In the realm of IoT security vulnerabilities, there’s been a lot of talk about the open source Mirai botnet software, but it only leverages the low hanging fruit. Mirai works because some DVRs, routers and similar devices ship with default passwords that users are not required to change. While this will continue to plague us in the internet security industry for years to come, it is a solvable problem that will gradually fade.
A newer, potentially much bigger issue results from the ever lower-level focus of industry researchers and criminals alike – security vulnerabilities in the RAM, ROM and circuitry of widely used hardware chips. See for example the recent exploit of a Broadcom Wi-Fi SoC by Google Project Zero researcher Gal Beniamini.
A new frontier awaits. Computing devices will continue to get smaller. Smart dust is on the horizon. Connected devices across many verticals will pack increasing numbers of modular single-purpose systems on chips (SoCs) into a single product. This has both benefits and drawbacks. Modular systems with clearly defined interfaces are the hallmark of good system architecture and are easier to audit. That said, such subsystems are often trusted with little verification, leaving greater room for undiscovered vulnerabilities.
SoCs are increasingly becoming high-value targets for attacks due to their massive scale. Broadcom alone has sold at least “3 billion units of Wi-Fi/Bluetooth combo chips” since 2008.
Clearly the Project Zero team is aware of this risk profile, and their mindset should cause every security-conscious leader and engineer to take note. The scrutiny on the security properties of previously ignored embedded SoCs must increase. Criminals often get ahead by exploiting vulnerabilities in the places we forget to look. So what should CIOs and CSOs do now to address these concerns?
A Three-Step Plan for Technology Leadership
1) Inspire R&D teams to evaluate components they’ve bought, not just ones they’ve built
Engineers will begin shifting focus toward lower level languages and technologies. The history of computer science is largely one of abstracting away the hardware further and further. Thus, most developers in the past decade have had very little idea of the precise intersection between the code they write and the physical chips that code runs on. Embedded C/C++ and assembly have become esoteric. This creates a unique demand on current engineering teams that aren’t used to thinking in terms of hardware security. Yet the massive scale and deep impact on everyday life of the IoT will bring these deep skills back into high demand.
Technology leaders should inspire their teams to make security a chief concern and to evaluate the components they bought, not just the ones they built. Ask security questions about embedded SoCs. Understand that engineering teams won’t have answers in the short-term, but encourage them to start thinking about it. Change mindsets by making the invisible visible.
2) Encourage engineers who are curious about reverse engineering to develop the skill
The skills specific to exploiting embedded hardware vulnerabilities are highly specialized, and because of this, the process of improving security will largely be one of reverse engineering. When available, open source firmware makes audits significantly easier, but some amount of deep quality assurance (QA) work should be expected.
Additionally, amid growing concerns over kleptography and backdoors, technology leaders can no longer be satisfied with the implied security of mass-produced chips. They must be comfortable with their teams diving into the underlying functionality of SoCs and attempting to expose their vulnerabilities. More forward-thinking managers should keep an eye out for ambitious members of development or QA teams who want to learn the art of reverse engineering. This is a skill the world sorely needs more of, and an exciting differentiator from the typical engineering career path.
3) When hiring security firms for audits and penetration testing, press them to look beyond the big computers at the smallest ones
Vulnerabilities in cloud services – including the very DDoS attacks SoCs could enable – naturally continue to be a threat, and the security service industry is well equipped to ensure that enterprises are reasonably secure. However, such firms will need to expand their resources and expertise in the embedded realm.
Even when an agency has firmware and reverse engineering expertise, they will by default not focus any energy on third-party chips. Make sure that such audits take account not only of the firmware written for the application processor by your team, but also spend some effort questioning the SoC code written by hardware vendors. Open source obviously makes this process easier.
Conclusion
The success of many IoT initiatives depends on low cost hardware, which in turn depends on the massive scale of underlying components like Wi-Fi modules. If you can build with the same chips that are in smartphones and gaming consoles, then you get the cost benefit of their finely tuned supply chain and economies of scale. The dark side of this constraint is that the vast distribution also makes such chips a juicy target for would-be attackers, but if technology leaders follow a few simple best practices, they’ll find that this new frontier of potential security threats is much easier to navigate.