BY ALAN GRAU, ICON LABS
With the building wave of IoT products, services and media coverage, it’s no surprise that IoT security continues to make headlines. Some of the headlines are positive – companies announcing security solutions or standards groups beginning to address security issues – while others are negative – stories of IoT systems being hacked or of IoT device vulnerabilities.
One message that is often lost in the noise is that there are solutions to IoT security, even for the smallest of IoT devices. Security, in many ways, is an arms race: security vendors continue to develop better security solutions while the black hats continue to discover new vulnerabilities. Even so, the vast majority of security vulnerabilities in IoT devices are the result of manufacturers failing to include basic security in their products.
Design vulnerabilities are weaknesses that result from a failure to include proper security measures when developing the device, and are the focus here. Examples of design vulnerabilities that have resulted in security breaches include use of hard-coded passwords, control interfaces with no user authentication, and use of communication protocols that send passwords and other sensitive information in the clear. Other, less glaring examples include devices without secure boot or that allow unauthenticated remote firmware updates.
Adding a few basic security capabilities can make IoT devices dramatically more secure and greatly reduce the risk of falling victim to a cyber-attack. These capabilities are:
• Secure boot
• Secure remote firmware update
• Secure communication
• Data protection
• User authentication
Secure boot utilizes cryptographic code signing techniques to ensure the device only executes code that was produced by the device OEM or other trusted party. Use of secure boot technology prevents hackers from replacing the firmware with malicious versions, thereby blocking a wide range of attacks.
Secure firmware updates ensure that device firmware can be updated, but only with firmware from the device OEM or other trusted party. Like secure boot, secure firmware update ensures the device is always running trusted code and blocks any attacks attempting to exploit the device’s firmware update process.
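Secure boot and secure firmware update rest on the same mechanism: the OEM signs each image with a private key it never releases, and the device holds only the matching public key and refuses anything that does not verify. The following Go program is an added illustration of that mechanism; it is not code from the article, from Icon Labs or from any shipped bootloader. The image layout (magic, version, length, payload, Ed25519 signature), the `FWIM` magic value and the sample payload are constructed for this example. The same `VerifyImage` check serves both places the text names, the bootloader and the updater, and also enforces anti-rollback so that a genuinely signed but older release cannot be pushed back onto the device.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout, constructed for this example (not a real OEM format):
//
//	magic(4) | version(4, big-endian) | payloadLen(4, big-endian) | payload | signature(64)
//
// The Ed25519 signature covers header and payload, so neither can be altered
// without invalidating it. The device stores only the OEM public key.
const (
	magic    = "FWIM"
	hdrLen   = 12
	sigLen   = ed25519.SignatureSize
	minImage = hdrLen + sigLen
)

var (
	ErrFormat    = errors.New("malformed firmware image")
	ErrSignature = errors.New("signature does not verify against the OEM public key")
	ErrRollback  = errors.New("image version is older than the installed version")
)

// SignImage runs on the OEM build server: it wraps payload in the header and
// signs the result with the OEM private key, which never leaves the OEM.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	img := make([]byte, hdrLen, hdrLen+len(payload)+sigLen)
	copy(img[0:4], magic)
	binary.BigEndian.PutUint32(img[4:8], version)
	binary.BigEndian.PutUint32(img[8:12], uint32(len(payload)))
	img = append(img, payload...)
	return append(img, ed25519.Sign(priv, img)...)
}

// VerifyImage runs on the device, in the bootloader (secure boot) and in the
// updater (secure firmware update). It accepts an image only if it is well
// formed, signed by the OEM key and not older than the installed version.
// On success it returns the version and the payload that is safe to run or flash.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < minImage || string(img[:4]) != magic {
		return 0, nil, ErrFormat
	}
	version := binary.BigEndian.Uint32(img[4:8])
	if n := binary.BigEndian.Uint32(img[8:12]); int(n) != len(img)-minImage {
		return 0, nil, ErrFormat
	}
	signed, sig := img[:len(img)-sigLen], img[len(img)-sigLen:]
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrSignature
	}
	if version < installed {
		return 0, nil, ErrRollback
	}
	return version, signed[hdrLen:], nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed firmware payload")
	installed := uint32(1)

	good := SignImage(priv, 2, payload)
	tampered := append([]byte(nil), good...)
	tampered[hdrLen] ^= 0x01 // flip one payload bit after signing
	_, attacker, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignImage(attacker, 3, payload) // valid signature, but not the OEM key
	old := SignImage(priv, 0, payload)        // genuine, but a downgrade

	for _, tc := range []struct {
		name string
		img  []byte
	}{{"genuine v2", good}, {"tampered", tampered}, {"forged", forged}, {"downgrade", old}, {"truncated", good[:5]}} {
		v, _, err := VerifyImage(pub, installed, tc.img)
		fmt.Printf("%-11s -> version %d, err %v\n", tc.name, v, err)
	}
}
```

In a real device the public key would live in ROM, OTP fuses or a secure element rather than in rewritable flash; otherwise an attacker who can rewrite firmware can also swap the key.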
Utilization of security protocols such as TLS, DTLS, and IPsec adds authentication and data-in-motion protection to IoT devices. By no longer sending data in the clear, they make it much more difficult for hackers to eavesdrop on communications and discover passwords, device configuration or other sensitive information.
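The authentication that TLS adds only works if the device actually checks the certificate the other end presents, and a common shortcut in IoT firmware is to disable that check. The Go program below is an added example, not code from the article or from Icon Labs: it builds a constructed OEM root CA, issues a certificate for a constructed gateway name (`device-gateway.example`), and shows the verification a device should perform against the chain it receives in the handshake, accepting the genuine certificate and rejecting a self-signed impostor and an OEM-issued certificate for the wrong host. `VerifyServer` has the shape of `tls.Config.VerifyPeerCertificate`, and `DeviceTLSConfig` is the client configuration that performs the same checks by default.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// GatewayName is the hostname the device expects in the server's certificate
// (a constructed placeholder for this example).
const GatewayName = "device-gateway.example"

// issue creates a certificate for name. With parent == nil it is self-signed:
// a root CA when isCA is true, or an impostor's throwaway certificate when not.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{name}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// VerifyServer is the check a device performs on the certificate chain a server
// presents: the leaf must chain to a CA the OEM provisioned into the device and
// must be issued for the expected hostname. Same shape as tls.Config.VerifyPeerCertificate.
func VerifyServer(roots *x509.CertPool, serverName string, rawCerts [][]byte) error {
	if len(rawCerts) == 0 {
		return errors.New("server presented no certificate")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return err
	}
	intermediates := x509.NewCertPool()
	for _, raw := range rawCerts[1:] {
		c, err := x509.ParseCertificate(raw)
		if err != nil {
			return err
		}
		intermediates.AddCert(c)
	}
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		DNSName:       serverName,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// DeviceTLSConfig is the client configuration a device should ship with: a
// pinned trust store, the expected server name and a modern minimum version.
// Setting InsecureSkipVerify: true instead would accept any certificate and
// let anyone on the path impersonate the gateway.
func DeviceTLSConfig(roots *x509.CertPool, serverName string) *tls.Config {
	return &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12}
}

func main() {
	ca, caKey := issue("Example OEM Root CA", true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)

	genuine, _ := issue(GatewayName, false, ca, caKey)
	impostor, _ := issue(GatewayName, false, nil, nil) // right name, untrusted issuer
	wrongHost, _ := issue("other-host.example", false, ca, caKey)

	for _, tc := range []struct {
		label string
		cert  *x509.Certificate
	}{{"genuine gateway", genuine}, {"self-signed impostor", impostor}, {"OEM cert, other host", wrongHost}} {
		fmt.Printf("%-22s -> %v\n", tc.label, VerifyServer(roots, GatewayName, [][]byte{tc.cert.Raw}))
	}
	_ = DeviceTLSConfig(roots, GatewayName)
}
```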
Security protocols provide protection for data while it is being transmitted across networks, but do not protect the data while it is stored on the device. Large data breaches have resulted from data recovered from stolen or discarded equipment. Encryption of all sensitive data stored on the device provides protection should the device be discarded, stolen or accessed by an unauthorized party.
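Protecting stored data means more than hiding it: a record that an attacker can silently alter (a tampered configuration, for instance) is nearly as dangerous as one they can read. The following Go program is an added example, not code from the article or from Icon Labs, of encrypting a device's configuration blob at rest with AES-256-GCM, which gives confidentiality and integrity in one step. The key, the `config/v1` label and the sample JSON are constructed for the example; on a real device the key would come from a secure element, OTP fuses or a key derived from them, never from the same flash as the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Stored record layout (constructed for this example): nonce(12) | ciphertext | tag(16).

var ErrTampered = errors.New("stored record failed authentication")

// Seal encrypts a configuration blob for storage. label is bound to the record
// as associated data, so a record copied from one slot or file to another fails
// to open even though its bytes are intact. A fresh random nonce per Seal is
// what makes it safe to rewrite the same configuration many times under one key.
func Seal(key []byte, label string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce, giving nonce|ct|tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// Open reverses Seal. Any change to nonce, ciphertext, tag or label yields
// ErrTampered rather than silently corrupt plaintext.
func Open(key []byte, label string, record []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize()+gcm.Overhead() {
		return nil, ErrTampered
	}
	nonce, ct := record[:gcm.NonceSize()], record[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(label))
	if err != nil {
		return nil, ErrTampered
	}
	return pt, nil
}

func main() {
	key := make([]byte, 32) // AES-256; constructed here, device-unique in practice
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	cfg := []byte(`{"wifi_psk":"constructed-example-secret","mqtt_user":"dev-0042"}`)

	rec, err := Seal(key, "config/v1", cfg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes, none of them readable: %x...\n", len(rec), rec[:16])

	back, err := Open(key, "config/v1", rec)
	fmt.Printf("open with right key/label: %s (err %v)\n", back, err)

	flipped := append([]byte(nil), rec...)
	flipped[len(flipped)-1] ^= 0x80 // corrupt one bit of the tag
	_, err = Open(key, "config/v1", flipped)
	fmt.Println("open after bit flip:      ", err)

	_, err = Open(key, "config/v2", rec)
	fmt.Println("open under other label:   ", err)
}
```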
Weak or non-existent user authentication has resulted in several high-profile device vulnerabilities, including medical devices with hard-coded passwords reported by the FDA. A strong user authentication method is a clear requirement for device security.
Security is a requirement for all IoT devices, no matter how small or seemingly insignificant. By adding a few basic capabilities, the security of any device can be significantly increased. Solutions, including the Icon Labs Floodgate Security Framework, exist and are tailored for use in very resource-limited IoT devices. These solutions are effective in blocking cyber-attacks. Strong passwords, basic authentication and ensuring the device is running authentic code go a long way toward protecting IoT devices from cyber-threats.
Des Moines, IA