By Brad Ree, CTO, ioXt Alliance
As Internet of Things device volumes and consumer use continue to increase, there has simultaneously been an uptick in innovative and sophisticated attacks on this technology. As of December 2019, according to SonicWall’s 2020 Cyber Threat Report, there were 34.3 million attacks in total, and this number is only expected to rise. With newly manufactured IoT devices introduced to the market each year as well, an increase in attacks should not only be expected, but strategically planned for. It’s no longer a matter of if, but when, they will happen.
With IoT devices still at serious risk, it’s important that industry stakeholders understand the current landscape of the technology, from identifying potential vulnerabilities to knowing how to secure IoT devices against future threats and taking action accordingly. Recently, the ioXt Alliance held an industry conference where leaders came together to share their insights on these topics and discuss top-of-mind trends specifically related to hardware hacking, as well as the most effective ways to identify and secure devices against hardware hackers. Below are just a few highlights from the event’s sessions.
3 areas of security that are failing
During the Cold War, scientists created the internet as a new way for government leaders to safely communicate and share information. Fearing an attack from the Soviet Union on the nation’s telephone system, they developed the internet to withstand any nuclear weapons or missile fire, and physical access to the network was therefore limited to an invited and approved set of users. At the time, security inherently wasn’t as big a concern for scientists working on this kind of closed system, and any further security was added through applications installed on an as-needed basis rather than being included from the ground up. According to Bruce Schneier, author of Schneier on Security, the consequences of this are still present in 2020, leaving long-standing security systems to fail as the World Wide Web and IoT devices become even more linked today.
One of the areas that is failing, according to Schneier, is patching. Embedded systems, including computers and phones, have teams of engineers who do their best to secure these devices right off the bat, and when a vulnerability is discovered, the team quickly and efficiently works to build a security patch. Unfortunately, given today’s competitive market pressures around consumer electronics devices, combined with the exorbitant number of devices per model and the long lifespan of each device, companies today can’t always justify the cost of employing an engineer to staff each of their security updates. This is especially true for low-cost embedded systems, such as DVRs and home routers, which continue to exist without any security teams associated with them and therefore have no effective way to be patched. In fact, the only way to “patch” these devices is essentially to throw them out and get new ones.
Another area that is failing is authentication. Manual passwords barely work, two-factor authentication is good but not for every situation, and backup authentication is unreliable. Over time, there is going to be an increase in “thing-to-thing” authentication, and it’s important that this is able to scale accordingly. For example, a smartphone (thing 1) will automatically sync with a car’s system (thing 2) when a user enters a car, but it’s important to note that this pairing was originally authenticated manually by the user. This manual authentication is simple when there are few devices, but it’s nearly impossible when it reaches a larger scale of hundreds to thousands of devices.
The last area Schneier noted is supply chain security, which is failing mainly because it’s incredibly difficult. Over the past few years, there have been concerns about whether certain countries, and the equipment and software that they provide, can be trusted. But where does that leave manufacturers? If a smartphone were sourced solely in the U.S., it would be incredibly expensive, yet manufacturers need to be able to trust their various mechanisms, including distribution, updates and shipping.
However, the biggest conundrum is that manufacturers can’t trust anyone, yet need to trust everyone at the same time. According to Schneier, this boils down to a policy problem, rather than a problem with trust. Since everyone uses the same devices, security must either be built for everyone or built for no one; adding backdoors makes it easier for those in the FBI to eavesdrop for the greater good, but it also makes it easier for the everyday consumer to eavesdrop. Our systems are too fragile, so if security for systems is to be taken seriously in a world where consumer devices have national security implications, resilience must also be a leading factor.
Thinking like a hacker is key
In order to build better, more secure products, Ted Harrington of Independent Security Evaluators explained that manufacturers need to understand how to find vulnerabilities as part of an overall approach, which includes thinking as a hacker would. All attackers need to find is one – only one – weakness in a manufacturer’s product to wreak havoc, meaning manufacturers need to defend against any and all attack vectors in order to be truly secure. One of the issues is that most manufacturers think of security as an automated process and rely solely on tools to detect vulnerabilities, assuming that a one-and-done scan will suffice. However, evaluating the true weaknesses of devices goes beyond a scan and is actually better suited to a manual process, often most successful when done by someone with the necessary skills and experience.
To be most effective, it’s critical to first understand what a developer was thinking when they created the hardware in the first place, and what they assumed – at the time – the consumer would and wouldn’t do with it. When this insight into flawed developer assumptions is combined with analysis of how the device can be used maliciously, the resulting overlap highlights where the most critical security vulnerabilities sit and how they can be identified.
This is a common thread in various hardware hacking techniques, which Harrington identified as abuse functionality, chain exploits, and unknown unknowns. Abuse functionality means taking the way a system is built and using its features to sabotage it, against the way developers had intended; chain exploits link multiple system exploits together to amplify their effects; and unknown unknowns simply means that it’s imperative to identify the things we don’t even know we don’t know, which is not an easy feat but one that must be tackled.
The current landscape of physical security
Over the last 20 years, attacks on IoT devices predominantly happened remotely through the internet or cloud, but according to Mike Dow, Senior Project Manager, IoT Security of Silicon Labs and ioXt Alliance board member, there has been a big shift towards local attacks on the physical device today. As experts have become more aware of remote attacks, hackers have adjusted their methods to pursue other avenues, focusing more on things like operational technology (OT), such as fire alarm systems, building control systems, and MRP systems.
A high-rise in New York City could now be a prime target. If hackers are able to gain access to the building’s fire alarm and security systems, they can trigger the alarm and empty the building, despite there not being an actual fire. From there, they can even lock the doors to keep everyone from re-entering the building, only relinquishing control for a large ransom. This is, of course, just one example of this kind of exploitation, but it demonstrates just how far hackers have come and how sophisticated and detrimental their attacks can be.
But unlike 20 years ago, governing bodies and industry organizations are now going beyond just acknowledging these kinds of risks, and are actually starting to take action against them. States such as California and Oregon, for instance, are creating regulations around IoT security, and organizations such as NIST in the U.S. and ETSI in Europe have created security best practices and guidelines for connected devices.
While these are steps in the right direction, the insights shared above, along with other session discussions, have further exposed the great deal of work that still needs to be done when it comes to IoT security, especially for physical devices. They also highlight the pitfalls of today’s fragmented and isolated tactics and the increasing need for harmonized, globally adopted and replicable IoT security standards, like those proposed by the ioXt Alliance and its participating industry leaders. As the industry continues to address these issues head on, this approach will be what sets companies up for real success, and it is why, above all, technology leaders, manufacturers, and regulators must band together to keep brands and their consumers safe from cyber harm.
Brad Ree (CTO, ioXt Alliance)
Brad Ree is chief technology officer of ioXt. In this role, he leads ioXt’s security products supporting the ioXt Alliance. Brad holds over 25 patents and is the former security advisor chair for Zigbee. He has developed communication systems for AT&T, General Electric, and Arris. Before joining ioXt, Brad was vice president of IoT security at Verimatrix, where he led the development of blockchain solutions for ecosystem operators. He is highly versed in many IoT protocols and their associated security models.