Monday, November 06, 2017
One year after the Mirai malware hijacked more than 100,000 connected devices for its botnet and launched a denial of service attack that briefly blocked access to popular sites such as Netflix, PayPal, Amazon and Twitter, IoT device makers are just beginning to get smarter about securing the connected home.
Security concerns reach deeper into the home than just the Internet gateway or a home router. They now touch everything connected to that home network, from computers and remote servers all the way to appliances such as washing machines and refrigerators.
“Someone can still remotely start your oven or stove, or start all the washing machines in a neighborhood and take the power grid down,” says Asaf Ashkenazi, senior director of product management in Rambus’ Security Division. “The system can’t distinguish between a legitimate user and a botnet that’s trying to connect. This becomes a threat to the entire Internet infrastructure.”
Distributed denial of service attacks can use a variety of approaches and entry points. Mirai assembled an army of poorly secured devices into a botnet and pointed their combined traffic at its targets. Because such devices are numerous, always on and rarely patched, they can do that much damage, and that is also what makes them attractive recruits for attackers.
A Mirai bot scans large ranges of IP addresses for devices with Telnet or SSH ports open, according to an Intel Security report. Against each device it finds, it then tries a short dictionary of common factory-default usernames and passwords, and any device that accepts one joins the botnet.
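The scan-and-guess pattern described above leaves a recognisable trace on the victim side: a burst of failed logins from one source, cycling through vendor-default account names, often followed by one success. The following Go program, an added example that is not part of the article or the Intel Security report, runs that detection over login log lines. The syslog-like line format, the IP addresses, the daemon names and the short list of default account names are all constructed for the example; a real deployment would parse its own gateway's format and use a fuller default-credential list.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Constructed, syslog-like line format for this example (not any real daemon's output):
//   2017-11-06T10:00:01Z telnetd: login failed user=root src=198.51.100.23
var lineRe = regexp.MustCompile(`^(\S+) (telnetd|sshd): login (failed|ok) user=(\S+) src=(\S+)$`)

// Illustrative subset of factory-default account names a Mirai-style dictionary tries.
var defaultUsers = map[string]bool{
	"root": true, "admin": true, "support": true, "user": true,
	"guest": true, "888888": true, "666666": true, "ubnt": true,
}

// Alert describes one source that behaved like a credential-scanning bot.
type Alert struct {
	Src            string
	Failures       int      // failed logins inside the densest window
	DefaultTries   int      // how many of those used a known default account name
	Services       []string // daemons hit (sshd, telnetd)
	LoginSucceeded bool     // same source later logged in: treat the device as compromised
}

type attempt struct {
	at        time.Time
	user, svc string
}

// DetectCredentialScan returns one Alert per source whose failed logins inside
// any span of length window reach threshold. Unparsable lines are skipped, not fatal.
func DetectCredentialScan(lines []string, window time.Duration, threshold int) []Alert {
	failures := map[string][]attempt{}
	succeeded := map[string]bool{}
	for _, raw := range lines {
		m := lineRe.FindStringSubmatch(strings.TrimSpace(raw))
		if m == nil {
			continue
		}
		at, err := time.Parse(time.RFC3339, m[1])
		if err != nil {
			continue
		}
		src := m[5]
		if m[3] == "ok" {
			succeeded[src] = true
			continue
		}
		failures[src] = append(failures[src], attempt{at, m[4], m[2]})
	}
	var alerts []Alert
	for src, evs := range failures {
		sort.Slice(evs, func(i, j int) bool { return evs[i].at.Before(evs[j].at) })
		best, bestLo, lo := 0, 0, 0 // sliding window: find the densest burst
		for hi := range evs {
			for evs[hi].at.Sub(evs[lo].at) > window {
				lo++
			}
			if hi-lo+1 > best {
				best, bestLo = hi-lo+1, lo
			}
		}
		if best < threshold {
			continue
		}
		a := Alert{Src: src, Failures: best, LoginSucceeded: succeeded[src]}
		seen := map[string]bool{}
		for _, e := range evs[bestLo : bestLo+best] {
			if defaultUsers[e.user] {
				a.DefaultTries++
			}
			if !seen[e.svc] {
				seen[e.svc] = true
				a.Services = append(a.Services, e.svc)
			}
		}
		sort.Strings(a.Services)
		alerts = append(alerts, a)
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Src < alerts[j].Src })
	return alerts
}

// sampleLog is constructed: a bot-like burst from 198.51.100.23 ending in a
// successful root login, one slow legitimate typo from 203.0.113.5, and junk.
var sampleLog = []string{
	"2017-11-06T10:00:01Z telnetd: login failed user=root src=198.51.100.23",
	"2017-11-06T10:00:02Z telnetd: login failed user=admin src=198.51.100.23",
	"2017-11-06T10:00:03Z telnetd: login failed user=support src=198.51.100.23",
	"2017-11-06T10:00:04Z telnetd: login failed user=888888 src=198.51.100.23",
	"2017-11-06T10:00:05Z telnetd: login failed user=666666 src=198.51.100.23",
	"2017-11-06T10:00:06Z telnetd: login failed user=alice src=198.51.100.23",
	"2017-11-06T10:00:07Z sshd: login failed user=root src=198.51.100.23",
	"2017-11-06T10:00:08Z telnetd: login failed user=ubnt src=198.51.100.23",
	"2017-11-06T10:00:09Z telnetd: login ok user=root src=198.51.100.23",
	"2017-11-06T10:03:00Z sshd: login failed user=alice src=203.0.113.5",
	"2017-11-06T10:09:00Z sshd: login failed user=alice src=203.0.113.5",
	"<<< binary junk from a scanner >>>",
}

func main() {
	for _, a := range DetectCredentialScan(sampleLog, time.Minute, 5) {
		fmt.Printf("%s: %d failures, %d default accounts, %v, later logged in: %v\n",
			a.Src, a.Failures, a.DefaultTries, a.Services, a.LoginSucceeded)
	}
}
```

The threshold and window are deliberately loose (five failures inside a minute), because a Mirai bot tries roughly ten credentials and moves on; a human mistyping a password does not reach that rate. The LoginSucceeded flag is the important one: a default-credential burst followed by a success means the device should be treated as infected, not just probed.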
Despite the evidence and warnings about the dangers of unsecured smart home devices, “manufacturers have done next to nothing,” even when security steps are within reach, such as resetting default passwords, says Rhonda Dirvin, director of ecosystem marketing, embedded and automotive lines of business at Arm.
Why? There are several key reasons. First, the industry is moving so quickly that security has been an afterthought. Second, manufacturers look to keep costs down to entice consumers, and the common complaint is that security costs money but no one is willing to pay for it. And third, the chain of technology and connectivity involved in IoT makes security complicated.
“The industry is starting to get educated about the need for [better security],” Dirvin says. “Now they ask more questions about it and are willing to spend more time and effort,” but not always money.
Manufacturers of smart home devices typically haven’t had to think about security in the same way as a medical device maker or a manufacturer of industrial automation.
“It’s a whole new area for them, so they’re rushing to build connectivity and incorporate these devices into a broader IoT strategy,” says Warren Kurisu, director of product management in the embedded systems division at Mentor, a Siemens business. “The security, from a software perspective, is something they’re just now starting to realize that they need to do.”
This is especially true in the wake of the Mirai attack, and the exposed surface keeps growing: Gartner expects the number of connected devices to reach 20.4 billion by 2020.
Using what’s there
So what can OEMs do now to bolster security? For one thing, they can turn on existing features that already are embedded in chips, says Dean Freeman, research vice president in Gartner’s IoT Center of Excellence. In addition to standard AES-128 encryption already in most chips, “most silicon has protected execution mode, a dedicated package security processor, encryption engines, random number generators, hash generators, and more,” Freeman says. “The question is, ‘Does the device manufacturer that buys the chip turn them on?’ For many device makers, it’s a question of time, money and understanding.”
This isn’t a new problem in the chip world. For years, chipmakers offered low-power features for cell phones that manufacturers ignored because they didn’t know how to write software that could leverage those features, or because they didn’t think they could get an adequate return on investment. Similarly, early IoT device manufacturers didn’t imagine the levels of security that might be needed to protect a device, and they basically ignored what was available in chips. But as awareness of both the problem and the solutions grows, manufacturers could easily add security, says Freeman.
A good starting point is default passwords for home devices, which are easily found on a manufacturer’s website. Those need to be changed, and instructions for creating unique passwords must be communicated to device users, Freeman says.
Making security easier
Processor vendors are working to make security features easier for manufacturers to implement, as well. Arm, for instance, now offers easier encryption on its M Class processors, used in home devices with display pads such as Nest thermostats. It also added a feature that partitions system memory into a trusted area where sensitive data, such as keys and trusted boot code, can be kept out of reach of malware.
For embedded software makers like Mentor, it’s about creating a hardware-based root of trust, and then using cryptographic principles, keys, and certificates to make sure that any software loaded onto the device is authenticated to a publisher and verified not to have been modified in any way, Kurisu says. “Once you can build a hardware-based root of trust, and build that complete software chain of trust, then you have some level of confidence that your system is secure.”
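The first link in the chain of trust Kurisu describes is a bootloader that refuses to run an image it cannot tie back to the publisher's key. The Go program below is an added example, not Mentor's or any vendor's code, showing both ends of that link: the publisher signs an image, and the bootloader checks the signature against a public key that stands in for one anchored in ROM or OTP. The image layout (magic, version, length, payload, Ed25519 signature over a SHA-256 digest), the anti-rollback version counter and the 1 MiB size cap are all assumptions made for the example; the anti-rollback check goes a step beyond the article's text, which only covers authenticity and integrity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image format for this example (not any vendor's real layout):
//   header:  magic "FWIM" (4) | version uint32 BE (4) | payload length uint32 BE (4)
//   payload: the firmware bytes
//   trailer: 64-byte Ed25519 signature over SHA-256(header || payload)
const (
	magic      = "FWIM"
	headerLen  = 12
	sigLen     = ed25519.SignatureSize
	maxPayload = 1 << 20 // cap so a hostile length field cannot drive reads past the image
)

var (
	ErrFormat    = errors.New("firmware: malformed image")
	ErrSignature = errors.New("firmware: signature does not verify against root-of-trust key")
	ErrRollback  = errors.New("firmware: version older than anti-rollback minimum")
)

// SignImage is the publisher-side step, run in the vendor's build system where
// the private key lives. The device never holds this key.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, headerLen)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], version)
	binary.BigEndian.PutUint32(hdr[8:], uint32(len(payload)))
	img := make([]byte, 0, headerLen+len(payload)+sigLen)
	img = append(img, hdr...)
	img = append(img, payload...)
	digest := sha256.Sum256(img)
	return append(img, ed25519.Sign(priv, digest[:])...)
}

// VerifyImage is the bootloader-side step. rotPub stands in for the public key
// burned into ROM or OTP; minVersion stands in for a monotonic counter the
// bootloader keeps so that an old, vulnerable but validly signed image is refused.
func VerifyImage(rotPub ed25519.PublicKey, minVersion uint32, img []byte) ([]byte, uint32, error) {
	if len(img) < headerLen+sigLen || string(img[:4]) != magic {
		return nil, 0, ErrFormat
	}
	version := binary.BigEndian.Uint32(img[4:8])
	n := binary.BigEndian.Uint32(img[8:12])
	if n > maxPayload || int(n) != len(img)-headerLen-sigLen {
		return nil, 0, ErrFormat
	}
	signed := img[:headerLen+int(n)]
	sig := img[headerLen+int(n):]
	digest := sha256.Sum256(signed)
	// Authenticate before trusting any header field: the version check only
	// means something once we know the header came from the publisher.
	if !ed25519.Verify(rotPub, digest[:], sig) {
		return nil, 0, ErrSignature
	}
	if version < minVersion {
		return nil, 0, ErrRollback
	}
	return signed[headerLen:], version, nil
}

func main() {
	// Factory provisioning: pub goes into the device's OTP, priv stays with the publisher.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	img := SignImage(priv, 3, []byte("constructed firmware payload"))
	if _, v, err := VerifyImage(pub, 2, img); err == nil {
		fmt.Println("boot: image accepted, version", v)
	}
	tampered := append([]byte(nil), img...)
	tampered[headerLen] ^= 0x01 // flip one bit of the payload
	_, _, err := VerifyImage(pub, 2, tampered)
	fmt.Println("boot (tampered image):", err)
}
```

The order of checks matters: format and length bounds first, so a malformed image cannot trip up the parser; then the signature, so nothing in the header is believed before it is authenticated; and only then the version counter. Each stage that passes (bootloader, OS, application) repeats the same pattern against the next image, which is what turns the hardware root into a complete chain of trust.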
The connectivity conundrum
But home networks are comprised of more than one system. “As home appliances become even more connected, it’s no trivial matter to connect devices securely to software that knows how to provision the device and how to connect to a cloud service,” Ashkenazi says. “If I encrypt, (for instance), how does it connect now with AWS (Amazon Web Services) for IoT? It’s not that easy to do. Neither is connecting it to the platform in the cloud in a way that is not disruptive to the application that is running. [Device manufacturers] are looking for something that does not slow them down.”
Ashkenazi believes that the responsibility for security shouldn’t rest solely on device manufacturers. “You need to look at it from their side. They can’t break their financial model because they need to put in security,” he says. “It’s easy to say, but they will not be able to sustain their business. It’s a responsibility that we need to share” among all IoT components, including cloud providers and ISPs.
Still, how to solve this problem isn’t obvious. “We know that security is a good thing, but people don’t know what they should do,” says Richard Hayton, CTO of Trustonic. “And in an ecosystem that’s very complicated, how do you know the other guys are doing the right thing? People know what a product should be, but security is not what they’re selling that product for. It’s something they ought to be doing as a matter of course, but no one is holding them accountable. And because they’re developing secret IP, how do you even know what they’re doing?”
This isn’t confined to the home, either. Even in corporate IT, where companies are willing to pay handsomely for security, products are often developed in pieces. When they are put together, not everything is as secure as the developer of each component expects it to be.
“A good example is a TLS (Transport Layer Security) stack,” says Mark Schaeffer, senior product marketing manager for security solutions at Renesas. “You have a vendor that says they have a TLS stack, but the provisioning of the keys and the storage of the keys is out of reach of what that vendor is responsible for. And most people don’t understand that.”
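Schaeffer's point is a division of responsibility: the TLS stack authenticates with whatever private key it is handed, and whether that key sits in plain flash or in a secure element is the integrator's problem. The Go program below is an added example, not Renesas's or any vendor's code, showing the integration that keeps the key out of firmware memory. Go's crypto/tls accepts any crypto.Signer as the certificate's private key, so the stack never sees key bytes and only asks the signer for a signature during the handshake. The SecureElement type, the device name and the in-memory connection are stand-ins constructed for the example; a real device would forward Sign to a chip or TrustZone service and hold a certificate issued by the manufacturer's CA rather than a self-signed one.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// SecureElement stands in for a hardware key store (secure element, TPM, TrustZone
// key service). It satisfies crypto.Signer, which is all crypto/tls requires, so
// the private key never has to be exported into firmware memory. Here the key is
// an ordinary Go value; in real hardware it would be non-exportable.
type SecureElement struct {
	priv  *ecdsa.PrivateKey
	Signs int // number of signatures the "chip" has performed
}

func (s *SecureElement) Public() crypto.PublicKey { return &s.priv.PublicKey }

func (s *SecureElement) Sign(r io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	s.Signs++
	return ecdsa.SignASN1(r, s.priv, digest)
}

// ProvisionDevice mimics factory provisioning: the key pair is generated inside
// the element and a certificate is issued for its public key (self-signed here
// so the example runs offline; a factory would use the manufacturer CA).
func ProvisionDevice(name string) (*SecureElement, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	se := &SecureElement{priv: priv}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, se.Public(), se)
	return se, der, err
}

// Handshake runs a TLS 1.3 session entirely in memory: the device serves using the
// secure-element signer, the client trusts the provisioned certificate and pins the
// device name. It returns the first application message the device received.
func Handshake(se *SecureElement, certDER []byte, name, msg string) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	serverCfg := &tls.Config{
		// PrivateKey is the Signer, not key material: the stack asks the element
		// to sign CertificateVerify and never sees the private key.
		Certificates:           []tls.Certificate{{Certificate: [][]byte{certDER}, PrivateKey: se}},
		MinVersion:             tls.VersionTLS13,
		SessionTicketsDisabled: true, // keeps the synchronous in-memory pipe strictly alternating
	}
	clientCfg := &tls.Config{RootCAs: roots, ServerName: name, MinVersion: tls.VersionTLS13}

	devConn, cloudConn := net.Pipe()
	defer devConn.Close()
	defer cloudConn.Close()
	type result struct {
		msg string
		err error
	}
	done := make(chan result, 1)
	go func() {
		srv := tls.Server(devConn, serverCfg)
		if err := srv.Handshake(); err != nil {
			done <- result{err: err}
			return
		}
		buf := make([]byte, 256)
		n, err := srv.Read(buf)
		done <- result{msg: string(buf[:n]), err: err}
	}()
	cli := tls.Client(cloudConn, clientCfg)
	if err := cli.Handshake(); err != nil {
		return "", err
	}
	if _, err := cli.Write([]byte(msg)); err != nil {
		return "", err
	}
	r := <-done
	return r.msg, r.err
}

func main() {
	se, der, err := ProvisionDevice("device-0001.example")
	if err != nil {
		panic(err)
	}
	got, err := Handshake(se, der, "device-0001.example", "telemetry: door=closed")
	fmt.Printf("device received %q, err=%v, element signatures=%d\n", got, err, se.Signs)
}
```

The element signs exactly twice in the happy path: once when the certificate is issued at provisioning and once for CertificateVerify in the handshake. Everything else the TLS stack does (key exchange, record encryption, certificate verification on the client) needs no access to the long-term key, which is why the storage question can be settled outside the stack and why, as Schaeffer notes, a TLS vendor cannot be blamed when an integrator leaves that key in plain flash.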
Savings vs. security
Still, there are some common attributes that secure devices need.
“The ideal [smart device] would have secure silicon, secure communication on devices, secure network where data is transferred to the cloud, and a secure cloud,” Freeman says. “Each one of those steps costs a couple of pennies, which costs the consumer.”
Device makers, however sensitive to consumer spending, may have no choice but to add security features to protect their brand. “There’s a growing recognition of the fact that they have to do it,” Dirvin says. On the bright side, smart home device makers may be able to take advantage of less-expensive security measures because the risks and payoff for threat actors are lower than for other device hacks. “If it’s not easy, it may not be lucrative for people trying to do something bad, so they’re not going to spend a lot of time and energy on it,” she adds.
In many cases, encryption, new passwords and partitioning could provide sufficient security, Dirvin says.
Kurisu believes that smart home device makers are finally getting the message about the importance of security. “But it will take a couple generations of these smart, connected appliances coming to market,” he says, before we see the benefits of the security measures they’re installing now.
Until then, the number of threats continues to rise, and connected home devices are now firmly represented in the threat map.
Copyright © 2017 CST, Inc. All Rights Reserved