As more and more devices become connected, many industries that were previously secure are experiencing new threats or attacks to their devices and services.
In this podcast recorded at Black Hat USA 2018, Mark Hearn, Strategic Business Development Manager, IoT Security at Irdeto, talks about how IoT connectivity opens you up to new cybersecurity risks, and offers insight on how to protect IoT platforms.
Here’s a transcript of the podcast for your convenience.
Good afternoon. It’s Mark Hearn here from Irdeto. I’m currently the strategic business development manager for our initiatives into IoT markets, in particular looking at the security use cases related to industrial manufacturing, smart buildings, smart cities, etc. What are the challenges that companies that are getting into IoT are being faced with as they now increase their connectivity and take advantage of newer technologies. So, the topic of my podcast today will be on thinking like a hacker. How do we change the way in which we view the security requirements in a given product release.
One of the things that Irdeto has noticed is that many companies tend to look at security as something that’s an add-on to their development, or they view it as a set of specifications that they want to try and comply to, often thinking about these things after a release has been planned out or architected. Counter to that, what we are strongly starting to recommend to our customers and to others is the idea that you think about the security requirements as a part of the overall business planning. What are the risks that you need to worry about and how do you define those risks in the context of the business context. The easiest way to start is to think about your adversary. Most hackers these days, aside from maybe nation state type of attacks, but most attackers are looking to make profit. So, if you think about hackers not as, you know the boy in a hoodie in a basement, but rather think about them as a legitimate competitor to your business. You take a look at it and say “Okaym where am I vulnerable?”
If we think about the quote from Bruce Schneier a year or so ago after the Mirai botnet attacks, it’s about thinking of a business as a computer that keeps something cold instead of a refrigerator. Or think about a computer that’s driving you down the road, instead of a car. Bring back to that idea that it is a computer, and that is what a hacker will utilize. Identify the security requirements in terms of what they’re trying to get access to, and how would they possibly go about it.
Let’s think of it in the context of your neighborhood. You have a home and you want to keep a burglar out. So, you go to your local hardware store and you purchase a nice strong lock. The developer of that lock would have chosen the best of metal materials, they would have made sure the tumblers all line up, and in their view that lock is going to keep you safe. If you think about it from a higher level, well that guy is just going to go around the lock. So, let’s reinforce the door. OK, now the burglar can’t get in through that door because it’s been steel reinforced. But the window is open. We need to be thinking about things from that overall ecosystem. A hacker would drive down the street and he wouldn’t even bother with a door that’s nice and strong. He’s looking for the shed that probably has a ladder in it and the ladder gets him to the second floor, because most people don’t think to secure their second floor windows.
This is an example of going through the process and doing a threat risk assessment to understand how is the burglar in this case wanting to get into the house. In your case, how is a hacker trying to get into your business and make money off of your hard work. Working through a threat risk assessment allows you to identify a set of potential attacks that you can then work into your product release, one release after another, and develop an ongoing security strategy that is continually evolving, continually updating based upon your business, what you’re trying to gain, and what the potential attacks might actually look like.
So, if we take a step back from this and say “Okay, what are those security requirements?” Let’s think about this in terms of the different technologies that you would need to put into place. A key aspect will be to understand well how are they going to gain access, what types of communication protocols do you need to have protected, what are the different threats to the end device, are there passwords in place that are well protected, are you using the right levels of encryption to be able to communicate back up to the cloud? And the most importantly, most often overlooked, is what are you doing to prevent reverse engineering on that end device.
It’s funny how many security products are actually available on the market, and yet the actual code sits on the device completely readable as a book for a hacker who would be able to put on some type of debugger tool, and actually reverse engineer and follow the code. They simply look for where the encryption key is. They wait for it to be successfully passed, and then that’s where they hack in and gain access to the end device.
So, products such as what Irdeto and our Cloakware technology will do, is actually make that technology very difficult for someone to reverse engineer. You take some more advanced obfuscation techniques that are based upon code transformations that make it very difficult to follow the flow of the code. You use and to debug technologies that would try and get a sense of a hacker is stopping the flow of a program, and trying to break point their way through, and figure out the code. Code signing technologies that are able to determine whether or not the code has been tampered or modified in any way.
These are the types of technologies that over time make it very difficult for a hacker to break in, and essentially what you’re trying to do is take an attack that maybe would have been one hour, and it now takes them a day instead of it taking him a week, now it takes him a month. You’re constantly trying to raise that bar, make it more difficult for them, and essentially going back to my comment about thinking as a competitor, what you want is to increase their cost and reduce their profit, so that their business model doesn’t work and they move onto to another device.
In this way, what you’re doing is you’re thinking about it from a proper business risk perspective, rather than worrying about where a security flaw may have a scary impact to your business. You’re bringing it back to more business fundamentals with a risk mitigation strategy, looking at the security requirements that are involved.
Please check us out at www.irdeto.com/IoT and understand how we can help you understand your security requirements better, what are the threats to your business, and what are the technologies available to you today, to help make your business more profitable.