In early January, D-link, a manufacturer of home wireless routers and webcams, was sued by the Federal Trade Commission (FTC) for not taking the necessary steps to secure their products, leaving them open to attacks such as the recent botnet events that compromised hundreds of thousands of home and enterprise devices. This suit will hopefully serve as a wakeup call to Internet of Things (IoT) device manufacturers about the ramifications of building and deploying poorly secured systems.
It’s obvious to my colleagues and I that there’s an enormous knowledge gap in the vendor community around IoT device security. One of the most frightening aspects of IoT security is how IoT devices can be used to attack other devices and networks, as we experienced with the Mirai botnet. As a result, vendors are now being held accountable for attacks not only on their devices but also via their devices. Therefore, it’s critical that device vendors are educated about these possibilities so that, even if they believe their devices are unlikely to be attacked or are unworthy of attack (including a connected toothbrush manufacturer), they understand the reality is that a lack of security on their part may lead to other devices and networks being compromised.
To mitigate this lack of awareness, the security of Internet-connected devices requires more regulation on behalf of consumers. When comparing regulations around electromagnetic compatibility (EMC), we recall that regulators were instrumental in establishing rules that prevented chaos. A similar approach to IoT security is required, and the need for coordinated security certification of IoT devices needs to be promoted.
Key questions in the absence of IoT security certification
The truth is that device security is hard. Manufacturers must plan for threat scenarios such as physical tampering and over-the-air (OTA) update attacks that they largely do not appreciate today. At Kudelski Security, our laboratories regularly see devices overloaded with traditional IT defenses (such as host-based firewalls and application segmentation), but lacking fundamental physical device defenses (such as encryption key rotation and firmware protection). We have learned through the experience of testing these devices that you cannot treat an IoT device like an IT system – the threats are different and the defensive mitigations required are more complex.
Clients often ask for product security requirements for IoT devices. Those conversations usually begin with several critical questions that every device manufacturer should be thinking about:
- What can someone do with this device if they have physical access?
- Can the chipset security mechanisms be deactivated or bypassed?
- What sensitive information can be accessed through reverse engineering?
- Can physical security countermeasures be circumvented with lab equipment?
- Key management:
- If one device is compromised, are other devices at risk?
- Can secret keys be easily removed from the device?
- How are secret keys provisioned and loaded onto the device to prevent leakage?
- How are keys securely rotated?
- Device management:
- How is device firmware and software securely updated?
- How are devices de-provisioned when under attack?
Effectively building these capabilities is not easy, forcing many manufacturers to incorporate third-party security technologies, such as secure elements (SEs). The integration of a known and validated SE into a device lifts much of the security burden from the vendor, but operational aspects and constraints such as power consumption, context of use, and product evolution need to be taken into consideration as well. These product-specific realities often create a situation where there is unlikely to be a one-size-fits-all security solution.
Companies specializing in embedded device security can assist original equipment manufacturers (OEMs) and device vendors with integrating security into the design and architecture of their products. At Kudelski, thewas launched earlier this month as a conduit for sharing lessons learned in the design, building, testing, and management of devices at scale in a connected world. Since the announcement of the center and the news regarding the D-Link FTC suit, we have been working with device manufacturers to close many of their devices’ vulnerabilities, and hope, through a how-to approach, to move industry closer to coordinated security certification for systems that are quickly joining the IoT.