The Internet of Things (IoT) market is growing at an incredible rate: analysts have predicted that there could be as many as 30 billion connected devices worldwide within the next three years, and that this number is set to grow further to 80 billion by 2025. To break this down, this equates to around 4,800 devices being connected to the network as you read this; a figure that could reach 152,000 devices a minute in ten years’ time.
Combine this with a 15% projected increase in productivity in delivery and supply chain performance this year, and the market is expected to simultaneously transform multiple industries beyond measure. According to IDC, around 60% of global manufacturers will use analytics recorded from connected devices to evaluate and optimize processes.
Without a robust approach to security, however, it is impossible to truly maximize the potential of the connected world. After all, with greater rewards come even greater risks.
Connected devices as an attack vector
The use of malicious code on the IoT is now a reality. October 2016 saw the largest DDoS attack in history bring much of the internet to a standstill when the ‘Mirai’ botnet, built entirely from connected devices, overwhelmed DNS infrastructure provider Dyn.
In this particular case, most of the devices that made up the botnet were webcams but, with the right intent and wherewithal, it would be entirely possible for an attacker to gain control of a fleet of connected cars, or even introduce a malicious software update to a network of connected pacemakers.
It’s clear, then, that security needs to be front of mind for everyone involved in the connected device business and, while stronger usernames and passwords are definitely needed, the implementation of code signing best practice would make connected devices far less useful to attackers.
Trust and integrity
Code signing is, essentially, a method of proving the origin and integrity of a file, ultimately protecting companies, brands, partners and users from the dangers of infected software. As the final step in the development process, code signing creates the actual user-facing files, and involves the use of public key infrastructure (PKI) and digital certificates to confirm the software’s author, and safeguard it from alteration or corruption following its signature.
In practice, once the code is published, users can then obtain the originator’s public key and use it to validate that the party purporting to have created the signature did in fact do so, and that the program has not been modified since.
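The sign-then-verify flow described above, as an added example that is not part of the original article. It assumes Ed25519 signatures over a SHA-256 digest and a vendor public key pinned on the device; the function names and the sample firmware bytes are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// NewSigningKey creates a vendor key pair. In a real release process the
// private half would be generated and held inside an HSM, not in memory.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignFirmware signs the SHA-256 digest of the image (release-side step).
func SignFirmware(priv ed25519.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	return ed25519.Sign(priv, digest[:])
}

// VerifyFirmware is the device-side check: the image is accepted only if the
// signature validates under the vendor public key pinned on the device.
func VerifyFirmware(pinned ed25519.PublicKey, image, sig []byte) error {
	digest := sha256.Sum256(image)
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pinned, digest[:], sig) {
		return errors.New("firmware rejected: signature does not match pinned vendor key")
	}
	return nil
}

func main() {
	vendorPub, vendorPriv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	image := []byte("constructed sample firmware image v1.2.0")
	sig := SignFirmware(vendorPriv, image)
	fmt.Println("genuine image:", VerifyFirmware(vendorPub, image, sig))

	// Any modification after signing invalidates the signature.
	modified := append([]byte{}, image...)
	modified[0] ^= 0xFF
	fmt.Println("modified image:", VerifyFirmware(vendorPub, modified, sig))

	// A signature made with a key other than the pinned one is rejected.
	_, otherPriv, _ := NewSigningKey()
	fmt.Println("other signer:", VerifyFirmware(vendorPub, image, SignFirmware(otherPriv, image)))
}
```

Verification only proves that the holder of the private key signed these exact bytes, so a stolen signing key produces signatures the device will accept. That is why the protection of the key itself carries the whole scheme.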
The security community has long recognized the importance of code signing as a method of establishing trust and integrity and, given the latest developments in the use of connected devices as an attack vector, there’s more reason than ever for software vendors (ISVs) and even ordinary users to adopt code-signing best practices.
Indeed, the significant benefits of implementing the technology mean that code signing is commonly deployed as best practice across various organizations, with major players in the tech industry such as Microsoft, Apple and Google already pushing other companies to adopt stronger code signing methods.
The dependency on this new approach, however, means that for code signing to be an effective measure for identifying trustworthy software, it must be completely secure.
Secure processes
When code-signing breaches do happen, they tend to be the result of poor processes and management. Not signing your code, for example, or falling short on best practices, runs the risk that criminals will distribute malicious code through connected devices.
What’s worse, they can make it look like it came from you. Malware signed using stolen code signing credentials is becoming increasingly common these days.
By taking steps to ensure that the processes used to create these digital signatures are protected, maximizing code-signing security with a tamper-resistant, hardware-based solution, organizations will prevent attackers from using forged signatures to conceal infected code.
A secure code signing system requires developers to plan for encryption key management – using hardware security modules (HSMs) – and to implement cryptographic best practices, all of which must be enforced in both the development and code release processes.
As industry standard bodies increasingly recognize these practices as mandatory, and as the number of IoT devices continues to grow, it’s worth considering that implementing the correct lines of defense requires neither time-consuming nor arduous measures – only the right ones.
Staying one step ahead of cyber-criminals will never be without its challenges, but with best practice in place, it is achievable. In today’s climate, more than ever, it’s necessary if we are to take advantage of the benefits the IoT promises to deliver.