arthead - stock.adobe.com
With the proliferation of connected devices across nearly every imaginable use case, it's understandable that this unyielding rise in device use is accompanied by escalating concerns about security. A security breach in a smart speaker or vacuum is concerning; a security breach for devices that manage patient healthcare or industrial manufacturing can be disastrous.
Traditional device development processes aren't equipped for the rise of connectivity across all the ways in which consumers and businesses are becoming accustomed to using it. For decades, hardware development was ship-and-forget. Adjusting to vulnerabilities wrought by increasing connectivity is a major shift. With the absence of industry-wide security standards that provide guidance and clarity on device security and legislation that dictates specifics for compliance, the IoT device security landscape leaves a lot up to the individual vendors manufacturing devices.
The scope of the problem
Three years ago, OWASA released its IoT Top 10 list, which explains what developers and organizations must make sure they do not use when designing and implementing IoT systems. The list included:
- Weak, guessable or hard-coded passwords
- Insecure network services
- Insecure ecosystem interfaces
- Lack of secure update mechanisms
- Use of insecure or outdated components
- Insufficient privacy protection
- Insecure data transfer and storage
- Lack of device management
- Insecure default settings
- Lack of physical hardening
But just a cursory look at news from the last six months shows how an onslaught of hacks has compromised devices and underscores that the threat of the connected device landscape is only growing.
Addressing IoT threats
In an effort to address known IoT vulnerabilities, governments are working to come up with solutions. For example, the U.S. government signed The Internet of Things Cybersecurity Improvement Act of 2020 -- the "IoT Act" -- into law in December 2020. The legislation requires that any IoT devices used by the federal government must meet specific cybersecurity standards and guidelines. In Europe, the EU Cybersecurity Act was put into place in 2019 to classify IoT businesses under a common set of certification standards based on their level of security.
Both legislative examples are steps in the right direction. Even without binding regulation, moves like this set examples for the industry to follow and likely establish standards that will have a trickle-down effect on smaller manufacturers. These are steps toward strong IoT security. As the consumers, businesses and governments wrestle with the ever-expanding number of ways IoT affects us, three things are clear:
- The security vulnerabilities in the IoT ecosystem are serious, and the consequences of ignoring them are growing.
- The sheer number of IoT devices means the number of end users affected by IoT hacks and disruptions is exploding at a remarkable pace.
- Governments and regulatory agencies will be under increasing pressure to address these issues in a more formal and broader fashion.
These three trends are converging, meaning IoT development will inevitably come with increased security scrutiny and expectations from every direction.
Focus on device security
Adequately addressing IoT device security means developers must plan for security during the design and production process. Right now, far too many serious vulnerabilities can be found across operating systems, microcontrollers and connectivity stacks. However, because so little attention has been directed to these issues, it's simply a matter of time before a major scandal emerges. To create and release devices that meet modern security challenges and map to expected future regulatory measures, developers must adopt a more defensive approach for all their projects.
Developers who want to get ahead of industry requirements and customer demand can follow these steps to basic security that can serve as a foundation for adding more security layers in the future.
Devices must be updateable
Sending devices out into production without consideration for how they will be updated presents a serious security risk. A few critical elements for any IoT device include:
- firmware validation on a device;
- secure delivery and unencrypted in transit;
- anti-rollback mechanisms;
- notifications of security changes due to updates; and
- signing firmware updates.
Do not share secrets
Vendors make a huge mistake with their fleet security if they don't rotate secrets or use a master secret, that is, deploying the same private key to the entire fleet. A determined attacker will eventually be able to extract secrets from your device. The compromise of one device should not lead to the compromise of all. Instead, vendors should deploy a set of encryption keys or other secrets per device, avoiding a master secret, and have a mechanism in place to rotate those secrets.
Keep third-party libraries current
Third-party code is unavoidable. It's usually bundled with the chips we use and offers critical functionality like connectivity or device cryptography. But it also introduces new risks into the system if developers aren't vigilant about visibility into these third-party additions. IoT device developers must understand what third-party code they depend on, what license it's offered under and the support provided by its author. When vendors provide updates, it is important to look at security fixes and adopt them in a timely manner. Ultimately, as most third-party code is provided as-is, engineers should also understand what the code does under the hood, so they're able to step in to fix bugs as they inevitably come up.
Consider new programming languages
C and C++ offer strong application performance but are often impacted by memory management bugs, including unhandled null pointers and problems with de-allocating unused memory. Programming languages like Rust are less prone to this class of defects. Rust's type-checking and borrow-checking in its compiler also allow developers to catch potential security issues earlier in the development process, eliminating hours of debugging and patching in production.
The impact of IoT is demonstrated every day, but any advancement in innovation must be in lockstep with modernized and thorough security. Demands for more standardized, regulated and common-sense security in connected devices are only going to rise. Treating device security as a late-stage add-on is no longer an option. With a few key considerations, developers can build the best and most secure products before the industry requires it.
About the author
François Baldassari is the founder and CEO of Memfault, the connected device observability platform provider. An embedded software engineer by trade, Baldassari's passion for tooling and automation in software engineering drove him to start Memfault. Previous to Memfault, François led the firmware team at Oculus and built the OS at Pebble. Baldassari has a B.S. in electrical engineering from Brown University.