In this interview for Help Net Security, Jason Oberg, CTO at Cycuity, talks about IoT device cybersecurity, from production to usage, and how far we have come in securing these devices.
IoT has been part of our reality for quite some time, but what about the security of these devices? Is it becoming a priority?
We’ve seen the concern and prioritization of IoT security growing; this is due both to the growing popularity of these devices and the push we are seeing from the public sector to strengthen America’s cybersecurity. Most recently, the White House announced an initiative to develop labels for IoT devices so that consumers can easily recognize which devices meet the highest cybersecurity standards.
We’ve also heard a lot of talk on the importance of a software bill of materials, or SBOMs. While we’ve seen a push for securing the software of these products, the hardware security still remains a vulnerable factor that will need to be prioritized sooner rather than later, because software is only as secure as the hardware it runs on. As software continues to be set as a priority and the security strengthened, threat actors will work to find openings elsewhere, and their opening will be the gaps that lie within the hardware.
Where does security fit in the product manufacturing process?
As with any product development, fast time to market is critical. In the present day, many organizations are heavily understaffed but still have very aggressive schedules. While security continues to become a high priority for most organizations, the ability to execute a good security program while shipping a product on time with limited resources makes meeting security a challenge.
The conventional approach to security is to perform some added analysis at the end, just before the product ships. Today, this approach rarely works since getting the product out the door almost always takes priority. That said, we see a shift to making security a key component of the entire development process so that the approach is systematic, predictable, and scalable with the usual development schedule. This enables teams to plan for security more effectively without compromising their product release goals. This approach is particularly effective for hardware, which often cannot be patched in the field. So getting it right the first time is really important, both for product functionality and for security.
What about security after the devices have been deployed?
Due to the simplicity of many IoT devices, remote updates to patch security issues can be a challenge. This is further complicated if the security issues are in either silicon, boot ROM, or microcode, and cannot be updated remotely or updated at all. Since security issues will always come up, security resilience is important to ensure that any exploit can be resolved with minimal cost.
There is no perfect equation to manage this, but being systematic in a security program can help ensure the overall security cost is minimal. This includes understanding the threat model and the security requirements for the product, to trade off the impact of an exploit in the field and the probability of an attacker succeeding. Building in the ability to update features that have a high impact on security, and have a high probability of exploitation, should be a core focus.
What’s making IoT attractive to cybercriminals?
While IoT devices tend to be very simple from an electronics perspective, the systems they are connected to have very high consequences. This makes them a logical and viable entry point for an attacker to compromise data on the network they are connected to. These compromises can violate consumer privacy or cause disruption to the integrity of critical infrastructure.
In addition, IoT devices often can be physically accessed by the attacker, which opens up attack vectors that otherwise would not be possible only over the internet. The attacker can probe pins of chips for side-channel attacks, attempt to read out memory contents to reverse engineer boot code, inject their own malware directly into the chip, and so on. All of these attack vectors can be leveraged to compromise highly valuable data on the networks they are connected to.
How do you see IoT evolving in the future, particularly security-wise?
I think the IoT security market will evolve in a couple of ways. First, a lot more security features will be built into hardware to provide a baseline of security functionality across the IoT market. Enabling security features such as secure boot and remote attestation will help eliminate a lot of easy attack vectors.
Second, there will be more adoption of holistic and systematic approaches to security that ensure security requirements are properly implemented and verified throughout the development process. This will enable IoT device developers to ensure that they have the appropriate security features built and that those features are working properly, and doing both in a way that enables them to meet their time-to-market goals without compromising security.