The Internet of Things makes a lot of promises.
Smarter houses that light up when you return home and adjust the temperature before you can even say, “I’m cold.” Autonomous vehicles that get you from point A to B while you catch up on today’s headlines. Medical devices that can speak to your doctor in real time and help fill an information deficit around chronic diseases.
The IoT and its developers are already hard at work trying to fulfill the promises they’ve made about making the world a smarter, more efficient and automated place. But the arguably more important promises--the ones they rarely, if ever, make--are always around security.
Wendy’s wants to know, “where’s the beef?” We’re asking the IoT space, “where’s the security?!”
Security, or the lack thereof, in IoT is confounding for many observers of the space.
On the one hand, IoT developers know just how important security is to winning market share both today and, especially, in the future.
Indeed, the unfortunate reality remains that today’s buyers have a cost-conscious mentality. When given the choice between a secured product and a lower-cost option, the latter almost always prevails. And this is despite well-known and documented security failures in the space, such as these three important examples:
- Attackers stole a casino’s high-roller database through a thermometer in a lobby fish tank. The internet connection in the thermometer was supposed to make it easy for casino staff to remotely monitor the temperature of the water, and activate the appropriate heating systems based on that information. Instead, it served as a new access point for nefarious actors, expanding the attack surface and exposing the casino’s network. Attackers used the thermometer to gain a foothold into the network and once they identified the high-roller database, were able to pull that information off the system, through the IoT device and up onto the cloud.
- Medical device manufacturer Abbott recalled some 350,000 implanted defibrillators to protect them against cyberattacks. The implanted devices are often used in collaboration with pacemakers to automatically resuscitate a patient when their heart begins to fail. Their internet connectivity is supposed to make it easy for doctors to adjust the device without requiring an invasive procedure such as surgery. A firmware update that takes but three minutes to install is all that was needed to prevent an attacker from gaining unauthorized access to the device and using it as a killswitch in their target.
- Cyber experts have warned airlines that their planes, while in flight, can be hacked and diverted, from the ground. While airplanes aren’t necessarily IoT devices in and of themselves, they are jam-packed with them. These sensors, gauges and other devices are connected to the internet through satellite communications and help guide the plane and connect it to ground control. These same devices act as access points to the rest of the aircrafts equipment and controls, and allowed researchers to prove how bad actors can take command of an airplane and divert it off course.
As if these examples aren’t enough, I recently came across the perfect example of a buyer prioritizing costs over security when a major university buyer and I were having a discussion about a recent purchase they made for security cameras that would be installed throughout the campus.
While discussing how they went about choosing a vendor and model security camera, the buyer for this public university couldn’t help but boast about how they had saved the school--and by extension, the taxpayer--some $100,000 by purchasing a product with the same functionality and reliability as competitor models, but that came in at a 20 percent lower price point.
As far as frugality is concerned, this is a purchase worth boasting about.
But once security is brought back into the picture, we have reason to pause and reconsider the wisdom of the purchase.
As I mentioned to this buyer, while they might have saved local taxpayers a nice chunk of change, they’ve also created a potentially greater liability for the university in the form of cyberattacks--specifically of the ransomware variety.
I reminded this buyer of the 2016 Dyn attack that shut down large swaths of the internet across the United States by compromising the same types of security cameras they had just purchased. All of a sudden, that $100,000 doesn’t look so much like a savings as it does a risk, or a bet.
A bet that, at a lower price point, these security cameras won’t turn into security vulnerabilities.
Coming Soon: IoT Security Solutions
Unfortunately, even when pricing isn’t an issue, and the demand for secure products exists, it can still be pretty difficult to actually go and build a secure IoT device. This is primarily due to a lack of ownership of security design in vendors’ organizations.
Typically, those responsible for the hardware design will look at the issue of security and claim it’s a problem that the software team must solve. “After all,” they say, “security has historically been implemented in software.”
While it may be true that experts recommend embedded devices be secured through software, this idea of security is inherently flawed. That’s because the overwhelming majority of network-based cyberattacks are launched through vulnerabilities in applications and operating system software.
And, if we know one thing about software it’s that, on average, every piece of software contains about 15 bugs per 1,000 lines of code. According to the FBI, about two percent of these bugs can actually be turned into exploitable vulnerabilities.
So it’s not just that hardware teams across the planet are pointing their fingers at software teams when it comes to the question of “Who’s responsible for security?” It’s that even if it were the software team’s responsibility, then that responsibility lies with a team whose solutions will always be inherently flawed.
Because fixing a security problem that’s caused by software, with software, is like trying to bail out a sinking ship with a sieve.
Luckily, there’s cause to believe that IoT vendors are ready to ditch the sieve for a bucket. Here are three reasons I believe the IoT security landscape is about to change … and dramatically so:
- Changes in Buyer Attitudes: While vendors continue to be cost-conscious, buyers are now willing to pay for security solutions. Forward thinking vendors such as NXP are realizing this and investing in hardware security technologies for their embedded MCUs because they know their customers are willing to pay for it. I’ve heard customers say that they are willing to pay double--sometimes four-times more--for a product that has proven and reliable hardware security solutions. I expect you’ll be seeing many more announcements like the recent one from NXP regarding their plan for integrating Dover’s CoreGuard™ to provide an unprecedented level of hardware security for their users. Developers who don’t secure their hardware are surely going to fall behind vendors like NXP, who have committed to securing their IoT products.
- Approaching Federal Regulations: When buying new electronics, do you worry that it will damage your home’s electrical system when you plug it in--or do you assume it’s safe to use? Of course, consumers expect the manufacturer to have certified their product to work reliably when plugged in. The same expectation should hold true for customers adopting IoT devices. And fortunately, despite the current political climate in the US, four senators have reached across the aisle to work in a bipartisan manner to implement security legislation for the IoT. The IoT Cybersecurity Improvement Act of 2017 would require that IoT devices purchased by the U.S. government meet certain minimum security requirements. This bill will surely be adopted by states, cities, counties and municipalities all across the country and should result in a safer IoT ecosystem for everyone. And for developers of the IoT? If they wish to sell their products in significant markets like federal, state and municipal governments, then they better start designing with security in mind now, not later.
- Growing Availability of Security IP: One reason security is often kicked to the curb during design is because vendors often lack the expertise, budget, manpower, and time to build security features from scratch, and then implement them into their processors. In fact, in most circumstances, barriers like the ones just described mean security requirements never even make it into the SOC or ASIC design spec to begin with. Luckily, these needs have been recognized by the industry and now a number of organizations are offering security solutions in the form of IP that vendors can easily take advantage of and incorporate into their products.
Solving The IoT Security Problem Requires a Solution Built in Software & Hardware
Even though there’s no way around the inherent flaws of software, it nonetheless plays a critical role in the future of securing IoT devices. But the piece of the puzzle that continues to be missed by the large majority of vendors lies in hardware.
Hardware, unlike software, cannot be easily manipulated remotely. If IoT developers use this to their advantage--for example, using hardware to act as checks and balances on the security functions of the software--then building a secure device becomes more possible.
While we’ll touch on how vendors can go about securing their embedded processors in a future post, you can learn more today about advances in this space by reading up on CoreGuard, here.
Learn more about CoreGuard and how it can help secure IoT devices, today.