The proliferation of IoT devices within not only the consumer, but also the commercial management space, is now becoming astounding. While various IT tools exist for the management of endpoint devices in business, little attention is given to the security of the devices themselves.
For devices explicitly provisioned into an organization’s network ecosystems, it is crucial that the resiliency of the devices is understood to prevent systemic security issues in the future.
Devices and their management
IoT ecosystems are necessarily made from devices, but the actual control that the security team has over the device is frequently at the mercy of the manufacturer. In B2B relationships, these customer companies frequently have influence over the device manufacturer’s feature roadmap simply due to their purchasing power. This is also true with standard security features.
In order to ensure the security of their device endpoints, it is crucial for organizations to establish security best practice standards for their device manufacturers and create basic controls to ensure that these are being adhered to.
Security features and their accessibility
Given that best practices need to be defined for device security, it’s important to establish what the core features are that we expect from our devices? Each device implementation is of course application specific, however, the following provides a set of features a reasonable security professional can expect of endpoints.
Application Code Signing – At the core of any secure device implementation lies a code signing mechanism. The software developer for the device generates a digital signature of the code prior to release and the device is designed not to boot if the signature doesn’t match. Proper code signatures prevent the device from being re-purposed via malware for other malicious intent.
Secure Boot – In order for the code signing to be effective, it must occur within an environment that cannot be tampered with by a potential hacker. A secure boot process starts up the device, verifies the code signature and permits boot only once the image is verified. The secure boot code itself is frequently embedded within a secure micro to prevent access to common debugging tools.
Secure Micro – A secure micro is usually a sub-processor of a standard system on a chip (SOC). This secure region is not accessible to standard code running on the processor and is designed specifically to run sensitive operations such as encryption/decryption, signature verification and key handling.
Hardware Root of Trust – In order to run an effective IoT ecosystem, each device within it must have a unique and immutable identity. Through the use of the secure micro a unique root of trust is established within the device allowing for not only authentication, but targeted provisioning of firmware and secrets in the field.
Device threats and their impact
Given this list of security features, the question is exactly what threats are we protecting against? Hacking attacks have focused primarily on personal computers and servers so far, however IoT devices are quickly becoming a ripe target for potential attackers. This is due to the sheer numbers being deployed and the ease with which control is gained over them.
Data Privacy – IoT devices generally collect data via the device, transmit it to a server for some form of processing, then return some result to the device for display to the user. Whether the device is deployed for consumer use or within a B2B environment, this data is likely to be valuable. Many devices protect the link via TLS or the like, but do not adequately secure the device leaving the data wide open to compromise.
Access to Backend Services – An extension of data privacy is the access the device can get to backend services such as customer or corporate data. A hacker can hack a single device and get data from it, but if they can extract the APIs and credentials to your backend services they can access your entire ecosystem’s data. Again, failure to secure the device serves as the primary entry point.
Device Disablement or Malfunction – Most devices are designed to do something and as such the consumer expects the device to operate as expected. By injecting malware into the device or modifying the existing code, the behavior of the device can be modified. In a simple system this may be an annoyance, but in safety critical systems, this can cost lives.
Ransomware Attacks – While popular in the media for their attacks on PC based systems, ransomware attacks are of critical concern to IoT ecosystems. A potential attacker has the ability to compromise an entire type of device, and a ransomware attack can be used to disable the system. For large ecosystems with a significant customer dependence this could be a costly attack as well as bad PR for the organization.
As is rapidly becoming apparent, the IoT landscape has a bit of a Wild West feel to it, with usability a primary concern and security being considered at some later date. While businesses may be excited by the potential of IoT, for organizations deploying IoT ecosystems within their own networks, it is crucial to understand the security features and functionality of the devices deployed.
As the proliferation of devices continues, they will become an increasingly viable attack surface for attackers, meaning that business must undertake any IoT deployment with an awareness and appropriate measure of preparedness for the threats involved. Without proceeding with this caution, businesses could very well see this brave new world end in disaster.