The Power of IoT is Limitless, But Threats Are on The Rise as Well

From 2016 to 2017, there was a 600 percent increase in attacks on IoT devices. Physical (Hardware) + Logical (Software) based device security is the need of the hour.

Curated by Vinay Prabhakar Minj 

It is expected that 75 billion devices will be connected by 2025. There’s no doubt about the potential that IoT holds, but sadly its security aspect is not keeping pace with the exponential growth of this connectivity of devices that are spread all across the ecosystem.

It is surprising to know that from 2016 to 2017, there was a 600 percent increase in attacks on IoT. The main countries that fell prey to it were China (21 percent), U.S (11 percent), India (5 percent) and Japan (4 percent). Most accessible and vulnerable targets continue to be routers (33.6 percent) and DVRs (23.2 percent).

More shocking was the fact that almost 49 percent of the attackers were new and had never been listed under the black-listed category.

Moving on to the networking side, around 24,000 malicious apps were blocked per day by service providers like Jio and Airtel in 2018. And there was a 55 percent increase in the number of spams (phishing through emails).

And lastly, the most vulnerable part that has been there in the PC industry since long is related to server-web applications. 1 billion requests with respect to the data that we enter in IoT, were analysed per day in 2018. Out of these requests, 1 in 13 lead to malware attacks. These malwares were in the form of cryptocurrency and ransomware. There was also a 92 percent increase in new download variant.

Solutions for end-to-end PC security

The TPMs or Trusted Platform Modules are kind of hardware for security and is present in many common devices such as mobiles and various embedded devices. On the network side, there is the NMS (Network Management Software), Firewall and Anti-virus apps.

Edge gateway has become the new interest area for the hacking community and it could be hacked either by a boot system or firmware or logging in to the network.

BY PUTTING A DEVICE IN THE IOT ECOSYSTEM WITHOUT KNOWING THE DEVICE’S INGENUITY CAN COMPROMISE THE SECURITY OF THE ENTIRE ECOSYSTEM 

Examples of IoT hacking and vulnerabilities in the past

• A DDoS attack called Mirai took place in 2016. All the gateways usually come with a default ID and password. So, the above botnet malware went into the network and compromised every gateway that was there using the default IDs. The effect was so huge that the whole internet went down globally and several online services came to a halt.
• In 2017, the U.S FDA (United States Food and Drug Administration) confirmed that the cardiac pacemakers manufactured by a medical device company called St. Jude Medical had been hacked that reduced its battery life, which was very fatal.
•  Connected vehicle telematics still continues to be the most vulnerable in terms of IoT hacking. This was demonstrated in 2015 where a team of IBM researchers remotely took control of the CAN (Controller Area Network) protocol and operated a vehicle called the Jeep Compass as per their own will.
• Private data from baby monitoring cameras made by a company called Trendnet, were made readable to an outsider by hacking its unencrypted IP addresses.

Potential security concerns

• IoT devices are usually deployed and operated in an unmonitored, hostile environment. Since monitoring of these will be remotely done by a trusted operator, it doesn’t mean that it can’t be also operated by someone else. This shows that the operational information can be accessed by someone untrustworthy. This calls for a defence mechanism such that each device on the edge has in-built security that helps in defending and protecting against malicious attacks.
• RTOS (Real-Time Operating System) consisting of Windows and Linux Kernel has millions of lines of coding, which can be accessed and modified by anyone. However, a malicious code written by a hacker into those same lines can make the entire RTOS vulnerable to a cyber attack.
• Currently, a lot of devices are getting connected. By putting a device in the IoT ecosystem without knowing the device’s ingenuity can compromise the security of the entire ecosystem.
• Standard PC services model of TPMs not exactly applicable to IoT devices.
• Due to a large number of connected devices, hackers can enter into your device and do actual physical harm.
• In the IoT world, physical access for the servicing of a deployed device may not always be possible due to factor such as remoteness

How to address these concerns/challenges at device level?

• Implement security at both hardware (TPM) and software (FW) level: At the hardware side, a device should not be physically accessible to anyone else other than the user. And on the software part, the device IDs should never be unencrypted.
• Hardware enabled challengeable device identity (device ID/UDS): This refers to having a unique ID that prevents a competitor OEM to clone a device and in turn does not affect the business.
• Unchangeable boot-up process at start-up: It simply means that in case of a reset (due to system hang), a user should know from where to re-start. The code for this reset is present in the ROM which cannot be changed.
• Strong isolation of sensitive code execution especially actuation triggers: This refers to having a baseline policy for sensitive data which can never be changed in the ROM.
• Capability to remotely evaluate device status: This refers to logging in from the cloud and interacting with the device.
• Crypto enabled Watch-Dog trigger if the device becomes unresponsive: If the device hangs, then one should be able to login remotely. It is useful in having a trigger that can automatically reboot the system.

 Why hardware support is important?   

These are a few problems with software-only solutions

• In software, the device ID is part of the Flash. And, if the Flash is readable, then the security is compromised.
• Another problem with software is that as malware has become smart these days, it has become difficult to trust software to report its own health, whenever it gets affected.

The above problems can be only solved if the user can access the firmware and investigate whether or not the system is lying.

Can existing hardware security solutions be used?

We have a standard TPM module that goes into hardware, it is present in your moblies. There is a PKI (Public Key Infrastructure), which is asymmetric encryption through which public/private keys go on into the application server.

A problem here is that the encrypted packets can be read over the network on which spoofing (attacking by masquerading oneself as a genuine data) can be done.

Therefore, a better solution needs to be devised to handle these challenges before implementing existing hardware security solutions.

TRUSTED PLATFORM MODULES WITH DICE FRAMEWORK CAN BE A VIABLE SOLUTION FOR DEVICE SECURITY

Device provisioning process

It consists of a device, a device provisioning service and an IoT hub (both of which are Azure components). So, once the private key/unique device key is enabled onto the cloud, then the device automatically generates its own key and is sent to begin communication with the IoT hub.

DICE: Device Identifier Composition Engine

This refers to the ROM process where a private key of the device (also known as unique device secret) is only accessible at the boot level. Using this, a new key is generated for the firmware that is known as the compound derived identifier. And that key becomes the key for the next layer of the firmware. So, each key is being put in each layer of the firmware. And if a malware also generates a key for a firmware layer, then the cloud will get to know that this key is different from the original one and will thus reboot the device.

Summary 

• Don’t let edge devices become new Trojan horses in IoT.
• Concerns related to device security, privacy and trust needs to be addressed properly.
• Physical (Hardware) + Logical (Software) based device security is the need of the hour.
• TPMs with DICE framework can be a viable solution for device security.

 About the author

The article is an extract from the speech presented by Aditya Kumar, Group Technical Specialist – NEC Technologies India Pvt Ltd, at the IOTSHOW.IN 2019.  He has 13 years’ experience in business and technical solution management in the field of IoT, Smart City, Safety & Survilleance, Smart Energy.