BY DAVID WEST, Engineering Director
Icon Labs
www.iconlabs.com 

The IoT is here, but we need to make it safe, according to a recent article by editor Paul O’Shea. This article takes it the needed one step further and tells you what you need to do, and how, to protect your connected devices.

In July of 2014, HP Labs did a study of 10 popular IoT devices and found that security was shockingly bad. The researchers studied 10 devices, looking at end-to-end security capabilities, including privacy protection, authorization, encryption, user interface protection, and code security. They found that 70% of the devices had at least one major vulnerability. At the end of their study, the researchers had identified over 250 vulnerabilities, an average of 25 per device. Security was clearly an afterthought or not considered at all. That’s bad enough for an engineer to deal with, but much worse for the unprepared consumer.

An average consumer, or even a security-savvy consumer, has little ability to know which brand of IoT device has better security, or any at all, leaving the primary responsibility for securing their devices squarely with the OEM.

A compromised consumer device may have little impact on the device’s performance, and the consumer may not even realize that their device was hacked. Should the OEM care? Absolutely! On the surface, the hacked device may seem benign. But a device like a smart refrigerator may reveal Wi-Fi credentials to a hacker, giving them a beachhead from which they can then attack other, more critical devices on the network. So it’s about more than just protecting the device itself.

It seems that moments after a solution against digital invasion is in place, someone finds a way to circumvent it. Security is, in many ways, an ongoing, never-ending arms race, and hackers are adept at finding ways to exploit security vulnerabilities. The key is to add appropriate levels of security, making it more expensive for the hacker (in terms of time and computing resources) to exploit a device or system. Hackers usually go after the easy exploits and avoid the challenges offering little financial or ego benefit.

The first step for the OEM is to evaluate their device’s vulnerabilities, decide what to protect against, and determine how the economics of the device are affected.

Vulnerabilities in IoT devices
Design vulnerabilities are weaknesses resulting from a failure to include proper security measures when developing the IoT device. Examples of design vulnerabilities in HP’s study include the use of hard-coded passwords, control interfaces with no user authentication, and the use of communication protocols that send passwords and other sensitive information in the clear. Other, less glaring examples include devices without secure boot or devices allowing unauthenticated remote firmware updates.

Security capabilities
Adding a few basic security capabilities can make IoT devices dramatically more secure and greatly reduce the risk of falling victim to a cyberattack. These capabilities include:

  • Secure boot
  • Secure remote firmware update
  • Secure communication
  • Data protection
  • User authentication

Secure boot
Secure boot utilizes cryptographic code signing techniques, ensuring that the device only executes code produced by the device OEM or another trusted party. Use of secure boot technology prevents hackers from replacing the firmware with malicious versions, thereby blocking a wide range of attacks.

Secure firmware update
Secure firmware updates ensure that device firmware can be updated, but only with firmware from the device OEM or another trusted party. Like secure boot, secure firmware updates ensure that the device is always running trusted code and block any attacks attempting to exploit the device’s firmware update process.

Secure communication
Utilization of security protocols like TLS, DTLS, and IPsec adds authentication and data-in-motion protection to IoT devices. By eliminating data sent in the clear, it becomes much more difficult for hackers to eavesdrop on communications and discover passwords, device configuration, or other sensitive information.
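Simply "using TLS" is not enough: a device that skips certificate verification is still open to an attacker who sits in the middle and presents their own certificate. The following added example (not the article's or Icon Labs' code; the function names are assumptions) builds the weak client configuration a rushed product often ships with next to a hardened one, and audits both with Python's `ssl` module without opening any network connection.

```python
"""Client-side TLS configuration audit for a connected device.

Added example, not Icon Labs code; function names are assumptions.
No socket is opened: the contexts are only built and inspected.
"""
import ssl


def weak_client_context():
    """Encrypts, but authenticates nobody: any server (or attacker in the
    middle) presenting any certificate is accepted, and old TLS versions
    are allowed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context(ca_bundle=None):
    """Verify the server certificate against a trust root (the OEM's own CA
    bundle if ca_bundle is given), check the hostname, refuse legacy TLS."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings


if __name__ == "__main__":
    print("weak:", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

Passing the OEM's own CA bundle to `hardened_client_context` pins the device to the OEM's infrastructure, which is usually preferable to trusting every public CA on an embedded device.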

Data protection
Security protocols protect data while it is transmitted across networks but do not protect the data while it is stored on the device. Large data breaches often result from data recovered from stolen or discarded equipment. Encryption of all sensitive data stored on the device provides protection should the device be discarded, stolen, or accessed by an unauthorized party. For instance, most office, business, and personal printers have an integrated drive inside, storing tens of thousands of documents.
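Encrypting stored data is only useful if the key is not stored next to it and if tampering with the stored record is detected. The following added example (not the article's or Icon Labs' code; the names and the record layout are assumptions) shows an authenticated encrypt-then-MAC record using only the Python standard library: PBKDF2 derives keys from a per-device secret, an HMAC-SHA256 counter-mode keystream stands in for AES-CTR, and an HMAC tag is checked before anything is decrypted. A real device should use AES-GCM from a vetted library and keep the device secret in protected storage.

```python
"""Authenticated encryption for data at rest on a device.

Added example, not Icon Labs code. Names and record layout are assumptions.
Record layout: nonce || ciphertext || tag. HMAC-SHA256 in counter mode
stands in for AES-CTR; use AES-GCM from a vetted library in production.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(device_secret, salt, iterations=100_000):
    """Master key via PBKDF2, then separate encryption and MAC subkeys."""
    master = hashlib.pbkdf2_hmac("sha256", device_secret, salt, iterations, dklen=32)
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    """HMAC(enc_key, nonce || counter) blocks, concatenated to the needed length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                            hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def seal(plaintext, enc_key, mac_key):
    """Encrypt then MAC. A fresh random nonce per record: reusing one with the
    same key would leak the XOR of two plaintexts."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(blob, enc_key, mac_key):
    """Verify the tag first; return None (decrypt nothing) if it fails."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


if __name__ == "__main__":
    ek, mk = derive_keys(b"per-device-secret", b"constructed-salt")
    rec = seal(b"wifi-psk: correct horse battery", ek, mk)
    print("round trip:", unseal(rec, ek, mk))
    damaged = bytearray(rec); damaged[NONCE_LEN] ^= 0x01
    print("tampered record:", unseal(bytes(damaged), ek, mk))
```

Because the tag is checked before decryption, a record lifted from a discarded drive and modified offline is rejected outright rather than decrypted into garbage the application might act on.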

User authentication
Weak or non-existent user authentication recently resulted in thousands of IP cameras with well-publicized default passwords being enlisted in a high-profile Denial-of-Service attack. A strong user authentication method is a clear requirement for device security.
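The device side of "strong user authentication" is a credential store that never ships with a usable default password, refuses well-known defaults and weak choices when the owner sets one, and stores only salted hashes. The following added example (not the article's or Icon Labs' code; the default-password list, the policy values and the class name are assumptions) implements that policy with the Python standard library.

```python
"""Device credential policy: no usable factory password, hashed storage.

Added example, not Icon Labs code; the default-password list, policy
values and names are assumptions.
"""
import hashlib
import hmac
import os

# Constructed list of factory defaults that must never be accepted.
KNOWN_DEFAULTS = {"admin", "password", "12345", "123456", "root", "1234", "admin1234"}
MIN_LENGTH = 12
ITERATIONS = 200_000
_DUMMY_SALT = b"\x00" * 16   # used to equalize timing for unknown accounts


def password_rejection_reason(password, username=""):
    """Return None if the password is acceptable, otherwise why it is refused."""
    if password.lower() in KNOWN_DEFAULTS:
        return "well-known default password"
    if len(password) < MIN_LENGTH:
        return "shorter than %d characters" % MIN_LENGTH
    if username and username.lower() in password.lower():
        return "contains the username"
    classes = sum((any(c.islower() for c in password),
                   any(c.isupper() for c in password),
                   any(c.isdigit() for c in password),
                   any(not c.isalnum() for c in password)))
    if classes < 3:
        return "needs at least three character classes"
    return None


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class CredentialStore:
    """Holds only (salt, PBKDF2 hash) per user; factory accounts start unusable."""

    def __init__(self):
        self._users = {}
        self.must_change = set()

    def provision_factory_account(self, username):
        """Create the account with no password at all: the first login over
        the setup channel must set one, so there is never a default to guess."""
        self._users[username] = None
        self.must_change.add(username)

    def set_password(self, username, password):
        reason = password_rejection_reason(password, username)
        if reason:
            return False, reason
        salt = os.urandom(16)
        self._users[username] = (salt, _hash(password, salt))
        self.must_change.discard(username)
        return True, "password set"

    def verify(self, username, password):
        record = self._users.get(username)
        if record is None:
            _hash(password, _DUMMY_SALT)   # same cost, so timing does not reveal valid usernames
            return False
        salt, digest = record
        return hmac.compare_digest(_hash(password, salt), digest)


if __name__ == "__main__":
    store = CredentialStore()
    store.provision_factory_account("admin")
    print("login with factory default:", store.verify("admin", "admin"))
    print("set 'admin':", store.set_password("admin", "admin"))
    print("set strong:", store.set_password("admin", "Tr0ub4dor&3xyz"))
    print("login:", store.verify("admin", "Tr0ub4dor&3xyz"))
```

The important property is the first one: before the owner sets a password, `verify` returns False for every guess, so a device that is connected and forgotten never sits behind a credential an attacker can look up.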

The consumer
On an individual level, there is less that we can do. If a company produces an insecure product, the consumer can either live with it or not buy it. For those products with built-in security, users must enable appropriate levels of security, change default passwords, and use strong passwords.

The cameras used as bots in the Mirai botnet infestation could have been protected from attack. Secure boot, a firewall, or intrusion detection could each have individually prevented the takeover of the cameras that enabled the attack. These have the benefit of not requiring the user to remember passwords or unique logins. For as little as 1% of the price of the device, this public disaster could have been avoided.
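The intrusion detection mentioned above does not need to be elaborate on a camera-class device. The takeover the paragraph describes leaves a simple trace in the device's own login log: a burst of failed logins from one source, followed by a success. The following added example (not the article's or Icon Labs' code; the log format, the constructed sample lines and the thresholds are assumptions) flags that pattern in a single pass and produces a block list that a host firewall rule could consume.

```python
"""Brute-force login detection over a device's login log.

Added example, not Icon Labs code. Log format, sample lines and thresholds
are constructed assumptions. A source is blocked after THRESHOLD failures
within WINDOW; a success from a source that just failed that often is
reported as a likely compromise.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5
WINDOW = timedelta(seconds=60)
LINE = re.compile(r"^(\S+) auth (ok|fail) user=(\S+) src=(\S+)$")

# Constructed sample log: one source guessing default accounts and then
# succeeding; a second source is the legitimate owner mistyping once.
SAMPLE_LOG = """\
2016-09-20T10:00:01 auth fail user=root src=203.0.113.7
2016-09-20T10:00:02 auth fail user=admin src=203.0.113.7
2016-09-20T10:00:03 auth fail user=root src=203.0.113.7
2016-09-20T10:00:04 auth fail user=admin src=203.0.113.7
2016-09-20T10:00:05 auth fail user=support src=203.0.113.7
2016-09-20T10:00:06 auth ok user=root src=203.0.113.7
2016-09-20T10:01:00 auth fail user=owner src=192.0.2.10
2016-09-20T10:05:00 auth ok user=owner src=192.0.2.10
"""


def parse(line):
    """Return (timestamp, success, user, src) or None for lines that don't match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, result, user, src = m.groups()
    return datetime.fromisoformat(ts), result == "ok", user, src


def detect(log_text):
    """Single pass over the log. Returns (blocked_sources, alerts), where each
    alert is (timestamp, src, message)."""
    failures = defaultdict(deque)   # src -> timestamps of failures inside WINDOW
    blocked = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, ok, _user, src = rec
        recent = failures[src]
        while recent and ts - recent[0] > WINDOW:   # drop failures older than WINDOW
            recent.popleft()
        if ok:
            if src in blocked or len(recent) >= THRESHOLD:
                alerts.append((ts, src, "login succeeded after %d failures: likely compromise"
                               % len(recent)))
            continue
        recent.append(ts)
        if len(recent) >= THRESHOLD and src not in blocked:
            blocked.add(src)
            alerts.append((ts, src, "brute force: %d failures in %ds"
                           % (len(recent), WINDOW.seconds)))
    return blocked, alerts


if __name__ == "__main__":
    blocked, alerts = detect(SAMPLE_LOG)
    print("block list:", sorted(blocked))
    for ts, src, msg in alerts:
        print(ts.isoformat(), src, msg)
```

On a real device the block set would feed a firewall rule (drop further connections from that source) and the alerts would go to the owner or the OEM's monitoring, which is the point of the paragraph: the user does not have to do anything for this protection to work.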

 

Summary
Security is a requirement for all consumer IoT devices, no matter how small or seemingly insignificant. By adding a few basic capabilities, the security of any device can be significantly increased. These solutions, including the Icon Labs Floodgate Security Framework, are effective in blocking cyberattacks and can be utilized in very resource-limited IoT devices.

More info at http://www.iconlabs.com/prod/how-protect-connected-home-devices-and-appliances-cyber-attacks
 

David West is the Engineering Director of Icon Labs, a leading provider of security software for IoT and embedded devices. Icon Labs was named a 2014 Gartner “Cool Vendor” and 2015 Gartner “Select Vendor” and is focused on creating The Internet of Secure Things by providing security for even the smallest IoT devices. You can reach him at david.west@iconlabs.com.