Perils of Trivialising IoT Security

3105

Curated by Vinay Prabhakar Minj 

SECURITY IS NOT JUST ABOUT CONFIDENTIALITY. SECURITY IS ALSO ABOUT INTEGRITY AND AVAILABILITY.

Broadly, Internet of Things (IOT) refers to a network of Internet-connected devices that are capable of gathering and sharing electronic information. It could be consumer goods, industrial equipment, traffic lights, construction equipment, healthcare devices and so on.

The data is the blood of IoT devices. So, it is important to manage and protect the data. But how do you ensure that the integrity of the data is managed well, or things are interconnected? These are some of the complexities and problems one may face from the security as well as the functional point of view.

Again, there are a multitude of IoT protocols like ZigBee, Zwave, RF and 4G, which means multiple options to choose.

So, the question arises: Are too many standards too much? Or are too many standards an indication of having no standards that are good enough for security purposes?

IoT Ecosystem – Engineer’s View

If you look at the IoT ecosystem from an engineer’s perspective, there are four parts to it – the devices, the mobile (which may or may not exist in some form factors), the Cloud and all the networking aspects of it (including the protocols).

The form factor devices (gateways, nodes, EDGE) are small devices of varying sizes. Depending on the functionality, they might be collecting just sensor data and sensor values.  Among these, the gateways will have a much richer stack in the sense that they will be sending all the collected information back to the cloud. But the architectures may vary depending on the use cases and the hardware. In some cases, you will see mobile phones acting as a conduit or a channel.

For example, in the case of a fitness tracker, you will first install an app on Android or iOS, create an account and then start pairing the device and pushing all the data into the backend. On the cloud side, typically, you’ll have AWS, GCP or any other type of private cloud. It will be just an implementation like a backend web service, hosted on a server.

The cloud, the third component, is a much richer stack. This is where all the data is processed, managed and presented in a way that is useful to the customers and businesses.

Why Care About IoT Security? What Should You Secure?

One of the problems with IoT, particularly in India, is that it is broadly done by small and medium-sized businesses.

Many companies feel that as they are paying the supplier for hardware/software, security is not their responsibility and blame the supplier for any security bug.

Also, many vendors talk about not needing security as they do not store confidential information. But security is not just about confidentiality. Security is also about integrity and availability.

Security is often an afterthought in the design process of IoT devices. Many companies think of shipping the product first, and only worry about its security when it gets hacked.

Unfortunately, nobody is 100 percent secure in this industry and attacks on IoT are happening actively. IoT devices in automotive and healthcare sectors have been attacked in the past by hackers. The consequences of such attacks could be data loss, danger to physical safety and damage to online reputation.

Example, the cryptocurrency firm, Bitcoin was shut down after a massive data attack.

So, if you are a vendor or a product manufacturer, then don’t just think the security of the end users of your products, but also the security of your own firm.

IF YOU ARE A VENDOR OR A PRODUCT MANUFACTURER, THEN DON’T JUST THINK THE SECURITY OF THE END USERS OF YOUR PRODUCTS, BUT ALSO THE SECURITY OF YOUR OWN FIRM.

As mentioned above, an IoT product architecture includes the gateway, nodes, mobile, cloud and protocols. You have to secure all these things. There are security best practices that offer security by design for each of these solutions.

IoT Security Being Trivialised

Security is often seen as zero ROI (Return Of Investment). This is partly true because a lot of time, energy and money are invested in getting product security validated, but it is not helping to get more sales. Adding security sometimes impedes prototyping and delivery.

Also, many of the vendors think that consumers will buy anyway even without the addition of a security feature. Poor awareness and lack of options apparently contribute to this buying behaviour.

Moreover, the liability laws are not iron-clad. This means if a vendor does zero security and someone gets hacked, he can’t sue the vendor or get compensated.

If you are still wondering about why you should care about security? Some of these cases should be considered before doing so.

Our company (Deep Armor) recently worked on an IIoT solution which used a ZigBee-like 802. 15.4 based communication protocol. The use case for this was logistics and asset management. To demonstrate how spoofing can be done of a valid node in a wireless IoT sensor network and send rogue data for temperature values, we used some market hardware (which can be easily bought from online stores) to masquerade as a node, a gateway and an attacker. Then, for example, if the whole unit is transporting medical vaccines (and having a lot of nodes), then the entire package can be destroyed without the gateway suspecting about what just happened. If you are transporting vaccines and the temperature is dropped, then that could turn toxic and have completely undesirable effects. The cost of the attack was almost Rs. 10,000 which is nothing in terms of a high-value attack.

Secondly, we worked on consumer IoT in the wearable space using the BT/BLE protocol. We wrote a malware application which was hooked onto the Bluetooth service and then started extracting data. So, basically, when you have an application, all it requires is Bluetooth and Bluetooth admin permissions. And when that malware is installed, it can keep sniffing everything in the background. It can also send values and commands to that wearable device. That means your wearable can be broken in a second. Cost of the attack is Rs 0. It just needed some know-how on how to write Android applications.

THE SOONER A BUG IS FOUND AND FIXED, THE PRODUCTS ARE GOING TO BE EXPONENTIALLY MUCH CHEAPER.

Challenges in Securing IoT devices  

IoT is a bag of parts. There is no one manufacturer or one vendor who makes everything. You don’t do your cloud service; you don’t write your own SSL libraries or implement your own crypto-algorithms. Instead, you will buy hardware from China and software from Europe, and then put all these things together.

Another challenge is that the existing security development life cycle (SDLC) frameworks can’t be applied easily. Rampant reuse of open source software, nascent security research and hardware/software size restrictions are other challenges in terms of securing IoT devices.

Regulations – The Future

In terms of regulations in the future, the first step was taken in California in the US, where a Senate bill was passed stating that “all connected devices should have reasonable security feature”. This statement was a bit vague. Reasonable security can mean anything, it can mean using just TLS (Transport Layer Security) and you are good, which is not enough. But the positive part is that it also says connected devices, which are very broad and can include any type of IoT device.

Unfortunately, it won’t change the world because it limits security features to just not setting the wrong admin/password. Also, it is only in one country. It needs to be rolled out for the rest of the world too.

In the meantime, IoT businesses can implement defensive security best practices and put security into their products. The sooner a bug is found and fixed, the products are going to be exponentially much cheaper.

About the author:  

This article is an extract from the speech delivered by Sumanth Naropanth, Founder and CEO, Deep Armor, at IEW/IOTSHOW.IN 2019. Deep Armor offers security consulting, vulnerability testing, SDL and training services for emerging technologies. 

Before starting Deep Armor, Sumanth had worked with Intel, Palm/HP, Sun Microsystems in a variety of security roles.