Security was a low-priority consideration in the early days of IoT deployments, particularly with consumer-oriented gadgets, and things haven't changed much -- security still often comes second to speed to market. But as more and more instances of IoT device hacking surface and IoT security legislation is proposed, device makers and enterprises are coming to accept that the time to rethink IoT security is now.
"One of the biggest challenges is that security is still an afterthought in many devices and it is not considered in the design process," said Lisa Green, director of people relations at Independent Security Evaluators. "In order to properly secure IoT devices, makers should begin to think like and understand the motivations of malicious adversaries."
Now, though, owing to a rise in well-publicized attacks, enterprises are beginning to address IoT device hacking challenges from a software development lifecycle approach that draws from DevOps and DevSecOps principles. This includes embedding security professionals into development teams, more comprehensive security testing and allowing encrypted security updates to be pushed out to compromised devices on a moment's notice.
Consider the attack surfaces of IoT devices
It is unrealistic to assume any IoT device is totally secure. Despite an organization's best efforts to identify and remediate security flaws, hackers will continue to bang away at them for both fun and profit. IoT devices are connected by nature, making them targets for launching various kinds of internet mischief. The stakes grow higher when IoT devices are used to protect cars, open door locks or run industrial equipment.
"Compute power and resources are the biggest challenge for security in IoT," said Alex Kubicek, CEO of Understory Inc., a distributed weather forecasting service. Encryption, firewalls and other protections require compute cycles, and, many times, embedded systems are already at their resource limit. Plus, in many cases, enterprises don't have physical access to the hardware. This can make it more challenging to determine an issue, especially around theft of a device. Kubicek said this is more of a problem in industrial IoT than consumer IoT deployments.
Leading software development organizations are realizing they can reduce development cycle time and mitigate the chances of IoT device hacking by embedding security experts onto software development teams. Rather than waiting until the end to test security, these experts can evaluate the different kinds of potential attack surfaces through which hackers could compromise an IoT device. This could include physical compromises, such as disabling a security device or replacing a chip; local network compromises, i.e., opening a car door by mimicking the owner; or power draining attacks, like flooding battery-operated devices with fake messages and requests.
Plan for updates
Lisa Greendirector of people relations, Independent Security Evaluators
One of the most high-profile IoT attacks was Mirai, which saw adversaries hacking IoT devices such as security cameras to form one of the largest botnets to date. It took advantage of the always-connected nature of IoT devices to launch a campaign of disruption. The FBI said this bot was initially formed by two hackers with a small Minecraft gaming service to disable the competition. But it was so successful that they kept going, launching click-fraud-as-a-service campaigns and disrupting traffic to some of the world's most resilient websites, such as Netflix, Twitter and Reddit.
One of the most important lessons that IoT device makers can take away from this attack is that it is critical to assume that even with well-planned security, backdoors may still beckon to attackers. In the case of Mirai, many IoT devices were never patched. A vigilante modification of the Mirai code called BrickerBot was launched to permanently disable compromised IoT devices. As a result, IoT device makers never got a chance to update their devices and save their brand image.
Sending out security patches to devices in the field is not as simple as patching a web server on AWS using a well-defined identity and access management infrastructure. IoT device makers need to ensure patches can be sent out via encrypted updates that reduce the risk that hackers could send out their own bogus patches.
Additionally, device makers must ensure there are ways to communicate and update devices remotely and easily. There are a host of DevOps tools that can work with IoT, such as SaltStack, Kubicek said, adding that these tools "make it easy to quickly apply critical patches on remote IoT devices and ensure every device gets updated."
IoT manufacturers need to have a functional way to update all deployed devices, and security updates need to be swift to minimize the time customers are vulnerable. Security processes should be built into the design phase all the way through release of the device and the support given after release. "A security team can be brought in during all these phases to constantly test device security after new updates are released or when a new threat vector is discovered," Green said.
Trust the hackers
Once an IoT device is ready, it's probably a good idea to let a trusted IoT device hacking team take it for a test hack. These experts will be able to spot security holes that the internal development team and automated security testing tools might have missed.
It's also a good idea to let these hackers tinker with the inner workings of the actual devices and their software using white box penetration testing approaches. This will make it easier for them to spot flaws that may be harder to identify using black box testing, in which the hackers are only given access to the finished product as a consumer or hackers might see it.
However, these methods require a level of trust, Green said, adding that, regardless, "having a security researcher going through and looking at each part manually is critically important, so as not to miss assessing every possible point of attack."
Include a risk assessment
For industrial companies, IoT devices are usually ruggedized field equipment with sensors that afford limited physical access. Conversely, these devices have had some level of data access for decades in the form of a supervisory control and data acquisition or distributed control system often using unencrypted industrial protocols.
"Industrial IoT now warrants that these sensor values can be fed into analytic models, either locally in edge computing devices or into a cloud computing model, returning business insights on a streaming basis often at higher frequencies," said Jeff Jensen, CTO at Arundo Analytics Inc., an industrial analytics service. Hence, the core security piece in these instances involves larger amounts of unencrypted data leaving the local site and, therefore, requires the use of virtual private networks, secure communications protocols or application level encryption using a checksum.
In some cases, newly instrumented devices use mesh working, Bluetooth or other wireless communication methods to move data from device to a gateway. Some of these protocols are not inherently secure, so must implement application level encryption and be appropriately managed by an administrator. "A key question for many people in this situation is the real risk assessment from IoT device hacking and whether it is catastrophic or relatively low risk," Jensen said.