When it comes to device security, today's manufacturers make a lot of claims. Most will boast that their security measures are enough to meet the needs of the moment. Some might claim that their devices are so specialized they won't be subject to common attacks, which is rarely true; that their devices are not interesting enough for hackers to target, which is almost never true; or that perimeter security is sufficient to defend them, which is absolutely never true.
A closer examination reveals that manufacturers are still making things too easy for attackers. Many still use static credentials, weak symmetric tokens and patchwork solutions amid an inconsistent security framework, among other insufficient measures. The truth is that things like basic username and password combinations are no longer enough to protect these devices, a fact driven home by the bevy of attacks targeting IoT devices that have occurred over the past several years. Both manufacturers and users must recognize the advanced threats that these devices now face and have a plan to secure them.
The reality of today's IoT security challenges
IoT devices face a number of unique challenges. After all, IoT covers a wide range of devices, no two of which are the same. This can make standardization a problem. Many are built with low-cost processors and minimal memory to maintain a low bill of materials cost, resulting in devices with limited resources available to implement security measures. Traditional security solutions will not run on these devices because of the limited resources or the use of a specialized real-time operating system. The lack of an established security perimeter poses a further challenge, especially for devices housed in remote locations that may even be subject to physical or proximity-based attacks.
Attackers are savvy. They might steal a device or even buy one in order to take it apart and better understand how to attack it. For devices with firmware updates available from the OEM, they may download the firmware and attempt to reverse-engineer it to identify security keys, hardcoded passwords or other security vulnerabilities. The fact that attackers can physically obtain IoT devices to examine and probe makes them that much easier to attack than large-scale IT infrastructure located within a data center behind significant physical security barriers and multiple levels of cybersecurity.
The typical lifespan of IoT devices also poses an issue. While a manufacturer may claim that it has sufficient security controls now, will they hold up in five, 10 or 15 years? Connected cars might be on the road for more than a decade, while medical devices could be in use for even longer. Traffic or industrial control systems might not be retired for 30 or 40 years. Unfortunately, not all manufacturers are committed to maintaining those devices for that long, and even among those that do, maintenance can be a challenge. Not all devices can be taken offline to install updates, while others are physically hard to access. All these challenges make these devices attractive targets for would-be attackers.
What does IoT security really mean?
With IoT devices as both attractive and vulnerable targets for attackers, what do manufacturers and users need to know in order to achieve stronger devices security? In an IoT context, security means a number of things, starting with authentication and access control, or the blocking of unauthorized use and access. Understanding who can interact with certain devices or assets and what they are allowed to do goes a long way toward keeping a device secure. After all, not just anyone should be allowed to remotely log in to a traffic control system and change all the lights to green.
Protection from cyber attacks is the next step. Devices need protections in place to stop data from being easily stolen off the device and to ensure that communication is neither disrupted nor stolen. It is also critical to ensure that malware cannot be installed on the devices and that the operation of the device is not interrupted. Medical IoT devices are a good example. A compromised device could result in the theft of confidential patient health information or even stop a life-saving machine from performing its essential function. It's a worst-case scenario, but one that paints an accurate picture of the potential consequences facing poorly secured devices.
It is also important to avoid treating IoT devices as islands. They need to be integrated with security management systems capable of detecting and reporting potential cyber events. This is something that is often overlooked but is increasingly important. Suspicious activity like multiple failed login attempts or a user attempting to access ports that are not normally accessed on the device are likely precursors to a cyber attack and should be treated as such. If these activities are not reported to a central management system, security teams cannot take steps to remediate them.
Understanding the problem is the first step toward solving it
IoT security is and will remain a significant issue for both users and manufacturers, but it begins with understanding that the specific security challenges posed by IoT devices must be addressed in an equally specific way. Perimeter security measures will never be enough to protect IoT devices, many of which exist outside the network perimeter and outside of the physical perimeter. Because IoT devices are at greater risk of being stolen or acquired illicitly or otherwise, the ability to block unauthorized use and access on a device level is critical.
Attackers may be after a wide range of things when they target IoT devices. In some cases, they may be targeting data stored on the device, while in others they may simply be looking to gain an easy foothold into a broader corporate network. Whatever the case may be, users must be able to detect these incursions and remediate them, and manufacturers must ensure that the devices themselves are designed to facilitate this type of detection. When manufacturers claim that their devices are secure, users must be prepared to interrogate exactly what that means, or they risk putting their entire network in danger.
About the author
Alan Grau is the VP of IoT and embedded solutions at Sectigo, a global provider of automated digital certificate management and web security solutions. Alan has over 30 years of experience in telecommunications and the embedded software marketplace. Alan joined Sectigo in May 2019 as part of the company's acquisition of Icon Labs, a provider of security software for IoT and embedded devices, where he was CTO and co-founder, as well as the architect of Icon Labs' award-winning Floodgate Firewall. He is a frequent industry speaker and blogger and holds multiple patents related to telecommunication and security. Prior to founding Icon Labs, he worked for AT&T Bell Labs and Motorola. Alan has an M.S. in computer science from Northwestern University.