Security for IoT Can’t Be an Afterthought

Earlier this week, in my presentation at CapArea.net on “Communicating with the Internet of Things,” one of the points I emphasized repeatedly was the necessity of thinking about security early and often. Any time you are responsible for creating a device that can communicate with the internet, whether that be a home automation gateway, a Wi-Fi-controlled light bulb, or an industrial control system designed for remote monitoring, you need to be sure you understand how that system can be attacked. As security MVP Troy Hunt likes to put it, you need to “hack yourself first.”

[Image. Photo credit: nwogen on freeimages.com]

The reason I bring this up is that I had an exchange today with Cuno Pfister of Oberon Microsystems, who today announced the Limmat platform, a gateway device that bridges Bluetooth LE and HTTP. Part of that exchange was about how they’re securing the device. As part of his response, Cuno pointed to this article, which describes a recently discovered flaw in BMW’s ConnectedDrive system that could potentially expose 2 million cars to remote unlocking or disabling.

Two MILLION cars. Try to wrap your head around that number for a moment. BMWs aren’t exactly cheap cars, either, and you’d think that they would take great care to ensure that the onboard telematics could not be hacked. But if the article is accurate (and I’m not an expert in auto system security, so I can only take the reporting at face value), it sure looks like they missed some major red flags in their implementation of the communication with the cloud.

So what’s an IoT developer to do? Start thinking about security as soon as you begin planning your product or system. Put on your black hat, and think through how someone would attack your system. Or if you’re not confident that you have the expertise to do so, hire someone who does.

Connected devices have great potential, but with that potential comes risk. And every new hack, vulnerability, or flat-out poorly designed product will make it that much harder for consumers and industry to put their trust in IoT. Attention to security early on in the product lifecycle is key to preventing this outcome.

Comments

Comment by Bertrand Le Roy on 2015-02-26 22:46:00 +0000

Also, the firmware should update itself automatically and securely. Ridiculously few connected devices do that properly today.

Comment by devhammer on 2015-02-26 22:54:00 +0000

I think you’re right, but I think that’s a hard problem to solve. In order for the device to be able to update its firmware automatically, it needs to be able to grab firmware from the internet, install it, and reboot.

So far, so good. But what happens when an attacker manages to spoof the firmware update location? That’s just one scenario I can think of where bad stuff could result from automatic updating.

The larger problem, of course, is that the average user simply isn’t technical enough to update the firmware on their Wi-Fi light bulb, nor should they need to be. Perhaps what’s needed is the IoT equivalent of Windows Update. While it’s not been without its own problems, I think it’s fair to argue that Windows Update has made a substantial improvement in the security of Windows machines.

Thanks for the comment!

Comment by Bertrand Le Roy on 2015-02-26 23:26:00 +0000

Clearly not easy, but absolutely necessary. We shouldn’t be willing to keep on our networks devices that run unpatched distributions of Linux with known vulnerabilities. Which is the case of pretty much every IoT thing on the market today.

Comment by devhammer on 2015-02-26 23:36:00 +0000

The sad thing is that that’s probably true of many, if not most, home routers as well. I’m far more technically savvy than the average consumer, and I couldn’t tell you right now if there was a firmware update available for my router, at least not without logging in and finding the right place in the admin UI to look it up.

Totally agree that it’s necessary (hence the blog post), but I’m not entirely sure how we get from where we are to where we need to be, given the users we have, and the clearly inadequate state of security motivation among product manufacturers.

As for willingness, I think the issue is less about willingness than it is about ignorance. If more folks understood that they’re in essence running a Linux server on their network, perhaps more people would care. But until they do, it may be hard to convince the manufacturers to do more.

Comment by Bertrand Le Roy on 2015-02-27 01:56:00 +0000

It will probably only happen after a year or two of disastrous fiascos, but I think the industry as a whole could come up with a standard, and accompanying certifications. Little labels on the boxes would help people make the right choice.

Comment by K. Brian Kelley on 2015-03-10 16:32:00 +0000

But it will be an afterthought until the lack of security becomes cost prohibitive to these companies.
