Even by the hysterical standards of the media, the past few months have seen an absolute avalanche of data breach stories. From hospitals to burger chains, credit bureaus to law firms, the headlines have been saturated with news of personal and financial data being lost, stolen or accidentally publicized. The big question is: Do we really care anymore?
While these cyberincidents certainly have major repercussions — for the breached organizations and their customers, we need to put them in perspective. Because there’s another, potentially much more serious security challenge facing us: The internet of things. And when we talk about IoT flaws, we’re not just talking about lost data. We could be talking about loss of life.
Google the words “data breach.” The results, going back just a short while, are incredible. Wendy’s, Kiddicare, Equifax, infamous Panamanian law firm Mossack Fonseca, Heath-Allen hospital in Iowa, the Ohio Department of Mental Health and Addiction Services, Chelsea and Westminster Hospital NHS Foundation Trust, and, ironically, even Google all suffered a breach or were hit with fines. And that was just a cursory online search.
Even more headlines were devoted to breach-related stories: ID Experts research claimed data breaches cost the healthcare industry some $6.2 billion; a FireEye study revealed incidents are destroying trust in brands; even the British government is getting in on the act, claiming 65% of large firms detected a breach or cyberattack in the past year.
There’s no doubt that raising awareness about breaches is important. The impact of information-stealing cyberattacks on privacy and the economy is undoubtedly huge. But for individuals, identity theft and fraud is not much more than an irritant and an inconvenience. And for organizations, it amounts to an economic and reputational hit, however major. But the fact still remains — none of these are life or death matters.
By contrast, reporting of IoT flaws has been relatively sparse, despite some major research appearing of late which has begun to shed light on the potentially life-threatening nature of security problems in embedded computing systems. The most famous case was Miller and Valasek’s demo at Black Hat which showed how hackers could move laterally inside the computing environment of a 2014 Jeep Cherokee, reflash firmware on a chip controlling the CAN bus and remotely control the brakes and steering wheel. It doesn’t take a genius to work out the potentially fatal repercussions of such a hack if carried out with malice.
There are four key problems at the heart of most embedded computing systems like the one in the Jeep, exposing them to hacking attempts. They are proprietary in nature, connected to the internet, the firmware is not signed — making it possible to reverse-engineer the code, modify, reflash and reboot to execute arbitrary code, and the silicon allows for lateral movement.
A tipping point
Be in no doubt, we’re at a tipping point here. These flaws haven’t been exploited on a large scale yet because they require a great deal of time and effort to exploit. But there are already signs this is changing. Governments in particular have both the time and resources. The power outage attack on the Ukrainian grid just before Christmas involved hackers overwriting firmware at multiple substations, rendering them unable to receive commands. It has been widely blamed on Russian state actors, although definitive attribution remains difficult.
It’s clear these IoT flaws are no longer theoretical. And that’s why we have produced new guidance to help the industry build more secure embedded computing devices. “Security Guidance for Critical Areas of Embedded Computing” outlines our new hardware-based answer to these fundamental weaknesses. The key to securing these systems lies in focusing on the silicon — because security becomes harder to interfere with at that level. So we’re espousing a root of trust anchored in the hardware, which means the firmware becomes tamper-proof. And hardware-level virtualization to keep critical components isolated and containerized, so even if one were compromised, it couldn’t allow lateral movement. The whole premise is based on open source and interoperable standards — to focus on the best quality code possible and force an end to “security by obscurity.”
Let’s not wait for the next major incident involving exploitation of these IoT weaknesses. We don’t want to see an airliner downed by a fleet of hacked and remotely controlled drones. Or key firmware inside a nuclear power station overwritten to carry out the wishes of a black hat group. It’s time to get serious about IoT security. This means changing the mindset at the development and manufacturer levels from “it works, now let’s try and secure it” to “if it isn’t secure, it doesn’t work.” Only then will have a connected world that is safe for all.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.