Rambus: Closing the door on IoT hackers
In a contributed article to Internet of Business, Asaf Ashkenazi, vice president of IoT security products at semiconductor and IP products company Rambus, says it’s time that IoT devices stopped leaving the door open to hackers.
“Woefully inadequate.” That was the verdict given last year on smart home device security by Dimitrios Pavlakis of ABI Research. Connected devices are riddled with insecurities, badly coded APIs and poor encryption, Pavlakis wrote in a research note, providing an open door for unscrupulous operators looking to exploit them.
A year on, has anything much changed? Not really. The vast majority of IoT devices still leave that door wide open. They’re vulnerable to a wide range of attacks. Clearly, connecting traditionally ‘standalone’ smart devices such as lights, appliances and locks introduces numerous cyber security risks.
For example, a connected home door lock is designed to collect and transfer data to the cloud about the entry and exit habits of family members. This could easily be exploited if the smart door lock device is compromised by cyber criminals.
Similarly, a smart thermostat that collects usage data for real-time energy optimization must be designed to protect information from unauthorized access that could indicate that a home is empty, making it an ideal target for burglars.
Despite the alarming lack of security, Gartner forecasts that IoT technologies will be found in 95 percent of electronics for new product designs by 2020. As analysts at the company recently explained: “The combination of smartphone management, cloud control and inexpensive enabling modules delivers sophisticated monitoring, management and control with minimal additional cost in the target device.”
“Once this technology emerges,” they continue, “buyers will rapidly gravitate to IoT-capable products and interest in and demand for IoT-enabled products will rapidly snowball. Every supplier must, at the very least, make plans to implement IoT technology into its products, for both consumer and business buyers.”
Fault remediation and recalls ahead
Perhaps not surprisingly, half of all security budgets for IoT through 2020 are expected to be allocated to fault remediation, recalls and safety failures, rather than to protection. According to Gartner, risks related to the introduction of IoT as part of projects or initiatives are substantially impacted by the unintended consequences presented when “pervasive digital presence” is introduced.
“The requirement to update devices periodically, as is done with mobile phones and other remote systems, is multiplied by numerous factors and the inability to perform those updates can result in massive product recalls,” Gartner analysts state.
“For industrial environments, scale and diversity may not be as significant, but the need to preserve safety for individuals, the environment and the rich regulatory regime that controls safety systems will ensure that the rapid expansion of use of IoT in those systems will result in regulatory impacts for securing those systems.”
A comprehensive IoT security solution
When it comes to IoT, there is no shortage of threats and available malware strains, designed to infiltrate devices and sometimes recruit them into botnets for subsequent mobilized attacks.
As such, there’s a significant need for comprehensive IoT security solutions (running from device to cloud) that do not disrupt a device maker’s profitability or time to market, but do offer protection for users connected to private and enterprise networks. In other words, it’s about allowing entry through the door to authorized data and users, but not to hackers.
A practical, simple, and secure solution that can be easily and widely adopted by original equipment manufacturers (OEMs) and services is more effective than a ‘super solution’ that fails to gain serious traction. Therefore, IoT security solutions should include the following capabilities:
- Secure boot technologies, which utilize cryptographic code-signing techniques and ensure that a device only executes code generated by the device OEM or another trusted party. Use of secure boot technology prevents hackers from replacing firmware with malicious versions, thereby preventing attacks.
- Mutual authentication, to ensure that every connection from a smart home device to a network is authenticated prior to the receipt or transmission of data. This provides some security by making sure that any data originates from a legitimate device and not a fraudulent source. Cryptographic algorithms involving symmetric keys or asymmetric keys can be utilized for two-way authentication. For example, the Secure Hash Algorithm (SHA-x) can be used for symmetric keys and the Elliptic Curve Digital Signature Algorithm (ECDSA) for asymmetric keys.
- Secure communication encryption, which protects data in transit between a device and its service infrastructure (typically, in the cloud), by preventing external actors from accessing transmitted data. For example, a smart thermostat that sends usage data to the service operator must be able to protect information from ‘digital eavesdropping’.
- Security monitoring and analysis, which captures data on the overall state of the system, including endpoint devices and connectivity traffic. By analyzing this data, it’s possible to detect security violations or potential system threats and, once detected, action any one of a broad range of security protocols, such as quarantining devices, based on anomalous behavior.
- Security lifecycle management, which allows service providers and OEMs to control the security aspects of IoT devices when in operation. Rapid over-the-air (OTA) device key replacement during cyber disaster recovery ensures minimal service disruption. In addition, secure device decommissioning ensures that scrapped devices will not be repurposed and exploited to connect to a service without authorization.
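The mutual authentication capability above (symmetric-key case) as an added example, not code from the article or from Rambus: a three-message challenge-response between a device and its cloud service using HMAC-SHA256, a keyed construction over the SHA-256 hash the text refers to. Both sides prove knowledge of the shared per-device key, each proof is bound to both nonces and to a role label, and the final function shows why a proof captured from one session fails in the next. The device identifier and keys are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample identity; a real device would use its provisioned ID.
DEVICE_ID = b"thermostat-0042"

def tag(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so no field can bleed into its neighbour."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        mac.update(len(f).to_bytes(2, "big"))
        mac.update(f)
    return mac.digest()

def cloud_challenge(cloud_key: bytes, device_nonce: bytes):
    """Cloud side, message 2: a fresh nonce plus proof that the cloud knows the device's key."""
    cloud_nonce = secrets.token_bytes(16)
    return cloud_nonce, tag(cloud_key, b"cloud", DEVICE_ID, device_nonce, cloud_nonce)

def device_response(device_key, device_nonce, cloud_nonce, cloud_proof):
    """Device side, message 3: accept the cloud only if its proof verifies, then answer."""
    expected = tag(device_key, b"cloud", DEVICE_ID, device_nonce, cloud_nonce)
    if not hmac.compare_digest(expected, cloud_proof):
        return None  # cloud failed to prove key knowledge; device sends nothing
    # Role label "device" and swapped nonce order stop the cloud's proof being reflected back.
    return tag(device_key, b"device", DEVICE_ID, cloud_nonce, device_nonce)

def cloud_verify(cloud_key, device_nonce, cloud_nonce, device_proof):
    """Cloud side: the device is authenticated only if its proof matches."""
    expected = tag(cloud_key, b"device", DEVICE_ID, cloud_nonce, device_nonce)
    return device_proof is not None and hmac.compare_digest(expected, device_proof)

def run_handshake(device_key: bytes, cloud_key: bytes) -> bool:
    """Drive the three messages; True only if both sides accepted each other."""
    device_nonce = secrets.token_bytes(16)                                  # msg 1: device -> cloud
    cloud_nonce, cloud_proof = cloud_challenge(cloud_key, device_nonce)      # msg 2: cloud -> device
    device_proof = device_response(device_key, device_nonce, cloud_nonce, cloud_proof)  # msg 3
    return cloud_verify(cloud_key, device_nonce, cloud_nonce, device_proof)

def replay_is_rejected(key: bytes) -> bool:
    """A device proof captured in one session must not pass in a later session."""
    n_d = secrets.token_bytes(16)
    n_c, proof_c = cloud_challenge(key, n_d)
    old_proof = device_response(key, n_d, n_c, proof_c)
    n_c2, _ = cloud_challenge(key, n_d)  # new session: cloud issues a fresh nonce
    return not cloud_verify(key, n_d, n_c2, old_proof)
```

The key the cloud looks up for `DEVICE_ID` must equal the key provisioned into the device; a mismatch stops the exchange at message 2, before the device reveals anything.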
Security: A primary design goal
By viewing security as a primary design goal, rather than an afterthought, it’s possible to offer protection that prevents data theft, without causing disruption to the over-the-air (OTA) update communications required for the normal functioning of the device.
Crucially, OEMs must begin to view the security of smart home devices not as an insurmountable hurdle, but as a positive feature of their products, one that improves profitability without impacting time to market.
With turnkey security solutions that can be easily implemented, maintained and upgraded to meet the evolving challenges of a dynamic threat landscape, the IoT will finally be able to realize its full potential and provide even more benefits for personal, business and industrial applications.
Coming soon: Our IoT Build events, taking place in London in November 2017 and San Francisco in March 2018 are a great opportunity for attendees to explore the platforms, architectures, applications and connectivity that comprise the IoT ecosystem.