Hackers usually go after
the easy exploits, and avoid the challenges offering little financial or ego
benefit.

 

The first step
for the OEM is to evaluate their device’s vulnerabilities, decide what to
protect against, and determine how the economics of the device is impacted.

 

Vulnerabilities
in IoT devices

Design vulnerabilities are weaknesses resulting
from a failure to include proper security measures when developing the IoT
device. Examples of design vulnerabilities in HP’s study include use of
hard-coded passwords, control interfaces with no user authentication, and use
of communication protocols sending passwords and other sensitive information in
the clear.  Other, less glaring examples
include devices without secure boot or allowing unauthenticated remote firmware
updates.

 

iot-socket_securityneeded

 

 

Security
capabilities

 

Adding a few basic security capabilities can
make IoT devices dramatically more secure, and greatly reduce the risk of
falling victim to a cyber-attack including:  

 

  • Secure
    boot
  • Secure
    remote firmware update
  • Secure
    communication
  • Data
    protection
  • User
    authentication

 

Secure Boot

 

Secure boot utilizes cryptographic code
signing techniques ensuring the device only executes code produced by the
device OEM or other trusted party.  Use
of secure boot technology prevents hackers from replacing the firmware with
malicious versions, thereby blocking a wide range of attacks.

 

Secure Firmware
Update

 

Secure firmware updates ensure device
firmware can be updated, but only with firmware from the device OEM or other
trusted party.  Like secure boot, secure
firmware updates ensure the device is always running trusted code and blocks
any attacks attempting to exploit the device’s firmware update process.

 

Secure
Communication

 

Utilization of security protocols like TLS,
DTLS, and IPSec adds authentication and data-in-motion protection to IoT
devices.   By eliminating sending data in
the clear, it is much more difficult for hackers to eavesdrop on communications
and discover passwords, device configuration, or other sensitive information.

 

Data Protection

 

Security protocols provide protection for
data while it is transmitted across networks, but does not protect the data
while it is stored on the device.  Large
data breaches often result from data recovered from stolen or discarded
equipment.  Encryption of all sensitive
data stored on the device provides protection should the device be discarded,
stolen, or accessed by an unauthorized party. For instance, most office, business,
and personal printers have an integrated drive inside storing tens of thousands
of documents.

 

User
Authentication

 

Weak or non-existent user authentication recently
resulted in thousands of IP cameras with well-publicized default passwords
being enlisted in a high-profile Denial of Service attack. A strong user
authentication method is a clear requirement for device security. 

 

The Consumer

 

On an
individual level, there is less we can do. 
If a company produces an insecure product the consumer can either live
with it or not buy it.  For those
products with built-in security, users must enable appropriate levels of
security, change default passwords, and use strong passwords.

 

The cameras
used as bots in the Mirai botnet infestation could have been protected from
attack. Secure boot, firewall, or intrusion detection each could have
individually avoided the takeover of the cameras enabling the attack. These
have the benefit of not requiring the user to remember passwords or unique
logins. For as little as 1% of the price for the device, this public disaster
could have been avoided.

 

Summary            

 

Security is a requirement for all consumer IoT
devices, no matter how small or seemingly insignificant.  By adding a few basic capabilities, the
security of any device can be significantly increased.  These solutions, including Icon Labs
Floodgate Security Framework, are effective in blocking cyber-attacks and can
be utilized in very resource limited IoT devices.

 

More info at http://www.iconlabs.com/prod/how-protect-connected-home-devices-and-appliances-cyber-attacks

 

 

David
West is the Engineering Director of Icon Labs, a leading provider of security
software for IoT and embedded devices.
 Icon Labs was named
a 2014 Gartner “Cool Vendor” and 2015 Gartner “Select Vendor”, and is focused
on creating The Internet of Secure Things by providing a security for even the
smallest IoT devices.  You can reach him
at
david.west@iconlabs.com.