
THE SECURITY OF THINGS

An 11-year-old boy, his teddy bear and a room full of security experts – what’s the connection? In a live demonstration at a cyber security forum in The Hague recently, a 6th grader from Texas used cloud WiFi and the Bluetooth functionality of his teddy bear to receive and transmit messages between audience members and his teddy bear, stunning audience members who were unaware they were being hacked. It was a demonstration of the power and potential peril of the Internet of Things.

The ability to connect, communicate with and remotely manage networked and automated devices over the internet is accelerating at an alarming pace. We are reliant on intelligent devices interconnected through the internet: the Internet of all Things (IoT). We are now able to operate our household appliances, our heating or our lights with a smartphone. Even the fridge can be of service, telling us to reorder our food. With this increased connectivity, there may be opportunities for unauthorised access. So with our washing machines, coffee machines, thermostats, and even children’s toys connected to the internet, should we be worried about the Security of Things?

THE MOTIVATED HACKER

Many probably don’t know about the actual state of security in IoT devices. At the time of writing, a major cyber-security attack, referred to as the Petya ransomware attacks, had hit several Australian businesses, including legal firms, courier companies, and even Cadbury. News media said it had started in Russia and the Ukraine, and then spread to other countries. The ransomware hackers seized computer systems and demanded payment in Bitcoin for their release.

Hacking is not just the domain of bored teenagers or small groups of motivated hackers. When the stakes are high enough, cyber-attacks become multi-phased, multi-year efforts carried out by large, well-funded teams of hackers or even nation states. The motivated hacker could cause more damage with IoT devices, for example by taking over medical x-ray systems or the controls of a motor vehicle.

DATA CONFIDENTIALITY

Protection of data has been an issue since the first computers were connected to each other. With IoT, security concerns expanded to cover personal privacy, financial transactions, and cyber theft. Whether accidental or malicious, interference with the controls of a pacemaker, a car, or a nuclear reactor poses a threat to human life. Security controls have evolved in parallel to network evolution, from the first packet-filtering firewalls in the late 1980s to more sophisticated protocol- and application-aware firewalls, intrusion detection and prevention systems (IDS/IPS), and security incident and event management (SIEM) solutions.

These controls attempted to keep malicious activity off corporate networks and to detect it if it gained access. If malware breached a firewall, antivirus techniques, based on signature matching and blacklisting, would kick in to identify and remedy the problem. Later, as the universe of malware expanded, methods for avoiding detection advanced.

As more devices started coming onto corporate networks, various access control systems were developed to authenticate both the devices and the users sitting behind them.

Concerns over the authenticity of software and the protection of intellectual property gave rise to various software verification and confirmation techniques, often referred to as trusted or measured boot. The confidentiality of data has always been a primary concern. Controls such as Virtual Private Networks (VPN) or physical media encryption, such as 802.11i (WPA2) or 802.1AE (MACsec), have been developed to ensure the security of data in motion. But applying these in the IoT world requires reengineering to address device constraints. With so much potential for a breach, putting safety first is a must, as there is no room for lax IoT security.

SECURITY OF “THINGS” – SECURITY DEVICE CYCLE

The variety of IoT applications poses an equally wide variety of security challenges. Security must be addressed throughout the device lifecycle, from the initial design to the operational environment. Here is the Security Device Cycle:

Secure Booting

When power is first introduced to the device, the authenticity and integrity of the software on the device is verified using cryptographically generated digital signatures. The foundation of trust has been established, but the device still needs protection from various run-time threats and malicious intentions.

Access Control

Different forms of resource and access control are applied. Mandatory role-based access controls built into the operating system limit the privileges of device components and applications, so they access only the resources they need to do their jobs. If any component is compromised, access control ensures that the intruder has as little access to other parts of the system as possible.

Device Authentication

When the device is plugged into the network, it should authenticate itself before receiving or transmitting data. Deeply embedded devices often do not have users sitting behind keyboards, waiting to input the information required to access the network. Just as user authentication allows a user to access a corporate network based on a username and password, machine authentication allows a device to access a network based on a similar set of credentials stored in a secure storage area.
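One way machine authentication can work without a user at a keyboard is a challenge-response exchange. The Go sketch below is an added example, not code from the original article; the Gateway type, the device ID and the shared secret are hypothetical, and a plain byte slice stands in for the device's secure storage area.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Gateway is a hypothetical network-side verifier (an assumption for this example).
type Gateway struct {
	keys    map[string][]byte // device ID -> provisioned shared secret
	pending map[string][]byte // device ID -> outstanding one-time challenge
}

// Challenge issues a fresh random nonce that the device must answer.
func (g *Gateway) Challenge(id string) []byte {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	g.pending[id] = nonce
	return nonce
}

// Respond is the device side: the secret never crosses the network,
// only an HMAC-SHA256 over deviceID || nonce (the nonce has a fixed length).
func Respond(key []byte, id string, nonce []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(append([]byte(id), nonce...))
	return mac.Sum(nil)
}

// Admit checks the response in constant time and consumes the challenge,
// so a captured response cannot be replayed later.
func (g *Gateway) Admit(id string, resp []byte) bool {
	nonce, issued := g.pending[id]
	key, known := g.keys[id]
	delete(g.pending, id)
	if !issued || !known {
		return false
	}
	return hmac.Equal(resp, Respond(key, id, nonce))
}

func main() {
	key := []byte("constructed-demo-device-secret") // constructed sample credential
	g := &Gateway{keys: map[string][]byte{"sensor-01": key}, pending: map[string][]byte{}}
	resp := Respond(key, "sensor-01", g.Challenge("sensor-01"))
	fmt.Println(g.Admit("sensor-01", resp), g.Admit("sensor-01", resp)) // true false
}
```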

Firewalling and IPS

The device needs a firewall or deep packet inspection capability to control traffic that is to terminate at the device. Deeply embedded devices have different protocols, distinct from enterprise IT protocols. The “smart energy grid” has its own set of protocols governing how devices talk to each other. This is why protocol filtering and deep packet inspection capabilities are needed to identify malicious payloads hiding in non-IT protocols.

Updates and Patches

Once the device is in operation, it will start receiving hot patches and software updates. Operators need to roll out patches, and devices need to authenticate them. Software updates and security patches are to be delivered in a way that conserves the limited bandwidth and accommodates the intermittent connectivity of an embedded device, and eliminates the possibility of compromising functional safety.
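The signature check described under Secure Booting and the patch authentication described here come down to the same device-side routine: verify the signature before trusting the image. The Go sketch below is an added example, not code from the original article; the Manifest layout and the choice of Ed25519 are assumptions, and the check that the version is newer than the installed one goes slightly beyond what the text describes.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is a hypothetical signed update descriptor, not a real vendor format.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte // SHA-256 of the firmware image
	Signature []byte   // Ed25519 signature over Version || ImageHash
}

// signedBytes returns the exact byte string the signature covers.
func (m Manifest) signedBytes() []byte {
	v := m.Version
	buf := []byte{byte(v >> 24), byte(v >> 16), byte(v >> 8), byte(v)}
	return append(buf, m.ImageHash[:]...)
}

// SignManifest runs on the operator's build server, which holds the private key.
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	m.Signature = ed25519.Sign(priv, m.signedBytes())
	return m
}

// VerifyUpdate runs on the device, which holds only the public key.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, image []byte) error {
	if !ed25519.Verify(pub, m.signedBytes(), m.Signature) {
		return errors.New("manifest signature invalid")
	}
	if sum := sha256.Sum256(image); !bytes.Equal(sum[:], m.ImageHash[:]) {
		return errors.New("image does not match signed hash")
	}
	if m.Version <= installed {
		return errors.New("version is not newer than installed firmware")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	image := []byte("constructed firmware image v2")
	m := SignManifest(priv, 2, image)
	fmt.Println(VerifyUpdate(pub, 1, m, image), VerifyUpdate(pub, 1, m, append(image, 0)))
}
```

Because the signature covers the version and the image hash together, changing either one after signing makes verification fail before any image byte is trusted.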

THE SECURITY OF INTERNET OF ALL THINGS (IoT)

Security is paramount for the safe and reliable operation of IoT devices. The security and privacy of IoT-enabled devices is a favourite topic amongst connected car manufacturers, smart-home developers and makers of connected wearables. Network firewalls and protocols can manage the high-level traffic travelling through the Internet, but how do we protect deeply embedded endpoint devices that usually have a particular defined mission with limited resources available to accomplish it? Perhaps the answer is to compress twenty-five years of security evolution into the tight time-frame in which next-gen devices can be delivered to market. But there is no silver bullet that can mitigate every possible cyber threat, as Reuben Paul, the 11-year-old from Texas, and his teddy bear demonstrated. Even things we think benign in the home can be weaponised or used to do harm in the wrong hands. The IT security controls of the last twenty-five years can be effective for IoT, provided that we can adapt them to the unique constraints of the embedded devices that will increasingly comprise networks of the future. It is a serious challenge, one that was the stuff of science fiction only a few decades ago but is now part of the reality of the world we live in.

 

By Nathan Lowe.