IoT Security: Why We Need to Develop Secure IoT Devices

Internet of Things (IoT) devices represent a wide variety of non-traditional, internet connected devices such as medical devices, cars, drones, simple sensors, and more. These devices often pose a security challenge due to their limited size and the inability to secure them with traditional security controls and methodologies.

Security professionals are often faced with the daunting task of providing a business case for expending funds to secure IoT products and systems. Providing a sufficient budget for IoT secure product engineering:

• Reduces the likelihood that an IoT product will be counterfeited
• Limits the ability of attackers to compromise your customers’ privacy
• May limit liability in the case of a compromised device
• May limit the ability for an attacker to cause damage or harm
• Reduces the likelihood of reputational damage

In the case of a compromised IoT product, the impact to the business is never positive. At a minimum, customers will hesitate to purchase the product based on knowledge that it leaves their systems or homes vulnerable. At worst, a compromised IoT product will invite legal action or cause physical damage or harm. Below, we further expand on some of the high level reasons IoT security is needed.

Compromised Privacy

Many IoT products used within the home, including wearable products, have been compromised. VTech, the manufacturer of high-tech educational toys for children, announced that it suffered a security breach in December 2015, exposing the personal data of 12 million people. Interestingly, the devices themselves were not compromised, but the online services that the devices connected with were not sufficiently secured. IoT devices do not operate in a vacuum, they are a part of a much larger ecosystem that must also be secured sufficiently.

What to Do:

• Encrypt all account registration using TLS.
• Implement software assurance techniques within your development team.
• Thoroughly review protocol specifications for security/privacy updates.

DDoS Attacks

The substantial quantities associated with IoT products makes them very useful to those wishing to perform a DDoS attack. Additionally, compromising IoT products for use in botnets does not have to be as complex as identifying an unpatched vulnerability and exploiting that vulnerability. Some IoT products ship with no password protections or use default passwords for local access.

What to Do:

• Implement software assurance techniques within your development team.
• Never ship IoT products without password protections.
• Do not share default passwords across a class of devices without requiring immediate password updates on first use.

Medical Devices are Especially Vulnerable

Concerns related to the security of connected medical devices are nothing new and have been around even prior to the popularity of IoT. In 2008, researcher Daniel Halperin and colleagues published the document “Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and ZeroPower Defenses.” This document discussed wirelessly reprogrammable implantable medical devices (IMDs) that include pacemakers, cardioverter defibrillators, and implantable drug pumps. Vulnerabilities affecting pacemakers, drug pumps, and other medical devices are extremely dangerous and could result in life-threatening injuries or death.

What to Do:

• Implement software assurance techniques within your development team
• Authenticate access to all ports.
• Encrypt keys that are stored on devices.

Critical National Infrastructure

From a standpoint of interconnected smart cities or smart factories, we see that a connected smart grid of vulnerable things can have a direct effect on the functioning of a modern society. If we think of a typical Industrial Control System (ICS), we see that there are many areas of concern, including the connection of systems that were never designed to connect to the internet, the use of legacy protocols that have no security mechanisms built-in, and the fact that a cyber-physical system (CPS) can cause harm and damage if compromised.

What to Do:

• Begin a move toward upgrading legacy protocols to more secure choices.
• Incorporate safety engineering into IoT/ CPS product designs.
• Implement secure interface connectivity within your IoT products.

Next, learn some of the challenges security engineers face when dealing with IoT devices in Part 2 of this blog.

To learn more about IoT security, check out CSA’s IoT research publications.