How to Respond When Hackers Move Faster Than You
October 22, 2021
Most security discussions today are focused on either device application software, or the network systems connect to. But there’s a whole world of sensitive data that can be accessed from beneath those entry points: in the device hardware.
Indeed, Bob Blumenscheid, Senior Product Manager, Digi believes that "data security is not possible without hardware security."
This is especially the case for embedded edge devices that aren’t physically separated from would-be attackers. They are essentially "open" for manipulation, as hackers can easily compromise these systems if, for example, debug ports aren’t blown during manufacturing and other security features of modern hardware aren’t utilized.
"It is critical for the engineering team developing a connected device to use the tools included in the hardware components they are using, and to design their products with a goal to protect them from illicit access,” Blumenscheid says.
But what exactly are those tools? And once you identify them, where do you start?
As a baseline, Blumensheid suggests pulling the following strings to secure your connected products:
- Password-protect any device ports that could provide access to internal firmware
- Enable encryption features in memory regions where firmware, applications, and customer data are stored
- Implement hardware features to detect, log, and report tamper requests
- Use available hardware features to verify the authenticity of firmware updates before they are applied
- Continuously monitor deployed devices in an effort to detect and stop breaches before they lead to disastrous results
When Hackers Move Faster Than You
An inconvenient truth of IoT security is that “100% secure” is impossible. Therefore, all connected systems must undergo security analyses that examine the environment in which devices could be deployed, ways a hacker could conceivably gain access to them, and hardware and software security features that protect these vectors.
Because hackers are already working on ways to exploit new system designs, a critical part of this ongoing analysis is to constantly “monitor emerging security threats and vulnerabilities that are identified," Blumenscheid says. A good place to begin is by referencing the US Computer Emergency Readiness Team’s (US CERT’s) Common Vulnerabilities and Exposures (CVEs) database, which is updated with a list of the top routinely exploited vulnerabilities.
By doing so you can easily access fixes and updates to exploits in commonly used development tools and infrastructure. And soon, it may not be an option. Blumenscheid notes that North American and European governments are already moving towards – and in some cases, passing – legislation “that describe security requirements for new connected devices.” He cites the California IoT Devices' Security Law as an example.
Blumenscheid urges companies to start implementing security processes like this now to be ready for when such legislation becomes a requirement to ship new connected products. And as a way to stay ahead of hackers who are already moving faster than you.
To learn more about security best practices for IoT devices, attend Blumenscheid's session at the 2021 IoT Device Security Conference, “Three Key Focus Areas for IoT Security” on November 9th. Registration is free.