December 20, 2016 Volume 12 Issue 47
 

Designfax weekly eMagazine

OEMs: How to protect home devices and appliances from cyber attack

By David West, Engineering Director, Icon Labs

In July 2014, HP Labs did a study of 10 popular IoT (Internet of Things) devices and found security was shockingly bad. The researchers studied the devices, looking at end-to-end security capabilities including privacy protection, authorization, encryption, user interface protection, and code security. They found 70 percent of the devices had at least one major vulnerability.

At the end of their study, researchers identified over 250 vulnerabilities, an average of 25 per device. Security was clearly an afterthought or not considered at all. That's bad enough for an engineer to deal with, but much worse for the unprepared consumer.

An average consumer, or even a security-savvy consumer, has little ability to know which brand of IoT device has better security or any at all, leaving the primary responsibility for securing their devices squarely with the OEM.

A compromised consumer device may have little impact on the device's performance, and the consumer may not even realize their device was hacked.

Should the OEM care?

Absolutely!

On the surface, the hacked device may seem benign. But a device such as a smart refrigerator may reveal Wi-Fi credentials to a hacker, giving them a beachhead from which they can then attack other, more critical devices on the network. So, it's about more than just protecting the device itself.

It seems moments after a solution against digital invasion is in place, someone finds a way to circumvent it. Security is in many ways an ongoing, never-ending arms race, and hackers are adept at finding ways to exploit security vulnerabilities. The key is to add appropriate levels of security making it more expensive for the hacker (in terms of time and computing resources) to exploit a device or system. Hackers usually go after the easy exploits and avoid the challenges that offer little financial or ego benefit.

The first step for the OEM is to evaluate their device's vulnerabilities, decide what to protect against, and determine how the economics of the device are affected.

Vulnerabilities in IoT devices
Design vulnerabilities are weaknesses resulting from a failure to include proper security measures when developing the IoT device. Examples of design vulnerabilities in HP Labs' study include use of hard-coded passwords, control interfaces with no user authentication, and use of communication protocols sending passwords and other sensitive information in the clear. Other, less glaring examples include devices without secure boot or allowing unauthenticated remote firmware updates.

Security capabilities
Adding a few basic security capabilities can make IoT devices dramatically more secure and greatly reduce the risk of falling victim to a cyber attack. These capabilities include:

  • Secure boot,
  • Secure remote firmware update,
  • Secure communication,
  • Data protection, and
  • User authentication.

Secure Boot
Secure boot uses cryptographic code signing techniques to ensure the device only executes code produced by the device OEM or other trusted party. Use of secure boot technology prevents hackers from replacing the firmware with malicious versions, thereby blocking a wide range of attacks.

Secure Firmware Update
Secure firmware updates ensure device firmware can be updated, but only with firmware from the device OEM or other trusted party. Like secure boot, secure firmware updates ensure the device is always running trusted code and block any attacks attempting to exploit the device's firmware update process.
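
The signature check that both secure boot and secure firmware update rely on, as an added example (not code from the article or from Icon Labs). It assumes RSA PKCS#1 v1.5 signatures over SHA-256, a scheme the article does not specify; the key is a constructed demo key and the function names are hypothetical.

```python
import hashlib
import hmac

# Constructed demo key, NOT secure: the modulus is the product of two Mersenne
# primes so the example needs no key file. A real OEM key is generated randomly
# and the private half never leaves the signing server.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key, stored on the device
D = pow(E, -1, (P - 1) * (Q - 1))        # private key, OEM build server only
K = (N.bit_length() + 7) // 8            # modulus length in bytes

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_encode(message: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), exactly K bytes long."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def oem_sign(image: bytes) -> bytes:
    """Runs at the OEM: sign the firmware image with the private key."""
    return pow(int.from_bytes(emsa_encode(image), "big"), D, N).to_bytes(K, "big")


def device_accepts(image: bytes, signature: bytes) -> bool:
    """Runs on the device at boot, or before flashing a downloaded update."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(K, "big")
    # Re-encode and compare the whole block instead of parsing the padding,
    # so malformed padding can never be accepted as valid.
    return hmac.compare_digest(recovered, emsa_encode(image))


if __name__ == "__main__":
    firmware = b"constructed firmware image v1.2"
    sig = oem_sign(firmware)
    print("genuine image accepted:", device_accepts(firmware, sig))
    print("patched image accepted:", device_accepts(firmware + b"\x90", sig))
```

Only the public key (N, E) needs to be on the device, so extracting it from a stolen unit does not let an attacker sign their own firmware.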

Secure Communication
Use of security protocols like TLS, DTLS, and IPSec adds authentication and data-in-motion protection to IoT devices. Because data is no longer sent in the clear, it is much more difficult for hackers to eavesdrop on communications and discover passwords, device configuration, or other sensitive information.

Data Protection
Security protocols provide protection for data while it is transmitted across networks, but do not protect the data while it is stored on the device. Large data breaches often result from data recovered from stolen or discarded equipment. Encryption of all sensitive data stored on the device provides protection should the device be discarded, stolen, or accessed by an unauthorized party. For instance, most office, business, and personal printers have an integrated drive inside storing tens of thousands of documents.

User Authentication
Weak or non-existent user authentication recently resulted in thousands of IP cameras with well-publicized default passwords being enlisted in a high-profile Denial of Service attack (dubbed the Mirai botnet infestation). A strong user authentication method is a clear requirement for device security.

The Consumer
On an individual level, there is less we can do. If a company produces an insecure product, the consumer can either live with it or not buy it. For those products with built-in security, users must enable appropriate levels of security, change default passwords, and use strong passwords.

The cameras used as bots in the Mirai botnet infestation could have been protected from attack. Secure boot, a firewall, or intrusion detection could each have prevented the takeover of the cameras that enabled the attack. These have the benefit of not requiring the user to remember passwords or unique logins. For as little as 1 percent of the price of the device, this public disaster could have been avoided.

Summary
Security is a requirement for all consumer IoT devices, no matter how small or seemingly insignificant. By adding a few basic capabilities, the security of any device can be significantly increased. These solutions, including Icon Labs' Floodgate Security Framework, are effective in blocking cyber attacks and can be utilized in very resource-limited IoT devices.

Icon Labs was named a 2014 Gartner "Cool Vendor" and 2015 Gartner "Select Vendor," and is focused on creating The Internet of Secure Things by providing security for even the smallest IoT devices. You can reach the author at david.west@iconlabs.com.

Published December 2016


Copyright © 2016 by Nelson Publishing, Inc. All rights reserved. Reproduction Prohibited.