Security and the Internet of Things (IoT)
by Matt James
Simply put, IoT devices are everyday peripherals with embedded electronics that can connect to and exchange data with other devices, computers, and networks. The possibilities are extensive, and they generally provide more benefit than detriment.
So what is all the commotion? There are several culprits.
Market Drives Production, not Security
In a competitive marketplace, manufacturers are on the hook for getting the next great device into the hands of consumers. Oftentimes, this is at the expense of quality assurance testing, and most assuredly, proper security evaluations.
Surprising to many, this is a problem not just for IoT, but for technology in general. Businesses often rush to get new capabilities deployed at the expense of proper system testing and evaluation. The quality of the project is held to a higher standard than the protections needed to guard consumers from unauthorized modification or access by malicious attackers.
Case Study – Onboard Computer Systems for Automobile Vehicles
A Controller Area Network (CAN bus) is a vehicle bus standard that allows microcontrollers and devices to communicate with each other in applications without a host computer.
CAN does not inherently support security features such as encryption, which leaves traffic on the bus vulnerable to interception. Most of the time, the expectation is that applications use their own security mechanisms. While passwords exist for some critical functions, such as modifying firmware, implementation of these protection mechanisms is rare.
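As an added illustration (not from the original article), here is one way an application can supply its own protection on top of CAN: a truncated HMAC plus a freshness counter packed into the 8-byte payload of a classic CAN frame. The payload layout, key, CAN IDs and function names are assumptions made for this sketch, and it provides authenticity and replay rejection only, not confidentiality.

```python
import hashlib
import hmac
import struct

KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key
MAC_LEN = 4   # truncated tag so everything fits in 8 payload bytes
DATA_LEN = 2  # assumed layout: data(2) | counter(2) | mac(4)

def _tag(key, can_id, counter, data):
    # Bind the tag to the CAN ID and counter, not just the data.
    msg = struct.pack(">IH", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

def build_payload(key, can_id, counter, data):
    """Sender side: return the 8-byte authenticated payload."""
    if len(data) != DATA_LEN:
        raise ValueError("data must be exactly 2 bytes")
    return data + struct.pack(">H", counter) + _tag(key, can_id, counter, data)

class Receiver:
    def __init__(self, key):
        self.key = key
        self.last = {}  # can_id -> highest counter accepted so far

    def accept(self, can_id, payload):
        """Return the data bytes if authentic and fresh, else None."""
        if len(payload) != DATA_LEN + 2 + MAC_LEN:
            return None
        data = payload[:DATA_LEN]
        (counter,) = struct.unpack(">H", payload[DATA_LEN:DATA_LEN + 2])
        expected = _tag(self.key, can_id, counter, data)
        if not hmac.compare_digest(expected, payload[-MAC_LEN:]):
            return None  # forged, modified, or sent under another ID
        if counter <= self.last.get(can_id, -1):
            return None  # replay of an old frame
        self.last[can_id] = counter  # 16-bit counter: rekey before it wraps
        return data

def demo():
    rx = Receiver(KEY)
    frame = build_payload(KEY, 0x1A0, 1, b"\x00\x64")  # constructed sample frame
    return {
        "genuine": rx.accept(0x1A0, frame),
        "replayed": rx.accept(0x1A0, frame),
        "tampered": rx.accept(0x1A0, b"\x00\xff" + frame[2:]),
        "wrong_id": rx.accept(0x2B0, build_payload(KEY, 0x1A0, 2, b"\x00\x64")),
    }

if __name__ == "__main__":
    print(demo())
```

A 4-byte tag is a size trade-off forced by the 8-byte payload; buses with larger frames can carry a longer one.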
Fixing the Problem
There are some basic steps you can take to protect yourself, but more pressure needs to be applied to manufacturers and developers. Everything from home thermostat devices to your wrist-borne fitness guru falls under the umbrella of IoT. How might this look?
- Standards development that will allow manufacturers and developers to follow repeatable secure processes.
- Implementation of test and evaluation procedures that assess products against the aforementioned standards. Organizations such as OWASP have started this process, but it needs to be widely accepted and followed.
- Certification is a crucial final step, with baselines and testing completed for verification.
This first appeared in The Havok Journal November 7, 2019.
Matt James (CISSP, CPT, CEH, CNDA, Security+) has more than 15 years of experience in cyber security and information technology. He has led and performed numerous red-team activities against public and private sector entities, to include major Fortune 500 corporations and federal agencies. Medically retired from the Army after injuries sustained during combat operations, Matt resides in the Washington, D.C. area where he manages a cyber red team for a major telecommunication corporation.