Security Threats of the Past Persist in Today's IoT Devices

By Perry Cohen

Associate Editor

Embedded Computing Design

February 18, 2020

When it comes to IoT devices, a very particular question needs to be asked, “Are the security threats of today any different than they were 10, 20, or even 30 years ago?”

The most recent hack that will come to people’s minds is the attack on the Ring Doorbell. But this is a device that was created in 2012. Most wouldn’t think that even more commonly used devices, like a wireless computer mouse or keyboard, are considered IoT devices, but by definition they are.

Yossi Appleboum, the CEO and cofounder of Sepio Systems, a company dedicated to rogue device mitigation, believes that the root of many device security threats is directly related to the device's hardware.

“More and more people realize today that the state of their hardware is as bad as their state of their software 20 years ago,” the Sepio CEO said. “And while the industry did so much to protect ourselves against viruses, malwares, ransomware, and denial of service … we have so many measures against [those types of attacks].

“We have very little measures to protect our devices.”

The need to protect or defend hardware holds true for regular consumer products, like the aforementioned mouse, keyboard, and even Amazon Echoes. But the necessity extends far outside of the home.

“The global market should be treating these devices the same way they treat their software,” Appleboum explained. “They need kind of a firewall and kind of an endpoint security in order to prevent this potential of damaged hardware of generating damage to their infrastructure.”

Device Identity

How could it be possible to protect or defend IoT devices without an understanding of their identity?

Companies like GlobalSign rely on certification and identification to make for more secure devices. Lancen LaChance, the company’s head of IoT identity solutions, believes securing IoT devices is a challenge because of the influx of “new” technologies.

“When we look at the broader scope of IoT, the uniqueness and newness of IoT is the devices themselves,” LaChance said. “What we ended up having in IoT is a new set of technologies from the embedded side, and in the embedded development world, you're looking at new constraints on resources and processing power, capacity, bandwidth, all of those types of things that make embedded computing and connected embedded devices, different and unique.”

Still, even in the face of these challenges, Diane Vautier, GlobalSign’s IoT product marketing manager, acknowledges the need. “Every IoT device needs an identity, frankly,” she said. “Unsecured devices put the entire network and ecosystem at risk.”

Vautier points out that pioneering entities such as the State of California are recognizing the broader risk of unsecured device endpoints and are creating laws and regulations that state anyone providing connected devices to the government must have a certain level of security on them.

“What we have created is an IoT identity platform and that helps companies secure device identities to manage those identities throughout their entire life cycles,” she said.

GlobalSign’s IoT Identity Platform is a public key infrastructure-based (PKI-based) device identity management platform designed specifically for OEMs, system integrators, and end users. In addition to facilitating digital certificate and key exchanges for resource-constrained connected systems, the platform includes additional features like certificate revocation that help prevent compromised endpoints from attacking or being used to attack other parts of an IoT infrastructure, ecosystem, and so on.

“In a PKI environment, we have a number of different players or components and what our identity platform does is it combines all of those core components,” Vautier said. “We have trusted root hierarchies, which is where you get the digital certificates from as sort of a certificate authority.”

She continued, “We're able to accommodate a number of different types of certificates, all of them common to the IoT world. We're able to customize the profiles on those certificates for their specific use case.”

A large part of how identification adds security is the certificate revocation process. If there’s a loss of a key or a device theft, a certificate can be revoked, making it so a device can no longer access or communicate with other IoT devices and infrastructure.

This can be performed working off of a certificate revocation list (CRL) or a hosted Online Certificate Status Protocol (OCSP) service.
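The CRL path described above, as an added example that is not GlobalSign's code or API: a gateway accepts a device only if its certificate was signed by the CA and a CA-signed CRL does not list it. It assumes the Python `cryptography` package; the CA name, the device names and the scenario are constructed for illustration.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime.now(datetime.timezone.utc)
def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
CA_NAME = name("Constructed Device CA")  # hypothetical CA, not a real hierarchy

def issue(common_name, subject_key, ca_key, is_ca=False):
    """Issue a one-year certificate for subject_key, signed by ca_key."""
    return (x509.CertificateBuilder()
            .subject_name(name(common_name)).issuer_name(CA_NAME)
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(ca_key, hashes.SHA256()))

def build_crl(signing_key, revoked_certs):
    """Publish a CRL listing the serial numbers of revoked device certificates."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(CA_NAME)
               .last_update(NOW).next_update(NOW + datetime.timedelta(days=1)))
    for cert in revoked_certs:
        builder = builder.add_revoked_certificate(x509.RevokedCertificateBuilder()
            .serial_number(cert.serial_number).revocation_date(NOW).build())
    return builder.sign(signing_key, hashes.SHA256())

def device_allowed(device_cert, ca_cert, crl):
    """Fail closed: accept only a CA-signed cert that a CA-signed CRL does not list."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        return False  # CRL was not signed by the CA, so it proves nothing
    try:
        ca_cert.public_key().verify(device_cert.signature, device_cert.tbs_certificate_bytes,
                                    ec.ECDSA(device_cert.signature_hash_algorithm))
    except InvalidSignature:
        return False  # certificate was not issued by this CA
    return crl.get_revoked_certificate_by_serial_number(device_cert.serial_number) is None

def demo():
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_cert = issue("Constructed Device CA", ca_key, ca_key, is_ca=True)
    good = issue("sensor-001", ec.generate_private_key(ec.SECP256R1()), ca_key)
    stolen = issue("sensor-002", ec.generate_private_key(ec.SECP256R1()), ca_key)
    crl = build_crl(ca_key, [stolen])  # sensor-002 reported stolen and revoked
    bad_crl = build_crl(ec.generate_private_key(ec.SECP256R1()), [])  # not the CA's key
    return [device_allowed(c, ca_cert, l) for c, l in ((good, crl), (stolen, crl), (good, bad_crl))]
```

A production verifier would also reject a CRL that is past its next-update time and check the certificate's own validity period.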

The entire platform can help secure devices upon deployment, during programming, or during a device’s production. Even more important to note, security can go as far as being integrated at the chip level.

Industry Awareness

LaChance also touched on awareness and how we are informed, echoing Appleboum’s points.

He noted that we’re seeing more professionals in higher-up positions who lack information security experience. The problem is, many of these professionals are connecting devices that weren’t previously connected devices.

“Just by the fact that they don't have the skill set, they don't have the awareness potentially, so that's a big factor,” LaChance said. “Another factor is that the organizations aren't weighing the risk appropriately right now and weighing what the impact and magnitude of what a compromise is going to do.

“They're not necessarily weighing the cost or the investment into security appropriately. When this legislation starts really enforcing organizations, that's one mechanism that will make IoT security become a priority. A second, and this is where GlobalSign comes in with a lot of our technology partners, is to make it a native and natural part of the ecosystem or the tech stack that's going to be consumed.”

Currently, GlobalSign is working with IoT providers from the chip through the cloud to make IoT security “zero-touch.” GlobalSign has done extensive work with companies including Microsoft Azure in addition to IoT providers such as Infineon, Microchip, and Arrow Electronics. The collaborations focus on helping manufacturers produce products more securely.

When it comes to the security of IoT devices, knowledge is power. Appleboum disagrees with the notion that new problems arise; rather, older problems are at the forefront of security threats because of what we do today. He believes, in some instances, that 10-, 20-, even 30-year-old technologies are being exploited today because of weaknesses in modern infrastructure and lack of knowledge.

And as the Sepio CEO puts it, you can protect only what you know.

Perry Cohen, associate editor for Embedded Computing Design, is responsible for web content editing and creation, podcast production, and social media efforts. Perry has been published on both local and national news platforms including KTAR.com (Phoenix), ArizonaSports.com (Phoenix), AZFamily.com, Cronkite News, and MLB/MiLB among others. Perry received a BA in Journalism from the Walter Cronkite School of Journalism and Mass Communications at Arizona State University.
