Check these boxes before deploying IoT devices

By Brandon Lewis


Embedded Computing Design

August 10, 2016

There was a time when isolation helped ensure IT system security. Mainframes lived in glass rooms accessible to a few carefully screened attendants. If there was any kind of network, it existed within the building and provided wired connectivity for a flock of dumb terminals.

The big change came with the arrival of the Internet. Suddenly, the network covered the planet, and the same web that provided 24/7 access for remote offices, customers, partners, and friends replaced once-secure physical walls with loose affiliations open to any interested party that cared to visit. It made security a critical issue and spawned an entire industry.

With the advent of embedded technology, intelligence continued migrating from fortified data centers to millions of devices, each with its own functions and place on the web. This spread presented a target-rich environment for bad actors around the world. These weren’t just criminals, though there are plenty of those; they consisted of anyone from state actors and terrorists to curious individuals simply looking for a challenge or a place to play. Whoever they may be, these individuals could maliciously or even unintentionally alter, steal, or otherwise tamper with content.

With Internet of Things (IoT) nodes showing up in home appliances, medical devices, kiosks, vehicles, buildings, utilities, and other sorts of infrastructure, the number of IoT devices will be huge. They’ll be sensors that collect, store, and transmit data, and they’ll be components of a smart grid. They’ll send anything from occasional alerts to large streams of real-time data and will link vast arrays of unattended devices into networks. They’ll differ in size and capabilities, but the one thing they will all have in common is connectivity. And in reality, if it’s connected, it’s vulnerable. The big question today is, how do we protect the growing number of small, relatively inexpensive, autonomous devices that make up the IoT?

The challenges

Embedded devices in IoT applications face assault from many directions and in many forms. Being connected devices, they can be reached via wired or wireless connections. And they can still be attacked “the old-fashioned way” by direct physical access, which is a greater problem than ever because there are so many of them in so many places and because they usually operate unattended.

Before deploying an IoT device, consider these issues first:

  • Systems on the IoT must be able to trust their remote devices, recognize that those devices are legitimate, trust that any access to the device has been by legitimate users, and trust that although users may be able to put data/images on the device, they haven’t tinkered with the device’s manufacturer code.
  • Systems receiving IoT data can be fooled by a device that pretends to be authorized, but is actually controlled by a hacker sending malicious or altered code. To do this, the hacker would only have to go to a manufacturer’s website, download a copy of firmware, upload it to a device he or she controlled, and send spurious data from what appeared to be an authorized device.
  • Like ants at a picnic, hackers are always looking for new ways to attack legitimate systems. Systems, in turn, require regular updates to patch chinks in their armor. Updating a single system can be easy, but with large numbers of scattered IoT devices, keeping up can be daunting. The risk is that systems either fall behind on critical updates or require large amounts of support time to stay up-to-date.
  • IoT devices often store data, which is typically protected by a key. In many cases, a hacker who gains access to the device can also, with a little added effort, find the key needed to decrypt the stored data.
  • With devices spread across the globe, often in remote locations, a hacker can actually physically break into a device, plugging in to gain access through the JTAG hardware engineering port, through serial ports for admin, through network ports, or through an Ethernet port. It’s a little more work for the hacker—typically not an option for an amateur hacker—but the damage can be just as great. Systems can currently provide users with keys to securely access ports, but this typically must be done on a labor-intensive, user-by-user basis.
  • Because most IoT devices will be made as small and inexpensive as possible, there’s security functionality that just won’t fit on a device’s main processor and, over time, security demands will continue to grow. Systems need a road map defining where increased security capabilities will reside in the foreseeable future.

The checklist

  • To ensure that only legitimate users access the device, the system should authenticate every time it starts up or is accessed. This is done via a manufacturer-supplied certificate that customers must present when accessing the device and to which hackers won’t have access.
  • To prevent hackers from creating counterfeit devices to send their own version of data to the system, every legitimate device must have its own unique digital signature. This isn’t available in downloadable firmware and can’t be faked, so only data from genuine devices will be accepted.
  • To prevent falling behind on firmware updates or placing an unnecessary burden on users, a system should regularly initiate a check for updates and, if any are found, automatically download them so that the device is as thoroughly protected as possible.
  • To keep hackers from accessing stored data, the system must put the decryption key in a secured lockbox. This is a second level of security beyond simply requiring a key to access stored data. In many cases, keys can be easily found by anyone who can access the data itself, which is like locking your door and hiding the key under the mat. Second-level protection is like the lockbox a real estate agent hangs on a property’s front door; the lockbox requires a code of its own to access the door key.
  • To protect against hackers who can physically access the device, a system should challenge anyone who attempts access through any of its physical ports. This can be achieved through the same authentication process used with access over a network.
  • IoT technology is still in its early stages and will almost certainly face greater security challenges than it does today. To maintain the highest level of security and long life without overburdening devices’ main processors, systems will begin to incorporate hardened co-processors dedicated to security functions. And since IoT devices are, by definition, connected, additional security features will have to be provided over, and resident in, the cloud. In short, today’s best security won’t be sufficient tomorrow, and you’ll need capacity to accommodate new and better protection.
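
The per-device identity item in the checklist, sketched as an added example (not code from the article or from Digi): a backend accepts data only when it is authenticated with a key unique to one enrolled device, so a copy of the public firmware alone is not enough to send accepted data. HMAC-SHA256 with a per-device secret stands in for the digital signature the checklist describes, and the names Device, Backend and sensor-17 are hypothetical.

```python
import hashlib
import hmac
import json
import secrets

class Device:
    """Node whose key is provisioned at manufacture, not shipped in firmware."""
    def __init__(self, device_id, key):
        self.device_id, self._key, self._counter = device_id, key, 0

    def report(self, reading):
        # A rising counter makes every message unique, so captures cannot be replayed.
        self._counter += 1
        body = json.dumps({"id": self.device_id, "n": self._counter,
                           "reading": reading}, sort_keys=True).encode()
        return body, hmac.new(self._key, body, hashlib.sha256).digest()

class Backend:
    """System receiving IoT data; keeps one key per enrolled device."""
    def __init__(self):
        self._keys, self._last = {}, {}

    def enroll(self, device_id):
        key = secrets.token_bytes(32)          # unique per device
        self._keys[device_id], self._last[device_id] = key, 0
        return key                             # injected into the device at the factory

    def accept(self, body, tag):
        try:
            msg = json.loads(body)
            device_id, counter = msg["id"], msg["n"]
        except (ValueError, KeyError, TypeError):
            return False
        if not isinstance(device_id, str) or not isinstance(counter, int):
            return False
        key = self._keys.get(device_id)
        if key is None:
            return False                       # never enrolled
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False                       # wrong key or altered body
        if counter <= self._last[device_id]:
            return False                       # replay of an earlier message
        self._last[device_id] = counter
        return True

if __name__ == "__main__":
    backend = Backend()
    genuine = Device("sensor-17", backend.enroll("sensor-17"))   # constructed id
    clone = Device("sensor-17", secrets.token_bytes(32))        # same id, no factory key
    print(backend.accept(*genuine.report(21.5)), backend.accept(*clone.report(21.5)))
```

With a true asymmetric signature the backend would hold only public keys, which removes the backend key store as a place to steal device secrets.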

The bottom line

Unfortunately, perfect security doesn’t exist. Witness recent break-ins at well-protected government and corporate sites and the FBI’s highly publicized hacking of an iPhone. The goal isn’t to make interference impossible, but rather to make it difficult. IoT systems and devices may be tempting for hackers, but they aren’t Fort Knox or the Bank of England’s vault, and successful security may simply entail using the toughest available protection and counting on rational hackers to look elsewhere for a softer target.

Donald Schleede is the information security officer at Digi International, a Minnesota-based manufacturer of embedded systems, routers, gateways, and other communications devices for machine-to-machine systems.

Brandon is responsible for guiding content strategy, editorial direction, and community engagement across the Embedded Computing Design ecosystem. A 10-year veteran of the electronics media industry, he enjoys covering topics ranging from development kits to cybersecurity and tech business models. Brandon received a BA in English Literature from Arizona State University, where he graduated cum laude. He can be reached at [email protected].
