Securing the Internet of Things
This article is from the CW Journal archive.
An important attribute for enabling trust and data integrity is security and some of the biggest barriers to successfully protecting IoT can be overcome with common frameworks. Security breaches are no strangers to the connected world – probably the most well-known example is the breach on internet infrastructure provider Dyn using the Mirai botnet to launch a distributed denial of service (DDoS) attack. The attackers targeted IoT devices using default usernames and passwords and programmed them to flood the Dyn website with traffic, knocking many of its high profile customers offline. In another attack, a hacker compromised an environmental sensor in a US casino’s aquarium to gain access to the main IT infrastructure and stole the details of wealthy ‘high-roller’ customers.
|
Interested in our Security Special Interest Group? |
If IoT is going to reach a predicted one trillion connected devices by 2035, security must be central. There are similarities with product safety and quality challenges which can be solved by applying the correct processes and technologies – there is no point in having the best encryption money can buy if default passwords are used.
In 2017, the Department for Digital, Culture, Media and Sport (DCMS) set up the Secure by Design working group, bringing together security experts with people from tech companies and retail businesses. In October this year, DCMS published its Code of Practice for Consumer IoT Security, a set of 13 high-level guidelines (www.x.co/secureiot). These range from the obvious replacing default passwords, through vulnerability disclosure policies and keeping software updated, to validating input data.
Publishing this guide is an important step and the DCMS is considering introducing regulation to ensure IoT products and services meet a minimum standard to ensure all players share the cost burden of safety measures.
Two years earlier, the IoT Security Foundation (www.iotsecurityfoundation.org) was set up to avoid ill-considered regulation stifling the industry. Under the auspices of the National Microelectronics Institute (renamed TechWorks), industry players came together to devise a common industry framework for IoT security.
It has three main elements:
Firstly, it is a comprehensive set of requirements for a low-cost, accessible and readily-actionable system of self and third-party certifications to improve security in IoT products. The frame-work is intended to be a template which can be used by a company new to IoT to augment its quality assurance processes to include security. It includes a set of questions a company needs to ask when specifying, developing, making and marketing IoT products. It also covers suppliers, so is recursive in helping to build a trusted supply chain.
Second, a set of simple-to-use Best Practice Guides have been produced to guide everyday operations and reviews.
Finally, there is a test and compliance element – the IoTSF aims to operate a trustmark scheme for companies that follow its guidelines.
With such a wide spectrum of vulnerabilities and numerous security countermeasures, it can be difficult to understand the multidimensional security requirements for specific applications. To help demystify security design, Arm has devised its Platform Security Architecture (PSA), a framework for achieving layered security for connected devices. PSA was created for the IoT industry to offer a constantly-evolving framework based on a set of key principles and best practices, plus an holistic set of deliverables. The free initiative aims to make security simpler and cost-effective, even if the user is not a security expert, and overcomes many of the barriers discussed.
PSA comprises three phases (analyse, architect and implement) which guide developers through the security design process. Three main issues should be addressed at the beginning of a design:
- The use case of the application
- The value of the data
- The threats a device may face
Security will be built-in from the ground up if careful analysis comes at the beginning of the design process. This concept is called Threat Modelling and results in a Threat Modelling and Security Analysis document (also known as Protection Profile) security designers should complete. Following this process, developers and manufacturers will have a set of security requirements that match the threats and associated risk to their assets, effectively defining how robust a device needs to be.
The process can be a daunting to the inexperienced and Arm has detailed three example threat models for IoT devices to show how some common vulnerabilities might affect applications.
This is just the first part of PSA and there is similar guidance and information throughout the other stages of the framework. Anyone who is interested in PSA, can download all the resources, including the threat models, at www.arm.com/psa-resources.
|
GET CW JOURNAL ARTICLES STRAIGHT TO YOUR INBOX Subscribe now |
Like safety, securing products and systems can rarely be achieved by single players. Even if a company does all it can in its own designs, it can all be destroyed if, for example, insecure third-party software is used. Though every effort may have been made to secure components and shield the product, hackers will start to probe for hidden vulnerabilities in popular devices.
The entire industry needs to take security seriously and apply the right processes, just as it has previously taken safety and product quality to heart.
Welcome to a world where small computers are attached to fast links, and hackers regularly break into every instance of an insecure system after a couple of hours of internet scanning…
IoT is often extended to security cameras, video recorders and xDSL/cable modems, devices which are permanently sending and receiving data over networks (typically the internet, often with megabit or gigabit links). Manufacturers aim to reduce costs, to be first to market, and to assemble as much as possible from standard (often free) components. What could possibly go wrong?
Well we’ve got a little list:
Devices ship with default login credentials
Services are unnecessarily exposed to the open internet. The Simple Service Discovery Protocol (SSDP) was designed to be accessed multicast on a LAN but is usually implemented as a default-on, internet-facing UDP service – a handy vector for amplifying DDoS attacks
Features that should be securely configured aren’t – xDSL modems routinely ship with TR-069 functionality to allow ISPs to reconfigure them – but hackers can change the settings, and flaws in update processing allows them to load malware onto the devices.
Poor code with buffer overflows allow hackers in and is often found in off-the-shelf libraries, so products from dozens of manufacturers are affected. This exploit isn’t very common today because access using default passwords is so easy – but look for more of this in the future.
Devices are hard to keep up to date – an IoT camera can’t pop up a window to alert you to a new version. Even when you know an update is needed, finding it on a manufacturer’s website can be a challenge and then warnings about the risk of ‘bricking’ your system can deter all but the most determined.
Things will get better as software design and development improves; but what we need is a more aggressive legal and regulatory regime to force manufacturers to improve.
Richard Clayton, Director of Cambridge Cloud Cybercrime Centre, University of Cambridge
Andrew Frame (ARM)
