In early January, the FTC sued D-Link, a manufacturer of home wireless routers and webcams, for failing to adequately secure its devices, which led to several hundred thousand devices being compromised by cyberattacks. One of these botnet attacks resulted in a major DDoS attack on the internet service provider DYN and took down thousands of websites, costing businesses millions of dollars in a single afternoon.
This lawsuit has brought to light several important issues related to the Internet of Things and our ever-increasingly connected world. For starters, with more than 25 billion devices expected to be connected within the next three to five years, the potential attack surface for cybercriminals is growing exponentially. While hackers may not be interested in controlling, say, your household lighting, they are interested in the access that a connected device can provide to higher value targets, like your financial or health data. Not to mention, connected devices, as we saw in the case of D-Link devices, can serve as a conduit for botnets that will attack other targets. The average consumer is unlikely to realize that their home router or security camera is being used in such a way, making them an ideal tool for the bad guys.
Another issue that the D-Link lawsuit has brought to the forefront is the fact that until recently, IoT security has, for the most part, been left up to consumers. While connected devices can be secured at least in some part via passwords and other protocols, many users simply don’t take the steps necessary to adequately protect their devices. In a majority of cases, they don’t even know how to secure their devices. One of the motivating factors for the FTC case, then, is to put more responsibility for security back on to device manufacturers.
With that in mind, embedded security for IoT devices is becoming a bigger priority for device engineers. While there are some challenges in this pursuit, there are also some innovations taking shape that will improve the overall security of the IoT.
What Is Embedded Security?
The idea of embedded operating systems is not a new one. For years, we have had devices that contain microprocessors to carry out specific functions. Because, for the most part, these devices were not connected to the internet, security wasn’t a major concern. The simple fact that devices were standalone – and the obscurity of the operating system itself — made them relatively secure.
Introducing a connection to the internet, though, removes some of that inherent security. Embedded security, then, is the overall term for protecting the software, hardware, and hardware systems in these devices. Essentially, since every point of communication is a potential path for hackers, engineers must consider the entire device and identify all of the attack surfaces in order to keep it secure.
Challenges to Embedded Security
Effective embedded security requires implementing both traditional IT defenses as well as addressing the physical security of the device itself. For example, within the realm of IT, designers must consider:
- The use of firewalls
- Password management
- Protections against malware
- Firmware and software updates, how and when updates will be released and communicated
- Application segmentation
- Encryption and key management
However, in addition to these technical issues, designers must also consider the physical security aspects of the device. For example, could a hacker potentially physically tamper with the device to access sensitive information or reverse engineer the device to spoof or clone a legitimate device? What about key authentication? By using cryptoauthentication, it’s possible to hardware-protect encryption keys, ensuring that hackers do not gain access to sensitive information.
Effectively securing IoT devices requires designers to conduct a thorough threat analysis to determine all of the possible attack points, and then implement security measures to protect against them. Keep in mind that not all hackers are engaged in crimes of opportunity, just trying to attack anything to see what they can accomplish.
It’s very possible that hackers could be engaged in high-level acts of espionage designed to steal intellectual property — or they are simply using an IoT device as a conduit to a larger payoff. Because any scenario is possible, embedded security is no longer a “nice to have,” but is now a “must have.” Relying solely on users to protect their devices is not only dangerous, but potentially costly to your business.