IoT innovation brings complexity and risk: Learning from past mistakes

Learning from our past

Learning from past mistakes is the best measure for preventing future IoT attacks. Take the example of the Jeep Cherokee attack of 2015 (and then again in 2016), in which security researchers Charlie Miller and Chris Valasek remotely shut down a vehicle on the highway. They used a hacking technique called a zero-day exploit, which targeted Jeep Cherokees and gave attackers wireless control via the internet, to hack thousands of vehicles. Attackers seek vulnerabilities in the automotive communication endpoints, giving them the ability to send commands through the vehicle’s entertainment system to control many functions, such as brakes and steering, all from thousands of miles away.

Practically all car manufacturers, not just Chrysler, are working hard to modernize automobiles so they are more like smartphones. From an attacker’s perspective, much of the innovative new technology being added to vehicles is an open invitation for hackers to try to gain access. All cars with IoT connectivity are vulnerable as long as people are able to identity a car’s IP address and gain access remotely, regardless of location.

The generic kill chain for most types of cyberattacks, like the Chrysler example, can be broken down into seven steps:

1. Reconnaissance: Harvesting email addresses, conference information, etc.
2. Weaponization: Coupling exploit with backdoor into deliverable payload
3. Delivery: Weaponized bundle to the victim via email, web, USB, etc.
4. Exploitation: Vulnerability to executive code on victim’s system
5. Installation: Malware on the asset
6. Command and control: Channel for remote manipulation of victim
7. Actions on objectives: With “hands-on keyboard” access, intruders accomplish their original goals

The Jeep/Chrysler attack is a perfect example of remote command and control being possible. However, if the defender can stop just one of the steps in the attacker kill chain, the attack fails.

Shortly after the Chrysler attack, the company recalled 1.4 million vehicles that had the potential to be affected by a hackable software vulnerability in its Uconnect dashboard computers. The manufacturer acted quickly and struck a deal with Sprint, the cellular carrier that connects Chrysler’s vehicles to the internet, adding security tools that can detect and block an attack on Sprint’s network.

With innovation comes complexity and risk. Unfortunately, this is the challenge for all companies — not just car manufacturers. Unlocking the value of innovation and new revenue streams and cost savings will also require a secure IoT ecosystem. In this case, automobile manufacturers and their supply chains need to implement security protocols to protect the critical internal domain of the car.

Last month, the FBI released a public service announcement warning about the importance of securing IoT and connected devices against cyberattacks. This warning showcases the real dangers of not properly securing connected devices. Since then, California has a bill awaiting Gov. Jerry Brown’s signature to set cybersecurity standards for web-connected devices. Continued use of self-signed certificates, shared keys and default passwords for IoT device security leaves these devices and networks increasingly vulnerable to imminent cyberattacks. The FBI’s warning further establishes the immediate need to secure connected devices and networks to prevent future IoT attacks.

Preventing future IoT attacks

It’s imperative that all stakeholders understand the current state of security challenges when it comes to IoT devices, which include:

• Devices are coming to market with weak or zero security pre-installed
• Security requirements are not being properly applied by the manufacturer
• “One and done” authentication certificates are not effective
• Managing hundreds of thousands, or millions, of devices and certificates is a struggle

Hackers operating in a digitally pervasive, connected environment are increasingly gaining access to IoT devices with no security embedded and exposed vulnerabilities.

A single, simple solution is the key to addressing these challenges and preventing future attacks: a secure, cloud-based portal that issues trusted third-party PKI (public key infrastructure) certificates for authentication. PKI, the infrastructure behind unique cryptographic-based identifies for devices, provides the basis for vital security tools such as mutual authentication, TLS tunnels and code signing. It is the best way to proactively disrupt the attacker kill chain.

PKI is a technology that has been trusted and used in IT for more than 20 years, and as encryption strengths grow, it remains a trusted method for authenticating people, devices and network access, and preventing attacks on secure devices. PKI is important for IoT security because without it an attacker can exploit the lack of strong cryptographic-based identities at the device level. Failure to use PKI certificates will continue to put manufacturers, network service providers and even consumers at risk to be the next headline.

Safety hinges on supply chain

With IoT here to stay, it is not the time to be lax in security protocols. Whether the technology is consumer facing or not, the repercussions for an IoT hack can be monstrous. As with all security measures, one person or organization cannot be solely responsible. It’s up to everyone involved in the supply chain of IoT devices to be diligent in security and ensure all vulnerabilities are properly secured or patched.

It’s important to note that you can’t have a proper security framework in place unless you have a physical device that can run the security software necessary to protect both the device and the network. To be better prepared for the future, it’s important to learn from the past. Understanding past attacks and learning how — and why — they occurred can help enable stronger protocols and a safer future.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.