Security for the ‘Internet of Things’ (Video) posting on Slashdot provides one view of Internet of Things security. What happens when your oven is on the Internet? A malicious hacker might be able to get it so hot that it could start a fire. Or a prankster might set off your alarm in the middle of the night. A hacker can use your wireless security camera to get into your home network. Watch the video at the Security for the ‘Internet of Things’ (Video) page (or read the transcript) to get an idea of what can happen and how to protect against it. Remember: There’s always going to be things that are going to break. There’s always going to be.
Mark: “So I think a lot of the system on chips that we’re seeing that are actually going in Internet of Things devices, a lot of companies are coming up, take an Arduino or Raspberry Pi, very cool chipsets, very easy to deploy and build on. We’re seeing smaller and smaller scales of those, which actually enable engineers to put those into small little shells. We are obviously kind of at this early part of 3D printing. So your ability to manufacture an entire device with a couple of bucks is becoming a reality and obviously if you have a really niche product that might be really popular on Kickstarter, you could actually deploy tens of thousands of those with a successful crowd-funding campaign and never really know about the actual security of that product before it goes to market.”
484 Comments
Tomi Engdahl says:
Zombie-proof your IoT design
http://www.edn.com/electronics-blogs/eye-on-iot-/4442673/Zombie-proof-your-IoT-design?_mc=NL_EDN_EDT_EDN_weekly_20160915&cid=NL_EDN_EDT_EDN_weekly_20160915&elqTrackId=1ad8590d662b4778b5fb8196bee33184&elq=75898752bddb4b0e88cabca45300ae80&elqaid=33894&elqat=1&elqCampaignId=29626
When asked about security features, many IoT device developers still express reluctance to implement protections. “There’s nothing hackers would want from this device,” many rationalize. But without cyber-security, your device risks being forced to join a zombie army known as a botnet.
While an individual device may not be particularly interesting to an abuser (aka, a bot-herder), an army of them can be very useful. Two of the most common uses for a botnet are distributed denial-of-service (DDoS) attacks and dissemination of spam emails.
A recent survey reported in Dark Reading found a botnet based on the BASHLITE malware family with more than one million zombies, 96% of which were IoT devices.
Without increases in security for next-generation IoT designs, such zombie armies can only be expected to grow.
The problem, as many developers exclaim, is that “Security’s too expensive!” It’s true that many of the traditional security processes and algorithms require many more compute resources than small IoT devices can provide. Further, these processes and algorithms don’t scale down effectively to match resource constraints. But if adding security into a design seems expensive, consider the cost of not having it.
Companies have already had their products tank and their reputations shredded, and sometimes been forced into million-dollar recalls, because their IoT designs had eschewed security.
Tomi Engdahl says:
Secure chip works with Amazon Web Services
http://www.edn.com/electronics-products/other/4442548/Secure-chip-works-with-Amazon-Web-Services?_mc=NL_EDN_EDT_EDN_consumerelectronics_20160914&cid=NL_EDN_EDT_EDN_consumerelectronics_20160914&elqTrackId=56085335422940c78d1cc39ea3dccbf6&elq=e47f2e9c0d4346b9b11a570b20ee8a61&elqaid=33853&elqat=1&elqCampaignId=29588
Jointly developed with Amazon Web Services (AWS), the Microchip AWS Zero Touch Secure Provisioning Kit helps designers develop IoT devices that comply with new AWS security regulations. These regulations state that a device must use mutual authentication with a remote server to be authorized on the AWS cloud.
The AT88CKECC-AWS-XSTK kit costs $249 each. Prices for the ECC508 IC start at $0.60 each in lots of 10,000 units.
AWS Zero Touch Secure Provisioning Platform
http://www.atmel.com/applications/IOT/aws-zero-touch-secure-provisioning-platform/default.aspx
All cloud-connected devices need a unique and protected identity that can be securely authenticated. There are two main challenges to achieving this goal: providing a secure authentication method and managing the private keys in a large-scale production environment. The AWS-ECC508 meets these challenges by complying with AWS IoT just-in-time registration. While one-way authentication has commonly been used to secure systems, AWS IoT now offers mutual authentication between devices and the remote server. The AWS-ECC508 is an easy, flexible and cost-effective solution for adding this new, mutual authentication process to your device design. Simply solder the tamper-resistant AWS-ECC508 on your board and connect it to the host microcontroller (MCU) over I2C. The AWS-ECC508 is preconfigured to be automatically recognized by the AWS IoT service. All information is contained in a small, easy-to-deploy crypto companion device that is agnostic to surrounding hardware. This solution has been fully evaluated by AWS to comply with all of its security requirements.
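What “mutual authentication between devices and the remote server” means at the protocol level, as an added example in Go (this is not code from Microchip, AWS or the blog): the broker refuses any device that cannot present a certificate chained to the device CA, and the device verifies the broker in turn, so neither side trusts the other one-way. The CA, broker and device names, the loopback listener and the in-memory device key are assumptions made for the example; on real hardware the device key is generated inside the secure element and never leaves it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

var serial int64 // distinct serial number for every certificate issued below

// issue creates an X.509 certificate for pub. With parent == nil the result is
// self-signed (the CA itself); otherwise it is an end-entity certificate signed
// by signer. ECDSA P-256 is used because that is the curve an ECC508-class
// secure element signs with.
func issue(cn string, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              []string{"localhost"},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// configs builds the broker (server) and device (client) TLS configurations.
// The broker demands a client certificate chained to the device CA; that is
// what mutual authentication means on the wire. A device that was never
// provisioned gets a config with no certificate at all.
func configs(withDeviceCert bool) (broker, device *tls.Config, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caCert, err := issue("Device CA", true, &caKey.PublicKey, nil, caKey)
	if err != nil {
		return nil, nil, err
	}
	brokerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	brokerCert, err := issue("broker", false, &brokerKey.PublicKey, caCert, caKey)
	if err != nil {
		return nil, nil, err
	}
	// Stand-in for the per-device key that lives inside the secure element on
	// real hardware; here it is in memory so the example runs anywhere.
	devKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	devCert, err := issue("device-0001", false, &devKey.PublicKey, caCert, caKey)
	if err != nil {
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert)

	broker = &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{{Certificate: [][]byte{brokerCert.Raw}, PrivateKey: brokerKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // reject devices that cannot prove who they are
		ClientCAs:    pool,
	}
	device = &tls.Config{
		MinVersion: tls.VersionTLS12,
		RootCAs:    pool, // the device verifies the broker too: no one-way trust
		ServerName: "localhost",
	}
	if withDeviceCert {
		device.Certificates = []tls.Certificate{{Certificate: [][]byte{devCert.Raw}, PrivateKey: devKey}}
	}
	return broker, device, nil
}

// Handshake runs one TLS connection over loopback TCP and reports whether the
// broker accepted the device, together with each side's error.
func Handshake(withDeviceCert bool) (accepted bool, brokerErr, deviceErr error) {
	brokerCfg, devCfg, err := configs(withDeviceCert)
	if err != nil {
		return false, err, nil
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err, nil
	}
	defer ln.Close()

	done := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			done <- err
			return
		}
		srv := tls.Server(conn, brokerCfg)
		defer srv.Close()
		if err := srv.Handshake(); err != nil {
			done <- err
			return
		}
		_, err = srv.Write([]byte("ok")) // only reached for an authenticated device
		done <- err
	}()

	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, nil, err
	}
	dev := tls.Client(raw, devCfg)
	defer dev.Close()
	dev.SetDeadline(time.Now().Add(5 * time.Second))
	if deviceErr = dev.Handshake(); deviceErr == nil {
		// With TLS 1.3 the client finishes first, so a Read is what surfaces
		// the broker's verdict: "ok", or a bad-certificate alert.
		_, deviceErr = dev.Read(make([]byte, 2))
	}
	brokerErr = <-done
	return brokerErr == nil, brokerErr, deviceErr
}

func main() {
	for _, provisioned := range []bool{true, false} {
		ok, bErr, dErr := Handshake(provisioned)
		fmt.Printf("device cert=%v accepted=%v broker=%v device=%v\n", provisioned, ok, bErr, dErr)
	}
}
```

The unprovisioned device still completes the key exchange; the rejection only becomes visible when the broker inspects the (empty) certificate and sends an alert. That is why a device-side check of the server alone is not enough, and why the ClientAuth setting, not just the presence of TLS, is what the AWS requirement is about.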
Tomi Engdahl says:
Global Internet of Things Security Market to Be Worth $9 Bn in 2016
https://www.asdreports.com/news-18241/global-internet-things-security-market-be-worth-9-bn-2016?utm_source=IIoT+Newsletter&utm_medium=email&utm_campaign=Sept
This 246-page report, now available on ASDReports, Internet of Things (IoT) Security Market 2016-2021: Cyber Security Forecasts for Medicine (Connected Health, Telemedicine, Hospital Equipment, mHealth, Health & Fitness Wearable Technology), Transport (Automotive, Connected Car, Connected Aircraft / Aviation, Maritime Vessels, Public Transport), Industrial Internet of Things (IIoT) (Industrial Control Systems (ICS), Critical Infrastructure, Buildings, Machine-to-Machine (M2M), Manufacturing, Retail, Utilities, Energy, Agriculture, Supply Chain Management), Connected Home (Consumer Connected Devices, Smartphones, Tablets, Fixed Line Broadband & Mobile Communications, Smart Appliances), indicates that the IoT Security market is set to reach $9bn in 2016 as IoT-enabled devices become a more ubiquitous part of global society.
The Internet of Things (IoT) Security Market 2016-2021: Cyber Security Forecasts for Medicine (Connected Health, Telemedicine, Hospital Equipment, mHealth, Health & Fitness Wearable Technology), Transport (Automotive, Connected Car, Connected Aircraft / Aviation, Maritime Vessels, Public Transport), Industrial Internet of Things (IIoT) (Industrial Control Systems (ICS), Critical Infrastructure, Buildings, Machine-to-Machine (M2M), Manufacturing, Retail, Utilities, Energy, Agriculture, Supply Chain Management), Connected Home (Consumer Connected Devices, Smartphones, Tablets, Fixed Line Broadband & Mobile Communications, Smart Appliances) will be of impressive value to current and future investors within the IoT Security market, as well as to companies and research centres who wish to broaden their knowledge of the IoT Security industry.
Tomi Engdahl says:
Do you think that activity bracelet data is protected?
Activity or fitness bracelets sold over 20 million units during the first quarter of the year. They collect all sorts of information about the user. Unfortunately, the data is easy to capture on its way to the cloud.
Ahmad-Reza Sadeghi, professor of cyber security at the Technical University of Darmstadt, explained that almost all of the data can be captured once it leaves the bracelet. The study included 17 different bracelets from large manufacturers such as Xiaomi and Garmin.
While all the cloud-based solutions for transferring wristband data use encrypted protocols such as HTTPS, only four of the wristbands did anything beyond that to keep the data protected. According to Sadeghi, even these methods do not stop a motivated hacker.
Sadeghi’s team was able to carry out a so-called man-in-the-middle attack, that is, to manipulate the data on its way to the cloud service. For example, five bracelets stored their data on the smartphone only as plain text, which is a big security risk.
According to Sadeghi, insurance companies and others who build services on activity monitoring should have information security professionals manage the storage, transfer and verification of the data.
Source: http://etn.fi/index.php?option=com_content&view=article&id=5031&via=n&datum=2016-09-14_11:28:28&mottagare=30929
Tomi Engdahl says:
IoT Needs Security All the Way Down to the Sensors
http://www.designnews.com/author.asp?section_id=1386&doc_id=281498&cid=nl.x.dn14.edt.aud.dn.20160913.tst004c
Embedded applications are far more vulnerable to security risks than most engineers realize, an expert will tell attendees at the upcoming Design & Manufacturing Show in Minneapolis.
”You can’t just say, ‘The gateway is secure and the cloud is secure,’ and assume that’s enough,” Alan Grau, president and co-founder of Icon Labs, told Design News. “We’re trying to bring awareness to the fact that you need to have security all the way down to the end points.”
Tomi Engdahl says:
Chicago woman launches lawsuit against Canadian maker of app-based vibrator
http://ottawa.ctvnews.ca/chicago-woman-launches-lawsuit-against-canadian-maker-of-app-based-vibrator-1.3071873
An American woman has launched a proposed class-action lawsuit against the Canadian-owned maker of a smartphone-enabled vibrator, alleging the company sells products that secretly collect and transmit “highly sensitive” information.
To fully operate the device, users download the We-Connect app on a smartphone, allowing them and their partners remote control over the Bluetooth-equipped vibrator’s settings.
In particular, the app’s “connect lover” feature — which promises a secure connection
“(N.P.) would never have purchased a We-Vibe had she known that in order to use its full functionality, (Standard Innovation) would monitor, collect and transmit her usage information through We-Connect,” the statement of claim said.
The suit alleges that unbeknownst to its customers, Standard Innovation designed the We-Connect app to collect and record intimate and sensitive data on use of the vibrator, including the date and time of each use as well as vibration settings.
It also alleges the usage data and the user’s personal email address was transmitted to the company’s servers in Canada.
The statement of claim alleges the company’s conduct demonstrates “a wholesale disregard” for consumer privacy rights and violated a number of state and federal laws.
The lawsuit filed against Standard Innovation asks the court for an injunction prohibiting the company from monitoring, collecting and transmitting consumer usage information, damages arising from the invasion of personal privacy, and damages arising from the purchase of the We-Vibe.
Tomi Engdahl says:
In the rush to bring the IoT to consumers, security and privacy are often overlooked. Rambus’ Aharon Etengoff advocates for a new paradigm to provide secure foundations for connected devices.
Security is “often overlooked” for the IoT
http://www.rambusblog.com/2016/09/14/security-is-often-overlooked-for-the-iot/
The Online Trust Alliance (OTA) has determined that the overwhelming majority of Internet of Things (IoT) vulnerabilities publicly disclosed over the last year could have been easily avoided.
According to Craig Spiezle, Executive Director and President of the Online Trust Alliance, security and privacy is often overlooked in the rush to bring connected devices to market.
“If businesses do not make a systemic change we risk seeing the weaponization of these devices and an erosion of consumer confidence impacting the IoT industry on a whole due to their security and privacy shortcomings,” he stated.
The most glaring IoT security failures analyzed by the OTA included the omission or lack of rigorous security testing throughout the development process; the lack of a discoverable process or capability to responsibly report observed vulnerabilities; insecure or no network pairing control options; a lack of testing for common code exploits; and limited transport security and encrypted storage for user IDs and passwords. Last, but certainly not least, the OTA found that a number of IoT devices lacked a sustainable and supportable plan to address vulnerabilities through the product lifecycle, including a dearth of software and firmware update capabilities, along with insecure and untested security patches and updates.
“Security starts from product development through launch and beyond but during our observations we found that an alarming number of IoT devices failed to anticipate the need of ongoing product support,” said Spiezle. “Devices with inadequate security patching systems further open the door to threats impacting the safety of consumers and businesses alike.”
A new paradigm, designed from the ground up to provide secure foundations for connected devices, is clearly long overdue. Devices should be secured throughout their lifecycle from chip manufacture, to day-to-day deployment, to decommissioning.
According to Steven Woo, VP of Systems and Solutions at Rambus, the semiconductor industry is slowly beginning to realize IoT security is a critical goal that needs to be treated as a first-class design parameter. Nevertheless, software is often selected as the security medium of choice because it is relatively simple to deploy and layer on top of existing systems.
“It’s certainly no secret that software-based security can be hacked. However, a silicon-based hardware root-of-trust offers a range of robust security options for IoT devices. Enabled by Moore’s Law, integration of a silicon root-of-trust into IoT silicon makes a lot of sense. As more and more devices are brought online, the importance of heightened security will only increase. Providing hardware-based security via a root-of-trust is going to be very important going forward,” he added.
OTA Finds 100% of Recently Reported IoT Vulnerabilities Easily Avoidable
https://otalliance.org/news-events/press-releases/ota-finds-100-recently-reported-iot-vulnerabilities-easily-avoidable
IoT devices could be used as weapons if security and privacy best practices are not followed
The Online Trust Alliance (OTA), the non-profit with the mission to enhance online trust, today announced that every vulnerability or privacy issue reported for consumer connected home and wearable technology products since November 2015 could have been easily avoided. Specifically, OTA found had device manufacturers and developers implemented the security and privacy principles outlined in the OTA IoT Trust Framework, the recently reported susceptibilities would have never occurred.
“In this rush to bring connected devices to market, security and privacy is often being overlooked,” said Craig Spiezle, Executive Director and President of the Online Trust Alliance. “If businesses do not make a systemic change we risk seeing the weaponization of these devices and an erosion of consumer confidence impacting the IoT industry on a whole due to their security and privacy shortcomings.”
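Among the failures the OTA lists are missing firmware update capability and insecure, untested patches. The following is an added example in Go (not code from the OTA, Rambus or the blog) of the minimum a device-side updater should check before flashing: a vendor signature over a small manifest, the digest of the image against that manifest, and a version that is strictly newer than the installed one so that a genuinely signed but vulnerable old release cannot be re-flashed. The manifest layout, the error names and the sample image bytes are constructed for the example; the vendor public key is assumed to be stored write-protected on the device, and the private key is assumed to stay on the vendor’s build server.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// The manifest is what the vendor signs: a 4-byte big-endian version followed
// by the SHA-256 of the image. Signing the digest keeps the signed blob tiny,
// and an Ed25519 verification is cheap enough for a small MCU.
const manifestLen = 4 + sha256.Size

var (
	ErrManifest     = errors.New("update: malformed manifest")
	ErrBadSignature = errors.New("update: manifest signature invalid")
	ErrRollback     = errors.New("update: version is not newer than the installed one")
	ErrImageDigest  = errors.New("update: image does not match signed digest")
)

// SignUpdate is the build-server side. The private key stays with the vendor;
// only the public half is ever placed on a device.
func SignUpdate(vendorPriv ed25519.PrivateKey, version uint32, image []byte) (manifest, sig []byte) {
	manifest = make([]byte, manifestLen)
	binary.BigEndian.PutUint32(manifest[:4], version)
	sum := sha256.Sum256(image)
	copy(manifest[4:], sum[:])
	return manifest, ed25519.Sign(vendorPriv, manifest)
}

// VerifyUpdate is the device side. vendorPub is assumed to sit in
// write-protected storage; installed is the running version. The signature is
// checked before anything in the manifest is trusted, and an older or equal
// version is refused even when its signature is genuine: that is what stops an
// attacker re-flashing a vulnerable release the vendor once signed.
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, manifest, sig, image []byte) (uint32, error) {
	if len(manifest) != manifestLen {
		return 0, ErrManifest
	}
	if !ed25519.Verify(vendorPub, manifest, sig) {
		return 0, ErrBadSignature
	}
	version := binary.BigEndian.Uint32(manifest[:4])
	if version <= installed {
		return 0, ErrRollback
	}
	sum := sha256.Sum256(image)
	if !bytes.Equal(sum[:], manifest[4:]) {
		return 0, ErrImageDigest
	}
	return version, nil
}

// Scenario runs one genuine update and the three attacks a fielded device must
// refuse. The image bytes are constructed sample data, not real firmware.
func Scenario() (map[string]error, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	v1 := []byte("firmware 1.0 (sample image bytes, has the bug)")
	v2 := []byte("firmware 2.0 (sample image bytes, bug fixed)")
	m1, s1 := SignUpdate(vendorPriv, 1, v1)
	m2, s2 := SignUpdate(vendorPriv, 2, v2)

	tampered := append([]byte(nil), v2...)
	tampered[0] ^= 0x01 // one flipped bit in an otherwise genuine image

	results := map[string]error{}
	_, results["genuine 1->2"] = VerifyUpdate(vendorPub, 1, m2, s2, v2)
	_, results["tampered image"] = VerifyUpdate(vendorPub, 1, m2, s2, tampered)
	_, results["rollback 2->1"] = VerifyUpdate(vendorPub, 2, m1, s1, v1)
	_, results["forged signature"] = VerifyUpdate(vendorPub, 1, m2, ed25519.Sign(attackerPriv, m2), v2)
	return results, nil
}

func main() {
	results, err := Scenario()
	if err != nil {
		panic(err)
	}
	for name, e := range results {
		fmt.Printf("%-18s %v\n", name, e)
	}
}
```

The order of the checks matters: the signature is verified before the version is read, so a forged manifest never influences the rollback decision, and the image digest is compared last, after the device knows the manifest came from the vendor.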
Tomi Engdahl says:
Where Are the IoT Security Startups?
http://www.eetimes.com/author.asp?section_id=36&doc_id=1330501&
You’d think that the dissonance between excitement over IoT opportunities on one hand and concern about IoT security on the other would yield a rich breeding ground for companies targeting IoT security.
Security is a broad concept even within a specific arena such as embedded systems. Basic security principles are applicable whether the asset to be protected is physical or virtual, so one can understandably question the appropriateness of confining a discussion about security to a particular market such as the Internet of Things (IoT).
The IoT is unique, however, in the way its assets stretch out broadly across both physical and virtual domains — encompassing individual devices and open communications channels at known sites as well as geographically dispersed data sets and application running on virtual servers. Rather than some nicely compartmentalized system, an IoT application is pretty much a security nightmare from end to end. Even so, you’d think that the dissonance between excitement over IoT opportunities on one hand and concern about IoT security on the other would yield a rich breeding ground for companies targeting IoT security. Yet, in its latest look at 60 noteworthy startups, EE Times identified only one security-related startup, which begs the question: Where are the IoT security startups?
From a security point of view, the IoT is different from nearly any other application segment. Few applications expose as many threat surfaces simultaneously. Industrial network applications probably most closely resemble IoT applications but have the distinct advantage of physical protection and isolation. Even so, closed industrial networks have been famously compromised. In contrast, a typical IoT application is open and easily accessible.
Where are the IoT security startups?
http://www.embedded.com/design/safety-and-security/4442732/Where-are-the-IoT-security-startups-
Not surprisingly, researchers have exposed security flaws in connected products including automobiles, closed-circuit cameras, and even light bulbs. Concerns understandably remain over zero-day vulnerabilities across the connected world.
That challenge, in a nutshell, is the easy answer to the dearth of IoT security startups: It’s really really hard. Yet, that very kind of challenge has always attracted some of the best minds in math, science and engineering. The true answers might have less to do with technology than with business factors. In its recent report, Cybersecurity Venture Investment in Pervasive Computing and the IoT, Lux Research looked at 77 IoT-related startups and found a remarkable shortfall in venture funding. According to Lux Research, the 77 startups it studied “…raised just $808.6 million in venture funding over the last 16 years — and 42 of them had little or no venture backing at all.”
It’s interesting to note that in both the EE Times list and in the Lux Research report, some of the companies have been around long enough to stretch the definition of “startup.” In terms of market presence, however, these companies are in a long-running battle for recognition. IoT security-solutions vendors face a cost-sensitive market and security is a cost that does not translate into a new, exciting feature for the user. Cybersecurity vendors often say that their products are like insurance — something nobody wants to pay for until it’s too late.
Along with the difficulty in proving commercial viability, third-party security-solution providers face a significant legal challenge. As Lux Research points out, the anti-circumvention rules in Section 1201 of the Digital Millennium Copyright Act prohibit developers from bypassing a device’s own code without permission from the rights owner of the device code.
Here’s a quick list of 10 companies (arranged alphabetically) that have emerged relatively recently with solutions that could benefit IoT applications developers
Tomi Engdahl says:
Interest in the IoT yields interest in OT security
http://www.controleng.com/single-article/interest-in-the-iot-yields-interest-in-ot-security/82536b7c24b552c30b139535aa898e6b.html?OCVALIDATE&ocid=101781
The Internet of Things (IoT) is becoming more commonplace in the workplace, which has, in turn, increased interest in operational technology (OT) security.
The more an organization wants to raise productivity, the more its individual parts need to connect (devices to systems, machines to data, people to processes) to create increased automation. Heat sensors tell the system when to cool down. Instruments detect when medical tests are complete. Viscosity sensors keep oil running through pipelines. These man-to-man, man-to-machine, and machine-to-machine (M2M) connections on the industrial Internet increase productivity and efficiencies.
The industrial Internet represents a huge opportunity for growth and efficiency. To realize the full benefits of the industrial Internet, organizations have to connect to the Internet, to local and wide area networks, to information technology (IT) and to other control systems.
Today, the industrial world runs on critical physical assets and embedded systems known as operational technology (OT). Gartner, Inc. forecasts that 6.4 billion connected Internet of Things (IoT) devices will be in use worldwide in 2016, up 30% from 2015, and that the number will reach 20.8 billion by 2020. In 2016, 5.5 million new things will get connected every day.
However, this growing number of connected devices also greatly expands the attack surface. Every new connection adds to that which security professionals must protect.
Adding to the difficulty, those who attempt to hack into the industrial Internet tend to have a lower risk/higher reward dynamic than those who attack IT networks.
Compared to IT hackers who end up with data, OT hackers can cause immense havoc, such as disabling a factory or generating other debilitating disruptions.
Thus, there can be a false sense of security when protecting a network that does not have, and often has never had, an active unsecured connection. There are two major reasons why this is not possible:
1. If a system is operating in isolation, that doesn’t mean it can’t get attached. An employee simply accessing an email with a keyboard can breach the gap.
2. In today’s world, to raise productivity, a system must be connected. Somewhere along the connectivity chain, the system is going to become attached, either willfully or through a possible error. In fact, most CISOs are more concerned over accidental activities by authorized users than over threats by external adversaries.
Raising OT cybersecurity awareness
It seems like every B2B trade publication has articles on the IoT. Although security concerns never seem to be the subject of the article, security directors are reading between the lines. And, although these articles don’t typically address the real problems inherent in protecting such systems, they are starting, at least, to discuss the issues.
As the IoT continues to change the industrial control landscape, it will also change the very nature of industrial cybersecurity. Future industrial Internet security strategies will require a broader scope that includes cloud systems and remote devices, more emphasis on device-centric security and secure-by-design and a shift from security management silos to IT-OT security networks.
Tomi Engdahl says:
Kevin Hartnett / Quanta Magazine:
DARPA prevented hackers from taking control of an unmanned drone using “formal methods”, a technique that can verify whether programs are error-free — In the summer of 2015 a team of hackers attempted to take control of an unmanned military helicopter known as Little Bird.
Hacker-Proof Code Confirmed
https://www.quantamagazine.org/20160920-formal-verification-creates-hacker-proof-code/
Computer scientists can prove certain programs to be error-free with the same certainty that mathematicians prove theorems. The advances are being used to secure everything from unmanned drones to the internet.
In the summer of 2015 a team of hackers attempted to take control of an unmanned military helicopter known as Little Bird. The helicopter, which is similar to the piloted version long-favored for U.S. special operations missions, was stationed at a Boeing facility in Arizona. The hackers had a head start: At the time they began the operation, they already had access to one part of the drone’s computer system.
When the project started, a “Red Team” of hackers could have taken over the helicopter almost as easily as it could break into your home Wi-Fi. But in the intervening months, engineers from the Defense Advanced Research Projects Agency (DARPA) had implemented a new kind of security mechanism — a software system that couldn’t be commandeered. Key parts of Little Bird’s computer system were unhackable with existing technology, its code as trustworthy as a mathematical proof. Even though the Red Team was given six weeks with the drone and more access to its computing network than genuine bad actors could ever expect to attain, they failed to crack Little Bird’s defenses.
“They were not able to break out and disrupt the operation in any way,” said Kathleen Fisher, a professor of computer science at Tufts University and the founding program manager of the High-Assurance Cyber Military Systems (HACMS) project. “That result made all of DARPA stand up and say, oh my goodness, we can actually use this technology in systems we care about.”
The technology that repelled the hackers was a style of software programming known as formal verification.
“You’re writing down a mathematical formula that describes the program’s behavior and using some sort of proof checker that’s going to check the correctness of that statement,” said Bryan Parno, who does research on formal verification and security at Microsoft Research.
The aspiration to create formally verified software has existed nearly as long as the field of computer science. For a long time it seemed hopelessly out of reach, but advances over the past decade in so-called “formal methods” have inched the approach closer to mainstream practice. Today formal software verification is being explored in well-funded academic collaborations, the U.S. military and technology companies such as Microsoft and Amazon.
Block-Based Security
Between the lines it takes to write both the specification and the extra annotations needed to help the programming software reason about the code, a program that includes its formal verification information can be five times as long as a traditional program that was written to achieve the same end.
This burden can be alleviated somewhat with the right tools — programming languages and proof-assistant programs designed to help software engineers construct bombproof code.
Then came the internet, which did for coding errors what air travel did for the spread of infectious diseases: When every computer is connected to every other one, inconvenient but tolerable software bugs can lead to a cascade of security failures.
“Here’s the thing we didn’t quite fully understand,” Appel said. “It’s that there are certain kinds of software that are outward-facing to all hackers in the internet, so that if there is a bug in that software, it might well be a security vulnerability.”
By the time researchers began to understand the critical threats to computer security posed by the internet, program verification was ready for a comeback. To start, researchers had made big advances in the technology that undergirds formal methods: improvements in proof-assistant programs like Coq and Isabelle that support formal methods; the development of new logical systems (called dependent-type theories) that provide a framework for computers to reason about code; and improvements in what’s called “operational semantics” — in essence, a language that has the right words to express what a program is supposed to do.
“If you start with an English-language specification, you’re inherently starting with an ambiguous specification,” said Jeannette Wing, corporate vice president at Microsoft Research. “Any natural language is inherently ambiguous. In a formal specification you’re writing down a precise specification based on mathematics to explain what it is you want the program to do.”
The HACMS project illustrates how it’s possible to generate big security guarantees by specifying one small part of a computer system.
The team also rewrote the software architecture, using what Fisher, the HACMS founding project manager, calls “high-assurance building blocks” — tools that allow programmers to prove the fidelity of their code. One of those verified building blocks comes with a proof guaranteeing that someone with access inside one partition won’t be able to escalate their privileges and get inside other partitions.
Later the HACMS programmers installed this partitioned software on Little Bird.
Verifying the Internet
Security and reliability are the two main goals that motivate formal methods. And with each passing day the need for improvements in both is more apparent. In 2014 a small coding error that would have been caught by formal specification opened the way for the Heartbleed bug, which threatened to bring down the internet. A year later a pair of white-hat hackers confirmed perhaps the biggest fears we have about internet-connected cars when they successfully took control of someone else’s Jeep Cherokee.
As the stakes rise, researchers in formal methods are pushing into more ambitious places.
Over at Microsoft Research, software engineers have two ambitious formal verification projects underway. The first, named Everest, is to create a verified version of HTTPS, the protocol that secures web browsers and that Wing refers to as the “Achilles heel of the internet.”
The second is to create verified specifications for complex cyber-physical systems such as drones. Here the challenge is considerable.
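The partition proof the excerpt describes cannot be reproduced here, but the Heartbleed-style defect it mentions (a read that trusts a length the sender supplied) is small enough to show how a proof assistant rules it out. The following is an added example in Lean 4, not HACMS code and not from the article: the claimed length carries a proof that it fits the buffer, and every read demands a proof that the index is below that length, so the over-read cannot even be written down. All names are the example’s own.

```lean
/-- A received message: a backing buffer plus the length the sender claimed.
    `h` is a proof obligation: a `Message` cannot be built unless the claimed
    length fits the buffer, so the Heartbleed-style mismatch is unrepresentable. -/
structure Message where
  buf : Array UInt8
  len : Nat
  h   : len ≤ buf.size

/-- Read byte `i` of the message. The caller must hand over a proof `hi : i < m.len`;
    the bound on the buffer itself is derived from it, so no runtime check is
    needed and no out-of-bounds read can exist. -/
def Message.get (m : Message) (i : Nat) (hi : i < m.len) : UInt8 :=
  m.buf[i]'(Nat.lt_of_lt_of_le hi m.h)

/-- The "echo back `n` bytes" operation, written as a list of in-bounds reads.
    Each index comes with the proof that it lies below `n`, hence below `m.len`. -/
def Message.echo (m : Message) (n : Nat) (hn : n ≤ m.len) : List UInt8 :=
  (List.range n).attach.map fun ⟨i, hi⟩ =>
    m.get i (Nat.lt_of_lt_of_le (List.mem_range.mp hi) hn)

-- A message whose buffer holds 3 bytes and which claims a length of 2.
example : Message := ⟨#[1, 2, 3], 2, by decide⟩

-- `Message.get m 5 _` does not type-check: there is no proof that 5 < 2,
-- which is exactly the over-read that a formal specification rules out.
```

The point is not the five lines of code but where the check lives: in a C implementation the bounds test is a statement that can be forgotten, and Heartbleed was one that was; here it is part of the type, and a program that omits it is rejected by the checker before it ever runs.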
Tomi Engdahl says:
OVH hosting hit by 1Tbps DDoS attack, the largest one ever seen
http://securityaffairs.co/wordpress/51640/cyber-crime/tbps-ddos-attack.html
The hosting company OVH was the victim of a 1 Tbps DDoS attack that hit its servers, this is the largest one ever seen on the Internet.
The hosting provider OVH faced 1Tbps DDoS attack last week, likely the largest offensive ever seen.
The OVH founder and CTO Octave Klaba reported the 1Tbps DDoS attack on Twitter sharing an image that lists the multiple sources of the attack.
Klaba explained that his company’s servers were hit by multiple attacks exceeding 100 Gbps simultaneously, adding up to a 1 Tbps DDoS attack. The most severe single attack documented by OVH reached 93 Mpps and 799 Gbps.
Unfortunately, this is not a novelty, in June 2016 security experts from Sucuri firm have discovered a large botnet of compromised CCTV devices used by crooks to launch DDoS attacks in the wild.
IoT devices, including CCTV, often lack proper configuration, it is easy for hackers to locate on the Internet systems with weak or default login credentials.
Recently security experts reported several Linux malware targeting IoT devices such as Luabot and Bashlite.
Earlier September, experts from Level 3 and Flashpoint confirmed the overall number of devices infected by the BASHLITE malware is more than 1 million.
The number includes compromised devices belonging to several botnets; according to the experts, almost all infected devices are digital video recorders (DVRs) or cameras (95%), with the remainder composed of routers (4%) and Linux servers (1%).
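The recruitment the article describes starts with credential sweeps against exposed telnet and SSH logins on devices that still carry factory accounts. The following is an added example in Go (not from the article) of detection logic run over a constructed auth-log excerpt: it groups attempts by source address, flags a source that cycles through several account names, and flags a successful login as a factory account after a run of failures. The log format, the addresses, the account list and the threshold are constructed for the example and are not a real capture.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// SampleLog is a constructed excerpt in the style of a DVR's login daemon.
// It is sample data for this example, not a real capture.
const SampleLog = `Sep 26 03:12:01 dvr login[412]: FAILED LOGIN 1 FROM 198.51.100.23 FOR root, Authentication failure
Sep 26 03:12:02 dvr login[412]: FAILED LOGIN 2 FROM 198.51.100.23 FOR admin, Authentication failure
Sep 26 03:12:03 dvr login[412]: FAILED LOGIN 3 FROM 198.51.100.23 FOR support, Authentication failure
Sep 26 03:12:04 dvr login[412]: FAILED LOGIN 4 FROM 198.51.100.23 FOR guest, Authentication failure
Sep 26 03:12:05 dvr login[413]: LOGIN ON pts/0 BY admin FROM 198.51.100.23
Sep 26 08:40:10 dvr login[520]: LOGIN ON pts/1 BY operator FROM 192.0.2.10
Sep 26 09:01:44 dvr login[531]: FAILED LOGIN 1 FROM 192.0.2.10 FOR operator, Authentication failure`

var (
	failedRe  = regexp.MustCompile(`FAILED LOGIN \d+ FROM (\S+) FOR (\S+),`)
	successRe = regexp.MustCompile(`LOGIN ON \S+ BY (\S+) FROM (\S+)`)
)

// factoryAccounts are account names that ship enabled on many embedded devices
// (an illustrative list for the example, not a complete one).
var factoryAccounts = map[string]bool{"root": true, "admin": true, "support": true, "guest": true, "user": true}

// sweepThreshold: this many distinct account names from one source is a sweep,
// not a user mistyping a password.
const sweepThreshold = 3

type source struct {
	failures int
	users    map[string]bool
	logins   []string // accounts that eventually got in, in order
}

type Finding struct {
	IP     string
	Reason string
}

// Analyze walks the log once, aggregates per source address, and returns
// findings in the order the sources first appeared.
func Analyze(log string) []Finding {
	sources := map[string]*source{}
	var order []string
	get := func(ip string) *source {
		s, ok := sources[ip]
		if !ok {
			s = &source{users: map[string]bool{}}
			sources[ip] = s
			order = append(order, ip)
		}
		return s
	}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := sc.Text()
		if m := failedRe.FindStringSubmatch(line); m != nil {
			s := get(m[1])
			s.failures++
			s.users[m[2]] = true
		} else if m := successRe.FindStringSubmatch(line); m != nil {
			s := get(m[2])
			s.logins = append(s.logins, m[1])
		}
	}
	var out []Finding
	for _, ip := range order {
		s := sources[ip]
		if len(s.users) >= sweepThreshold {
			out = append(out, Finding{ip, fmt.Sprintf("%d failed logins across %d account names: credential sweep", s.failures, len(s.users))})
		}
		for _, u := range s.logins {
			if factoryAccounts[u] && s.failures > 0 {
				out = append(out, Finding{ip, fmt.Sprintf("logged in as factory account %q after %d failures: default credential likely in use", u, s.failures)})
			}
		}
	}
	return out
}

func main() {
	for _, f := range Analyze(SampleLog) {
		fmt.Printf("%-15s %s\n", f.IP, f.Reason)
	}
}
```

On the sample, 198.51.100.23 produces both findings (four account names tried, then a successful login as admin), while 192.0.2.10 produces none: one failure followed by a login as a non-factory account is what an operator mistyping a password looks like. The second finding is the one that matters for the botnet case, since a successful factory-account login after a sweep is the moment a DVR is recruited.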
Tomi Engdahl says:
Demand seen for filling IoT connectivity, security gaps
http://www.cablinginstall.com/articles/pt/2016/09/demand-seen-for-filling-iot-connectivity-security-gaps.html?cmpid=Enl_CIM_CablingNews_September262016&eid=289644432&bid=1538204
Internet of Things (IoT) devices are a critical component of the new digital economy, collecting and sharing information across myriad data nodes – from smart appliances, irrigation systems and shipping containers, to wireless energy meters and mobile healthcare devices.
“Of course, IOT introduces a number of critical challenges as well, not the least of which are, ‘how do we connect and manage so many devices?’ and ‘how do we secure so many devices and so much traffic?’”
He points out that because most IOT devices are mobile, they tend to connect to the network via wireless access points. “Since IOT wasn’t on the horizon when most wireless solutions were deployed, the growing volume of IOT and user devices is now overwhelming these access points,” continues Hutton. “In addition, because most IOT devices do not have security installed, the need to apply security inspection and monitoring is creating a bottleneck.”
1. Unlock IOT access and performance demands
IT teams face severe challenges scaling their wireless edge to meet rising access demands.
2. Protect IOT with Fortinet Security Fabric
“Since most IOT devices can’t run a security client, or even be patched, security needs to be applied at the point of access,” highlights Hutton.
3. Simplify management
“However, to make this all happen efficiently, we need to automate security and access operations,”
Tomi Engdahl says:
The Week In Review: IoT
http://semiengineering.com/the-week-in-review-iot-19/
The Industrial Internet Consortium releases a security framework; IoT deals made by Cisco and Salesforce, Bosch and SAP; privacy is lacking in connected devices.
Security
The Industrial Internet Consortium this week unveiled the Industrial Internet Security Framework, a set of specifications for connected health-care devices and hospitals, intelligent transportation, smart electrical grids, smart factories, and other cyber-physical systems in the Internet of Things. AT&T, Fujitsu, Hitachi, Infineon Technologies, Intel, Microsoft, and Symantec are among the companies contributing to the security framework.
INDUSTRIAL INTERNET SECURITY FRAMEWORK TECHNICAL REPORT
http://www.iiconsortium.org/IISF.htm
Tomi Engdahl says:
Where are the IoT security startups?
http://www.embedded.com/design/safety-and-security/4442732/2/Where-are-the-IoT-security-startups-
Despite the limitations and difficulties facing them, startups continue to emerge with technologies that address IoT security either directly or indirectly through fundamental mechanisms. For example, Intrinsic ID, the sole security-focused company named in the EE Times list of 60 noteworthy startups, offers technology for physically unclonable functions (PUF). As with any fundamentally sound security mechanism, PUF technology is application-agnostic and can harden security in any connected embedded systems design by hardening crypto key security — a vital security mechanism and perhaps even the most important according to Kerckhoffs’s Principle. Similarly, several startups are looking to replace the traditional security workstation with automated mechanisms for threat detection, identification and mitigation at the enterprise level. IoT applications can benefit from many security features geared to the enterprise, but generally encompass a different set of requirements (and are not included in the list of startups below).
With the caveat that the next security leader might well be creating the next great solution in stealth mode, here’s a quick list of 10 companies (arranged alphabetically) that have emerged relatively recently with solutions that could benefit IoT applications developers:
Argus Cyber Security targets security for connected vehicles with a multilayered approach
Bastille focuses on RF vulnerability and provides proprietary software and sensors to scan the customer environment to identify RF threats and RF-based data leakage
Bbotx offers a secure managed software platform for managing connected devices and data from those devices
Device Authority is targeting IoT security with a platform designed for secure registration, provisioning, and updating of devices
DoJo Labs targets smart connected home security with a home-based device that monitors the home network for threats
Power Fingerprinting (PFP) Cybersecurity analyzes power usage on devices to detect potential threats
Runsafe Security targets automotive security with hardware and software designed to block physical or virtual attacks in real time
Securithings focuses on analytics for threat detection, offering software agents designed to simplify integration with common IoT platforms.
Twistlock is not IoT-specific but is included here because it addresses container security.
Virta Labs offers managed services designed for the healthcare industry.
Tomi Engdahl says:
Sad reality: Look, no one’s going to patch their insecure IoT gear
‘Consumers are ready to roll the dice with their privacy every time they buy a gadget’
http://www.theregister.co.uk/2016/09/29/internet_of_things_security_patching/
If you think ordinary people are going to look out for and apply firmware fixes to patch vulnerabilities in the Internet of Things, you’re crazy.
It’s going to be down to manufacturers to secure IoT devices, Intel Security’s chief technical strategist says, because consumers will cheerfully give away their security and privacy in the name of convenience.
Scott Montgomery said time and time again non-geeks have shown little interest in the security of their IoT gizmos and were willing to put up with major security failings in things like home alarm systems and door locks in exchange for ease of use.
“Internet security and privacy are already tricky and industry hasn’t done a great job of making it more accessible and easier – that’s on us,” he told the Structure Security conference in San Francisco on Wednesday. “But consumers are very, very ready to roll the dice with their privacy every time they buy a gadget.”
A lot of manufacturers aren’t getting the message either, he noted, citing two particularly worrying cases.
Medical equipment was also singled out for his scorn. There are thousands of health-related devices that are connected to the internet, he said, but there was little reason to do so and the results meant that you can pick up their data online with very little effort.
“If you look at any dark web search engine you’ll be able to look at live MRIs going on right now,”
However, industry has got the message on IoT security very clearly, he said, citing Exxon as being a clear leader in the field. The oil giant has been conducting a massive infrastructure overhaul with the intention of adding in IoT sensors from oil wells to refineries.
As part of that, Exxon has told its suppliers to take a much firmer look at how these sensors can be locked down.
US Homeland Security launches IoT willy-waving campaign
Our policies are gonna be the best, ignore all the rest
http://www.theregister.co.uk/2016/09/22/homeland_security_launches_iot_campaign/
The US Department of Homeland Security has announced plans to make the internet-of-things just a bit more complicated – by trying to shove itself into the market with a new security framework.
On Thursday, assistant secretary for cyber policy at the DHS Robert Silvers told the Security of Things Forum in Cambridge, Massachusetts, that his department had decided to develop “a set of strategic principles” for IoT manufacturers that would ensure that security is built into future products.
While no one is going to disagree about the need for drastically improved security in this market, there are already a number of other government departments working on the issue, including the Federal Trade Commission (FTC), the Department of Commerce, and the Department of Transportation – begging the question why the DHS should get involved at all.
Tomi Engdahl says:
Pisspoor IoT security means it’d be really easy to bump off pensioners
Oi, digi-utopians. Start putting your house in order, says CW event speaker
http://www.theregister.co.uk/2016/09/29/cambridge_wireless_iot_event_regulation_security/
Two things are fixed on everyone’s minds when it comes to the Internet of Things: security and law. How does industry overcome the threats posed by these two hurdles?
Speaking at yesterday’s Cambridge Wireless IoT event in London, Max Heinemeyer from Darktrace was all in favour of automating away the security problems.
He advocated letting machine learning take the strain of countering IoT malware – precursors to the gigantic botnet that floored infosec journalist Brian Krebs’ website earlier this week – and the emerging threat of hijacks and botnets.
“When I think about these new technology solutions,” said Heinemeyer, “I think what can save us from the IoT problem is to let machines do the heavy lifting. If you’ve ever worked in a security operations centre with signature detection systems, it’s not possible to keep them up to date manually.”
I’ve told you about a problem, now here’s the solution
A former member of the Chaos Communications Club hacker collective in Germany, Heinemeyer was – conveniently – able to put forward a machine learning solution made by his employers which just so happens to be a solution to the IoT security problem. He emphasised how, once installed, it learns how the client’s network operates over a period of two to three weeks and then acts on unusual activity from there.
“Earlier we heard of the DDoS attack against Brian Krebs with an IoT network. I jumped onto a client’s network and it took me three minutes to find an IoT device trying to attack Krebs,” said Heinemeyer, who identified the culprit device as a CCTV camera.
Infamous “security tools” outfit Hacking Team was infiltrated by an IoT device modified to exploit a zero-day vulnerability, continued Heinemeyer, who gave a similar example of how one of Darktrace’s customers was attacked: “It wasn’t an attacker from the internet. Someone used chodan.io to find a fingerprint scanner. What he did then was guess the default admin password – which was [username] admin, [password] admin – got access to the administration toolkit, then used this to pivot into the main network.”
Where does government and regulation fit in with the IoT, then? The 50-strong audience heard from Derek McAuley of the University of Nottingham, who left your correspondent with a vague sense of unease about the whole shebang.
“We already live in a world where there’s a massive amount of regulation,”
“There will be regulation on IoT in certain spaces,” he said. “We actually have to look at the individual sectors and the Things within these sectors and say ‘what regulation applies’?”
Highlighting the US Federal Trade Commission’s webpage on “what to know about webcam hackers” and talking about how the FTC cracked down on firms selling shonky webcams with little or no built-in security features, McAuley said: “The regulation that was applied was nothing to do with technology, it was to do with consumer protection. Sanctions were applied and many of those companies shut down the next day.”
He continued on this theme, highlighting how real-world regulations already apply to the Internet of Things – or rather, can be made to apply to it – and warned that the biggest challenge may not be impending regulation or security challenges alone, but also user confidence.
FUD? Not so much – hyperbole masks a real problem here
Showing the audience a schematic of someone’s connected house “pulled randomly from the internet,” complete with automatic garage doors, self-ordering fridge, the whole works, McAuley said: “What could go wrong with that?” The next slide was a news story titled “Automatic garage door openers: hazards for children,” and went on to explain a nasty incident where junior had got hold of a remote control and squashed himself in the garage door.
“Unlike privacy,” he said, “you’re not going to be able to get fuzzy at the edges here. There’s one thing that’s common across the whole world: if you kill children with your technology, people are going to get angry and they’re going to come after you.”
If you really take it to extremes, McAuley pointed out, you could even leverage the IoT as a real-world attack vector.
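Heinemeyer’s approach above (learn what the network normally does for two to three weeks, then act on deviations such as a camera suddenly hammering an external host) is the kind of per-device baselining a defender can prototype quickly. The following is an added example written for this page, not Darktrace’s code or anything from the article: the device names, hosts and NetFlow-style records are constructed, the learning and monitoring windows are synthetic, and the rate factor of 5 is an arbitrary assumption.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """One summarised outbound connection (NetFlow-style record; constructed)."""
    minute: int      # minutes since the start of the capture
    device: str      # constructed device name, e.g. "cctv-cam-01"
    dst: str         # destination host
    dport: int       # destination port
    bytes_out: int


@dataclass
class DeviceProfile:
    """What 'normal' looked like for one device during the learning period."""
    peers: set = field(default_factory=set)   # (dst, dport) pairs ever contacted
    max_flows_per_min: int = 0


def normal_flows(start, minutes):
    """Constructed traffic for two IoT devices: a camera streaming RTSP to its
    recorder and syncing NTP every 10 minutes, and a thermostat polling its
    vendor API once a minute."""
    flows = []
    for m in range(start, start + minutes):
        flows.append(Flow(m, "cctv-cam-01", "nvr.lan", 554, 2_000_000))
        if m % 10 == 0:
            flows.append(Flow(m, "cctv-cam-01", "time.vendor.example", 123, 90))
        flows.append(Flow(m, "thermostat-01", "api.thermo.example", 443, 4_000))
    return flows


def synth_baseline(minutes=60):
    """Constructed learning period: clean traffic only."""
    return normal_flows(0, minutes)


def synth_attack_period(start=60, minutes=3, flows_per_minute=200):
    """Constructed monitoring window: the camera keeps its normal traffic but
    also opens 200 short HTTP connections a minute to one host, the pattern
    of a device conscripted into an HTTP-flood botnet."""
    flows = normal_flows(start, minutes)
    for m in range(start, start + minutes):
        flows += [Flow(m, "cctv-cam-01", "victim.example", 80, 300)
                  for _ in range(flows_per_minute)]
    return flows


def learn(flows):
    """Learning phase: record each device's peers and its busiest minute."""
    profiles = defaultdict(DeviceProfile)
    per_minute = defaultdict(int)
    for f in flows:
        profiles[f.device].peers.add((f.dst, f.dport))
        per_minute[(f.device, f.minute)] += 1
    for (device, _), count in per_minute.items():
        p = profiles[device]
        p.max_flows_per_min = max(p.max_flows_per_min, count)
    return dict(profiles)


def detect(profiles, flows, rate_factor=5):
    """Monitoring phase: flag never-seen destinations, unknown devices, and
    minutes in which a device opens far more connections than its baseline.
    Returns a sorted list of unique (device, alert_kind, detail) tuples."""
    alerts = set()
    per_minute = defaultdict(int)
    for f in flows:
        p = profiles.get(f.device)
        if p is None:
            alerts.add((f.device, "unknown-device", f"{f.dst}:{f.dport}"))
            continue
        if (f.dst, f.dport) not in p.peers:
            alerts.add((f.device, "new-destination", f"{f.dst}:{f.dport}"))
        per_minute[(f.device, f.minute)] += 1
    for (device, minute), count in per_minute.items():
        baseline = profiles[device].max_flows_per_min
        if count > rate_factor * baseline:
            alerts.add((device, "connection-rate",
                        f"minute {minute}: {count} flows vs baseline max {baseline}"))
    return sorted(alerts)


if __name__ == "__main__":
    profiles = learn(synth_baseline())
    for alert in detect(profiles, synth_attack_period()):
        print(*alert, sep=" | ")
```

Two caveats a practitioner would keep in mind: the baseline is only as good as the learning window, so a device that was already compromised when learning started has its bad behaviour baked into “normal”, and a baseline should be re-learned after firmware updates that legitimately change a device’s peers. The alerts are also only useful if something can act on them at the point of access, such as the access point or gateway the camera sits behind.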
Tomi Engdahl says:
Consortium Forms Framework for Industrial Cybersecurity
http://www.eetimes.com/document.asp?doc_id=1330533&
The Industrial Internet Consortium (IIC) has released the initial version of its Security Framework for industrial Internet of Things (IIoT) development. The Framework, an adjunct to the IIoT Reference Architecture the Consortium released last year, seeks to initiate a process that will result in broad industry consensus on how to secure IIoT systems. The goal is to ensure that security is a fundamental part of an IIoT system’s architecture, not simply bolted on, and covers the system end-to-end including endpoint devices and the links between system elements.
“The Security Framework looks at IIoT security from three different perspectives,” Hamed Soroush, the IIC’s security working group chair, told EE Times in an interview. “Chip makers, equipment developers, and end users all have an important role in security for the IIoT, but often work without knowing one another’s perspectives. The Framework will help them talk to each other.” It also provides guidance to management on risk management when considering security, he added.
The Framework establishes a basis for discussions on how to address these needs. It also, Soroush pointed out, includes annexes that identify relevant existing security standards and best practices to guide developers. In addition, the Framework provides details on five characteristics — security, privacy, resilience, reliability and safety — that help define “trustworthiness” in the Information Technology (IT) and Operational Technology (OT) systems that overlap in the IIoT, as well as defining risk, assessments, threats, metrics and performance indicators to help business management protect their organizations.
The IIoT Security Framework is available as a PDF document for any interested party, not just Consortium members.
INDUSTRIAL INTERNET SECURITY FRAMEWORK TECHNICAL REPORT
http://www.iiconsortium.org/IISF.htm
Tomi Engdahl says:
KPMG Cyber reports that 31% of the consumers it surveyed are limiting their use of Internet of Things/connected devices owing to security concerns, and 61% of respondents said they would use IoT/connected devices more if they had greater confidence in their cybersecurity. Two-thirds of the 750 consumers questioned said they’re worried that IoT/connected devices could be hacked.
Source: http://semiengineering.com/the-week-in-review-iot-20/
Tomi Engdahl says:
Stickers emerge as EU’s weapon against dud IoT security
Whitegoods-inspired security rating scheme under discussion
http://www.theregister.co.uk/2016/10/10/eu_commission_preps_iot_security_privacy_rules/
The European Commission is readying a push to get companies to produce labels that reveal the security baked into internet-of-things things.
The labelling effort is part of a broader push to drive companies to better handle security controls and privacy data in the notoriously insecure and leaky devices.
Deputy head of cabinet Thibault Kleiner told Euractiv the Commission may push companies to develop labelling for secure internet-of-things devices.
The stickers plan is modelled on labels applied to white goods and other domestic appliances, as consumers apparently understand this kind of labelling.
The risk posed by sloppily-secured things was demonstrated neatly by a recent DDoS attack, rated the world’s largest to date, which emerged from a large internet of things botnet.
Commission plans cybersecurity rules for internet-connected machines
http://www.euractiv.com/section/innovation-industry/news/commission-plans-cybersecurity-rules-for-internet-connected-machines/
The European Commission is getting ready to propose new legislation to protect machines from cybersecurity breaches, signalling the executive’s growing interest in encouraging traditional European manufacturers to build more devices that are connected to the internet.
A new plan to overhaul EU telecoms law, which digital policy chiefs Günther Oettinger and Andrus Ansip presented three weeks ago, aims to speed up internet connections to meet the needs of big industries like car manufacturing and agriculture as they gradually use more internet functions.
But that transition to more and faster internet connections has caused many companies to worry that new products and industrial tools that rely on the internet will be more vulnerable to attacks from hackers.
EU lawmakers want to dispel those fears by creating rules that force companies to meet tough security standards and go through multi-pronged certification processes to guarantee privacy.
“That’s really a problem in the internet of things. It’s not enough to just look at one component. You need to look at the network, the cloud. You need a governance framework to get certification,”
Kleiner said the Commission would encourage companies to come up with a labelling system for internet-connected devices that are approved and secure.
There are currently around 6 billion internet-connected devices in use worldwide, and that figure is predicted to soar to over 20 billion by 2020, according to research by consultancy Gartner.
The internet of things is a catchphrase that has caught on with Brussels legislators and lobbyists, who use it to describe devices that haven’t used internet connection up until now—but will in the future, like connected cars that predict traffic or calculate ways to save fuel, or refrigerators that alert a person when they’re running out of food.
The EU labelling system that rates appliances based on how much energy they consume could be a template for the cybersecurity ratings: Kleiner pointed to that as “something I’d apply to the internet of things”.
Some hardware manufacturers are sceptical of the Commission’s plans to require certification for different parts of internet-connected devices and instead want hardware like SIM cards to be approved as security guarantees that can be used with appliances, Kleiner acknowledged.
Tomi Engdahl says:
The Cloud Security Alliance’s new report, Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products, is available as a free download. Brian Russell of Leidos said in a statement, “We hope to empower developers and organizations with the ability to create a security strategy that will help mitigate the most pressing threats to both consumer and business IoT products.”
https://cloudsecurityalliance.org/download/future-proofing-the-connected-world/
Tomi Engdahl says:
https://downloads.cloudsecurityalliance.org/assets/research/internet-of-things/future-proofing-the-connected-world.pdf
Tomi Engdahl says:
The Internet of Things is ‘dangerous’ but UK.gov won’t ride to the rescue
Suck it up, folks, you’ll have to take responsibility for yourselves out there
http://www.theregister.co.uk/2016/10/19/internet_of_things_dangerous_no_legislation_any_time_soon/
The Internet of Things is “dangerous”, according to some bloke trying to rebrand it as the “Internet of You” – and the government ain’t going to pass new laws to sort it out.
According to a press release, one Jim Hunter of Greenwave Communications quite rightly warned the Broadband World Forum this morning that putting seemingly innocuous data together with identifying details and wider context is dangerous.
Unfortunately, he then went on to say: “The IoT – or the IoY (Internet of You) – is about defining what those individual pixels are, which can build the stories which make sense. It’s then finding the part of the picture which gives the insight and information needed to provide a tailored personal blah blah…”
The government, however, is not in the mood to legislate on mandatory IoT security standards, with the Minister for Digital Fun* Matt Hancock merely mumbling something in Parliament about “cyber security research institutes”
Clearly, if industry doesn’t get its act together and start imposing its own requirements on IoT suppliers, the UK’s IoT offerings and networks are still going to be painfully insecure in years to come.
Tomi Engdahl says:
IoT insecurity: US govt summons tech bosses, bashes heads together
Everyone agrees: Our group has the best solution for patching bugs
http://www.theregister.co.uk/2016/10/19/us_govt_iot_security/
There are two things that everyone agrees on when it comes to the internet of things (IoT). First, security is a problem. And second, their approach is the best one.
The US government held a one-day meeting in Austin, Texas, today with the sole focus on a specific issue: the ability to upgrade and patch internet-connected devices.
It was this topic, noted staff from the National Telecommunications and Information Administration (NTIA) – an arm of the US Department of Commerce – that was top of the list of concerns when it held a public consultation on how and where the US government could and should help. It didn’t take long to figure out why.
Everyone – and we mean everyone – is worried about the fact that there are billions of devices that now connect to the internet, with billions more in the pipeline, and there is literally no agreed-upon security approach.
Fresh in people’s minds is the huge denial-of-service attack on security researcher Brian Krebs that knocked over his website even though he had Akamai protection. The culprit? A botnet made up of poorly patched webcams. It doesn’t take a genius to realize this is the beginning of a much bigger problem.
“The issue is urgent and it is complex,”
Follow me. No, me, not him
But just as big as the IoT security issue itself, is how to get people to agree on a solution. No one, from the chip manufacturers to the network operators to the device manufacturers, wants to be the one that will introduce new systems and approaches. As much as NTIA staff gently but repeatedly prodded the room to look at real solutions, the conversation quickly drifted back to identifying the problem and offering vague concepts of what needed to happen.
It wouldn’t be the internet of things without conflicting solutions to even the most intangible elements. In this case, it was a multitude of different frameworks for looking at the issue of IoT security.
The Online Trust Alliance outlined its principles (31, boiled down from 75) for how to start looking at the problem. A huge group of people had taken 18 months coming up with it, and everyone loves it, said its chair Jeff Wilbur.
Agreement, in part
Despite the lack of any real progress in the morning session of the event, that collaborative approach does seem to be holding.
There is broad agreement that a key aspect to finding a solution would be working out how to convey any efforts to the consumer. Why? Because additional security costs money, and without some kind of market differentiation, people are just going to buy the cheapest product.
There is real agreement that there needs to be some kind of ability to flag up whether an IoT device needs patching – which can be hard when many devices don’t have a display.
There is also widespread agreement that there needs to be a way to deal with the billions of out-of-date devices that will soon cover the planet, whether they are no longer maintained by the manufacturer or if the manufacturer has gone out of business.
Multistakeholder Process; Internet of Things (IoT) Security Upgradability and Patching
https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-iot-security
Tomi Engdahl says:
Side-Channel Attacks Make Devices Vulnerable
http://semiengineering.com/side-channel-attacks-make-devices-vulnerable/
The number and type of attack vectors are increasing as more of the world becomes connected and vulnerable to hackers.
As the world begins to take security more seriously, it becomes evident that a device is only as secure as its weakest component. No device can be made secure by protecting against a single kind of attack.
Hypervisors add a layer of separation between tasks making sure that one task cannot steal secrets from another. Protection of the JTAG port is necessary to prevent access underneath the hypervisor layer and get to the bare metal of the system. Encryption and root of trust can add additional layers of protection. But even then, the system may not be secure.
Every electronic device emits information about what it is doing, and that information can be used to pry open its defenses. These types of attack are generally referred to as side-channel attacks, and they look at characteristics such as power, radiation or timing to infer what the system is doing.
“The industry is waking up to security and there are constantly articles in the news about some hack, breach or network problems related to malicious attacks,”
Differential Power Analysis (DPA). These types of hack require not only scanning the data stream but the use of statistical analysis methods to obtain the necessary data. The statistical functions perform noise filtering. DPA identifies correlated regions in a device’s power consumption and requires little or no information about the target implementation.
Differential Fault Analysis (DFA). While not the focus of this article, encryption keys can be obtained by subjecting the device to faults, such as by changing the voltage, changing the frequency of operation, or any other form of non-typical usage.
This is not trivial. “Hackers will spend a lot of time trying to get specific data and will work through the security methods,”
“There are two problems,” Chen points out. “First, can I simulate it so that I could prevent this from happening and predict that I have a side channel issue? And second, what can I do during the design phase to mitigate it?”
There are differing opinions about the ability and effectiveness of analysis. The problem is the accuracy of the information that is available using simple RTL analysis. “In the digital realm, you can perform analysis using toggle information, but that may not be accurate enough,” explains Chen. “The model would require good correlation between the toggles and the power that is dissipated, including leakage and that other things do not matter. This could give you enough information to discern any differences, but for differential power you will have to run thousands if not millions of cycles.”
“When running on an FPGA prototype or emulator you still have toggle information, but the implementations on both of those are different because synthesis for an ASIC is different from an emulator,”
The only way to be certain would be to run SPICE simulation, but for large circuits that is very time consuming. This effectively means that you cannot perform analysis on this problem before the chip has been fabricated.
A growing problem
Devices such as SmartCards and phones that are enabled for financial transactions have been aware of these problems for a long time and have taken many countermeasures. Most of them have dedicated crypto engines for doing the sensitive operations. But newly emerging markets, such as home automation and Internet of Everything (IoT) are too cost sensitive and they are resorting to doing these functions on a generic processor. In addition, many of these devices are single function and that makes things worse. The more complex the device, the more obfuscation that comes for free.
“Nobody is paying attention to IoT and it is so full of holes that can easily be attacked,” says Chen. “However, it is not side-channel in the same way as stealing credit cards. It is about enabling access. People are trying to make money so hard that they aren’t yet taking the time and attention necessary to prevent attacks.”
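Chen’s first question above, whether a side-channel issue can be predicted from a simulation before silicon, can be tried at toy scale with exactly the toggle-count power model the article mentions, combined with a fixed-versus-random leakage assessment (Welch’s t-test, the TVLA methodology). The example below is added here and is not code from the article or from any vendor quoted in it. It assumes the 4-bit PRESENT S-box as the leaking operation, the Hamming weight of the latched value as the toggle count (register cleared before the write), Gaussian noise, and the conventional |t| > 4.5 pass/fail bound. It also shows the effect of one mitigation: a first-order Boolean-masked register whose mean toggle count no longer depends on the secret, so the same assessment reports no first-order leak.

```python
import math
import random
from statistics import mean, variance

# Toy 4-bit S-box (the PRESENT cipher S-box; used here as the leaking operation).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

T_THRESHOLD = 4.5  # conventional TVLA bound on |t| for "this design leaks"


def toggles(value):
    """Toggle-count power model: bits that flip when a zeroed register
    latches `value`, i.e. its Hamming weight."""
    return bin(value).count("1")


def unmasked_trace(pt, key, rng, noise=0.5):
    """One sample of the leaking cycle for the straightforward design:
    the S-box output is written directly into a register."""
    out = SBOX[pt ^ key]
    return toggles(out) + rng.gauss(0.0, noise)


def masked_trace(pt, key, rng, noise=0.5):
    """Same cycle for a first-order Boolean-masked design: one register holds
    out ^ m and a second holds the fresh random mask m. Both toggle, but the
    expected total toggle count is the same for every `out`."""
    out = SBOX[pt ^ key]
    m = rng.randrange(16)
    return toggles(out ^ m) + toggles(m) + rng.gauss(0.0, noise)


def welch_t(a, b):
    """Welch's t-statistic for a difference in means between two samples."""
    return (mean(a) - mean(b)) / math.sqrt(variance(a) / len(a) + variance(b) / len(b))


def max_t_statistic(trace_fn, key, n=2000, seed=1):
    """Fixed-vs-random leakage assessment over every possible fixed plaintext.
    Returns the largest |t| observed; above T_THRESHOLD the fixed-plaintext
    traces are statistically distinguishable from random-plaintext traces,
    i.e. the design has a first-order side channel in this power model."""
    rng = random.Random(seed)
    worst = 0.0
    for fixed_pt in range(16):
        fixed = [trace_fn(fixed_pt, key, rng) for _ in range(n)]
        rand = [trace_fn(rng.randrange(16), key, rng) for _ in range(n)]
        worst = max(worst, abs(welch_t(fixed, rand)))
    return worst


def leaks(trace_fn, key, n=2000, seed=1):
    """Pass/fail verdict for a design under the constructed power model."""
    return max_t_statistic(trace_fn, key, n, seed) > T_THRESHOLD


if __name__ == "__main__":
    KEY = 0xB  # constructed secret nibble
    for name, fn in (("unmasked", unmasked_trace), ("masked", masked_trace)):
        t = max_t_statistic(fn, KEY)
        verdict = "LEAKS" if t > T_THRESHOLD else "passes"
        print(f"{name:8s} max |t| = {t:6.1f} -> {verdict}")
```

The point of the toggle model is the one Chen makes: it is cheap enough to run thousands of cycles at RTL, but it only stands in for real power if toggles correlate well with dissipation, so a pass here is a necessary check rather than a guarantee. The masked variant also illustrates why first-order masking is not the end of the story: its mean is independent of the secret, but the variance of the toggle count still depends on `out`, which a second-order assessment would pick up.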
Tomi Engdahl says:
F-Secure’s development project is delayed: there is already a need for Internet of Things security
The development of Sense, the Internet of Things security device that security company F-Secure unveiled a year ago, has proved more difficult than expected. New CEO Samu Konttinen is still counting on the product being completed.
When Sense was presented to the media a year ago, it was conservatively estimated to be completed in the spring of 2016. The target then moved to the summer, and then to the autumn.
Sense is an Internet of Things security device for homes, through which F-Secure aims to protect all the computers in the home and the other equipment linked to the wireless LAN. Wireless connections have spread to domestic appliances, entertainment equipment and TV sets, as well as, for example, ground source heat pumps. These often do not have any security.
However, protecting all of these devices is not easy. Different types of devices do not have common interfaces, yet the security device should still be easy enough for ordinary people to use.
“We had to move the launch. We want a sufficiently high level of quality,”
F-Secure has increased the resources for product development. The device is expected to be completed by the end of the year.
Source: http://www.tivi.fi/Kaikki_uutiset/f-securen-kehityshanke-myohastyy-esineiden-internetin-tietoturvalle-olisi-jo-tarvetta-6590916
Tomi Engdahl says:
Future-proofing the Connected World:
13 Steps to Developing Secure IoT Products
https://cloudsecurityalliance.org/download/future-proofing-the-connected-world/
https://downloads.cloudsecurityalliance.org/assets/research/internet-of-things/future-proofing-the-connected-world.pdf
Tomi Engdahl says:
Data ethics in IoT? Pff, you and your silly notions of privacy
Children will die, companies will shout ‘sue me then,’ and you’ll still be using Facebook
http://www.theregister.co.uk/2016/10/26/iot_data_ethics_talk/
IoT World Congress The future of personal data sharing is that “everything will become as-a-service” and nobody will own any property outright ever again, a gloomy lawyer told a wide-ranging data ethics discussion at IoT Solutions World Congress this afternoon in Barcelona.
Painting this cheery picture was Giulio Coraggio of international law firm DLA Piper. He was sitting on a panel discussion about data ethics, along with half a dozen other speakers who all disagreed about the ethics of data use and privacy within the Internet of Things.
“With the digital innovation we will not own anything. We will not own our car, there will be car sharing; we will not own our house. Everything will become as-a-service,” cried Coraggio. “People who now don’t care much about their privacy, they will see their privacy as their main asset.”
Uplifting stuff, for sure. He makes a good point: the old adage about the user himself being the saleable product of free-to-use services holds true today, looking at social media networks.
“We should think about data ethics as an industry-wide obligation,” countered David Blaszkowski, a former regulator and the MD of the Financial Services Collaborative. “The IoT industry has the chance from the beginning to do the right thing.”
Tomi Engdahl says:
Good luck securing ‘things’ when users assume ‘stuff just works’
Making devices secure by design requires more effort than vendors currently allow
http://www.theregister.co.uk/2016/10/27/good_luck_securing_things_when_users_assume_stuff_just_works/
Every device – every desktop and laptop and smartphone and connected widget of any sort – must be secure enough against attack that we never need worry that we’re doing enough if we do nothing at all.
Is that hard? Maybe. Making devices that are secure by design requires more forethought than we currently allow in product development. That’s the first thing we need to change.
Does security make things more complex for the users? Probably. It’s harder to open my doors when the grates are drawn and locked. But that’s the tradeoff for security you don’t need to tinker with or even think about much. Locks just work, and so do devices that are secure by design. Is it necessary? Absolutely. We’ve reached a point on the BYOD adoption curve at which all of our data is everywhere. Even if we completely lock down the enterprise, there’s no guarantee all of its data stays within strictly patrolled bounds, nor any reason to believe that all the devices coming in daily from employees’ homes haven’t been exploited and weaponised.
Paranoia won’t help us much. Thoughtful security by design would go a long way.
Tomi Engdahl says:
A Security Foundation For Billions Of Devices
http://semiengineering.com/a-security-foundation-for-billions-of-devices/
What’s different about the Cortex-M23 and Cortex-M33.
Securing connected devices is a well-known challenge – and opportunity – at ARM. There are more than 10 billion units of Cortex-A based chips deployed in mobile devices that use ARM TrustZone technology to protect the root of trust from potentially distrustful software. ARM tasked some of its most talented engineers to optimize and transfer this security foundation into the very heart of a new version of the M-profile architecture. They have achieved this and ensured it fits within the tight embedded constraints:
Real-time, with fast transitions between security states
Deterministic
Still highly energy efficient
The outcome, the ARMv8-M architecture, was unveiled last year at ARMTechCon 2015, promising to bring advanced software isolation into the smallest of processors and devices using ARM TrustZone for ARMv8-M technology. If you are looking for more information on this new architecture, Joseph Yiu’s great blog is the best place to get started.
Introducing Cortex-M23 and Cortex-M33
Today I am pleased to announce two new ARM Cortex-M processors built on TrustZone technology: the Cortex-M23, for the most area and energy constrained applications, based on the ARMv8-M Baseline profile; and the Cortex-M33, for the more capable systems, based on the ARMv8-M Mainline. Both profiles offer ARM TrustZone technology as their security foundation and provide an easier-to-use MPU programmers’ model, with the capability to restrict debug visibility, thus protecting the secure software confidentiality. The security concept is holistic, it goes beyond processor boundaries and encompasses the complete system: bus/interconnect, memories and peripherals, exporting the processor security state across the system using the AMBA AHB5 standard.
Whitepaper – ARMv8-M Architecture Technical Overview
https://community.arm.com/docs/DOC-10896
Tomi Engdahl says:
Do Automakers Still See Hackers as a Hoax?
http://www.eetimes.com/document.asp?doc_id=1330684&
Earlier this week, when the federal government’s automotive safety regulator laid out cybersecurity guidelines for carmakers, U.S. Transportation Secretary Anthony Foxx said that cybersecurity is “a safety issue and a top priority at the department.”
Clearly, the government’s agency hopes to get ahead of potential attacks on vehicles, well before cybersecurity blows up in the face of connected cars. There is fear among regulators that a cybersecurity failure could irreparably damage the future of highly automated vehicles.
But never mind the fed’s concerns.
As it turns out, some of the best minds in the automotive industry don’t believe hackers are interested in cars.
This perception is clear in survey results released Thursday by Ponemon Institute, the leading independent security research organization.
U.S. DOT issues Federal guidance to the automotive industry for improving motor vehicle cybersecurity
http://www.nhtsa.gov/About-NHTSA/Press-Releases/nhtsa_cybersecurity_best_practices_10242016
Guidance covers cybersecurity best practices for all motor vehicles, individuals and organizations manufacturing and designing vehicle systems and software
Tomi Engdahl says:
Security Becomes A Multi-System Issue
http://semiengineering.com/security-becomes-a-multi-system-issue/
Design teams will have to bake strategies in from the start, no matter how insignificant the device.
The fallout from the Mirai malware attack last week was surprising, given that it was published on the Internet several months ago as open-source. Despite numerous warnings, it still managed to cause denial of service attacks at Amazon, Netflix, and a slew of other companies that are supposed to be able to fend off these kinds of attacks.
The good news is that it has more people talking about the issue. But the real challenge isn’t stopping one attack. It’s packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process.
Just as devices get more sophisticated, so do hackers. Being able to stop attacks with a thumbprint or a password isn’t realistic anymore. It now requires a rethinking of the fundamental architecture for any connected device, which is basically everything with a power supply these days. The good and bad of a connected world is that everything and everyone is connected. And the best way to deal with that effectively is at the system design level.
The reality is that security breaches can cause the same kinds of physical harm as a faulty wiring scheme, even with devices that in themselves are benign. Those risks increase significantly when they are connected together into systems of systems that are also connected to safety-critical systems. It’s time to look at this at a multi-system, multi-disciplinary level and to tackle it with the same kind of innovation that made complex semiconductor design a reality. Otherwise, we literally could be playing with fire.
Tomi Engdahl says:
What’s Next For IoT Security?
http://semiengineering.com/whats-next-for-iot-security/
With security, the little things can cause as much of a problem as the big things. As shown in the recent distributed denial of service attack (DDoS) on Dyn, which created waves of attacks using Mirai malware, connected devices of all sizes can be amassed into an army of bots that can bring even giants like Amazon and Netflix to a dead stop.
This attack was predicted and warned against by numerous security experts since it was published as open source code several months earlier, but that did little to stop its progression. And therein lies one of the key problems in security today. There are not enough layers of security being built into electronics to stop these kinds of problems, and no standard way of creating them.
What’s interesting here is that the most recent attack went well beyond the usual software and network breaches. It targeted the firmware inside devices that were secured by weak passwords. And most security experts believe this is just the beginning.
“This is a story that’s going to repeat itself a lot of times before it becomes old and stale news,” said ARM CTO Mike Muller. “There is no sudden, rapid fix. It’s not as if all the devices out there have appalling security. You can buy modern IoT devices that are secure and do handle security well. Everything has flaws. But one of the things we think is important for devices going forward is the ability to make them securely upgradeable in the field. Once you’ve lost control of an IoT device, it’s really important to be able to get that control back. You can do everything you can to try to prevent losing control. But if there is a flaw, you need to be able to securely re-flash a device even if you’ve lost control of the application at the top level. Architecturally, that’s one of the important things to press on.”
It’s also one of the pieces of design that needs to be automated to make sure it gets done right.
“There are three areas where we see EDA can help—side channel attacks, reverse engineering, and supply chain attacks,”
Software
What was different with the recent Mirai attack was that it focused on firmware, which basically is software that is embedded in devices to provide low-level control of certain functions. In the past, most firmware attacks have focused on commandeering the BIOS of computers, either for ransomware or for espionage purposes. In contrast, the majority of the breaches that have made headlines involve networks or operating systems and/or middleware, as well as the apps that run on them.
Digging into firmware is more difficult because it requires access to software stored and, frequently, hidden within a chip. That’s why systems companies park their SSL keys there, along with a history of private keys that can work with those SSL keys.
“If the keys leak, your security is compromised,”
“If you can crack into a key, you can replace the software and remotely control the device. Keys are the Holy Grail for hackers.”
Many of these attacks require a physical component, such as a grinder, physical probes, and a scanning electron microscope.
There also are side channel attacks, which use a passive antenna to pick up electromagnetic activity and figure out the keys.
Setting standards vs. using them
Still, something has to be done, and given the recent spate of breaches, it needs to happen quickly and on a grand scale.
One of the big problems with security is a lack of consistent and current standards. Standards that do exist, such as Transport Layer Security, do little to secure a device such as a surveillance camera or a connected entertainment system, which the U.S. Department of Homeland Security identified as the culprits in the Dyn DDoS attack.
Homeland Security Secretary Jeh Johnson said in a statement last month that his department has been “working to develop a set of strategic principles for securing the Internet of Things, which we plan to release in the coming weeks.”
Still, even if everything works as planned, connected devices are not suddenly going to be secure overnight. For one thing, there are plenty of legacy devices in the market. For another, even where technology does exist it isn’t always used.
“It’s very hard to get that there’s no direct return on investment for a lot of these guys into implementing that next step of security. The potential downside they’re protecting themselves against is a pretty big downside – like, you don’t want to be on the front page of The New York Times with your product being hacked. People are becoming more aware of this, but definitely getting to the step where you recognize this and you build the capabilities to actually get the security into your product is a big challenge.”
The increasing complexity of devices such as microcontrollers is an issue, too.
“There’s always going to be bugs.”
Solving the problems
One possible solution involves what Chris Clark, principal security engineer in Synopsys’ Software Integrity Group, calls “threat modeling” based on a security testing methodology.
“To do this it has to be future-proof, meaning it needs to be open to manufacturers so it doesn’t take a year to update,” Clark said. “It also requires tools that meet specific testing methodologies.”
“On the digital side, a lot of the teams are small, and focused on logic and processor capability,”
“Analog will continue to be art and black magic, and analog will continue to be more of a craftsman/artist approach.”
That has a direct bearing on security, as well, because security needs to span both worlds in a design, as well as others. In fact, IEEE’s plan to add general blueprints for vertical markets
Clearly, IoT device designers – whether new breed or old school – must be cognizant of multiple factors, including the concurrent development of software and hardware, architecture, subsystems and applications.
Security needs to be a top priority at every step of the design process. If not, the little things that get overlooked will turn into very large problems that potentially could cause much more damage than a temporary denial of service attack.
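Mike Muller’s point above, that a device must be securely re-flashable even after the application layer has been lost, comes down to what the bootloader checks before it accepts an image. The following is an added example, not code from the article or from ARM: a bootloader-side update check in which the device holds only a public verification key, the manifest signature is verified before anything in it is parsed, the version is compared against the installed one so a genuinely signed but vulnerable older image cannot be replayed, and the image hash is checked against the signed manifest. The manifest format, the sample images and the use of a Lamport one-time signature (chosen only so this runs with the Python standard library; a real bootloader would use ECDSA, Ed25519 or LMS with the same control flow) are all assumptions of the example.

```python
"""Added example (not from the article): a bootloader-side firmware update check.

Control flow: verify signature -> parse manifest -> anti-rollback -> image hash.
Signature scheme: Lamport one-time signature, hash-based, used here only so the
example runs with the standard library. The device stores just the public key.
"""
import hashlib
import json
import os

N_BITS = 256


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen():
    # Secret key: 256 pairs of random 32-byte values (stays with the vendor).
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(N_BITS)]
    # Public key: the hash of each secret value (burned into the bootloader).
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def _bit(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (7 - i % 8)) & 1


def lamport_sign(sk, message: bytes):
    d = sha256(message)
    return [sk[i][_bit(d, i)] for i in range(N_BITS)]


def lamport_verify(pk, message: bytes, signature) -> bool:
    if len(signature) != N_BITS:
        return False
    d = sha256(message)
    return all(sha256(signature[i]) == pk[i][_bit(d, i)] for i in range(N_BITS))


def make_update(sk, version: int, image: bytes):
    """Vendor side: sign a manifest that binds the version to the image hash."""
    manifest = json.dumps({"version": version, "image_sha256": sha256(image).hex()},
                          sort_keys=True).encode()
    return manifest, lamport_sign(sk, manifest), image


def check_update(pk, installed_version: int, manifest: bytes, signature, image: bytes):
    """Device side. Returns (accepted, reason). Nothing is parsed until the
    signature has been verified, so a malformed manifest cannot reach the parser."""
    if not lamport_verify(pk, manifest, signature):
        return False, "bad signature"
    try:
        m = json.loads(manifest)
        version = int(m["version"])
        expected = bytes.fromhex(m["image_sha256"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed manifest"
    if version <= installed_version:
        return False, "rollback refused"          # anti-rollback
    if sha256(image) != expected:
        return False, "image hash mismatch"       # image was swapped after signing
    return True, "accepted"


def demo():
    sk, pk = lamport_keygen()
    installed = 3
    good = make_update(sk, 4, b"firmware v4 (constructed sample image)")
    results = {"good": check_update(pk, installed, *good)}
    # Attacker swaps the image but cannot re-sign the manifest.
    m, s, _ = good
    results["tampered_image"] = check_update(pk, installed, m, s, b"backdoored image")
    # Attacker replays a genuinely signed but older, vulnerable release.
    # (Reusing the one-time key here is only for the demonstration.)
    old = make_update(sk, 2, b"firmware v2 (constructed sample image)")
    results["rollback"] = check_update(pk, installed, *old)
    # Attacker edits the manifest text; the signature no longer matches.
    forged = m.replace(b'"version": 4', b'"version": 9')
    results["forged_manifest"] = check_update(pk, installed, forged, s, good[2])
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:16s} accepted={ok} ({why})")
```

The order of the checks matters: signature first, so that the parser only ever sees vendor-signed input; version second, so that an attacker who has a signed copy of last year’s firmware cannot use it to reintroduce a fixed bug.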
Tomi Engdahl says:
Solving IoT Security – Pursuing Distributed Security Enforcement
http://www.securityweek.com/solving-iot-security-pursuing-distributed-security-enforcement
For many of us in the Security Industry, the possibility of using Internet of Things (IoT) devices as a launchpad for an attack has been mostly theoretical. However, information obtained after the recent massive distributed denial-of-service (DDoS) attack against the services offered by DYN.com appears to show that the threat is real and immediate.
The definition of IoT is often a little vague. Generally speaking, I consider any device with an IP address associated with it to be some sort of an IoT device, though not all of them are problems. The ones that are the largest source of concern are those that have the following characteristics:
• Have a statically configured administrative account
• Users can set and forget them
• Reach out to an Internet-located service for administrative control (i.e. cloud based management)
• Have no automated patch or update management
Essentially what I am really talking about when using the term IoT are devices with IP addresses where users don’t directly interact with the Operating System on a continual basis. I would argue that even devices like an iPhone or Android-based device are also essentially IoT, even though they don’t meet some of the criteria.
While we could try and find tools, techniques, and processes to address these issues, given the vast array of devices that qualify as IoT devices, that quickly becomes a daunting, if not impossible task. In reality, that will likely result in stasis setting in and nothing getting done, leaving the current gaping security hole in place.
But what if we could actually embed security inspection right into the network itself? For any of these IoT devices to be effective as a malicious device they need to be able to communicate with other devices.
If we step back just a little bit, the concept of internal segmentation essentially means to deploy network based security enforcement technology throughout the extended network, even into the cloud, and not just at traditional edge and chokepoints between places in the network. For example, you could deploy network-based security enforcement at the point that the device connects to the network, such as the L2/3 switching layer for traditional wired systems (like in the Data Center), or the wirelessly connected systems now predominantly used by end-users, and then direct traffic into assigned network segments that can be monitored as well as control data that moves from one network segment to another.
This sort of internal segmentation strategy is especially relevant in the virtualization technology space
The big risk in a virtualized infrastructure is the rate at which malware and other attacks can spread, and the number of systems available to be compromised.
This challenge in the virtualization space provides a ready environment to begin putting internal segmentation practices to use. This is true in part because virtualized networks are often new deployments, but also because the physical effort required to deploy internal segmentation doesn’t exist – there are no firewalls or other enforcement products to physically install, transceivers to install, cables to run, etc.
For some deployments, secure segmentation is an area of critical need since another benefit of virtualization is the ability to keep legacy systems and operating platforms running longer. The challenge is that many of these systems and platforms don’t have current host-based security tools available to them.
When you are looking at designing your virtualization infrastructure, there are multiple ways that you can build internal segmentation right into the process.
It’s unrealistic to expect any distributed deployment to be homogenous, particularly when it comes to security solutions, so consideration of how your different vendors work or integrate with other solutions (without introducing cumbersome encapsulation technologies, like ICAP/WCCP, etc.) is also critical to deploying a functional internal segmentation solution. Wouldn’t it be nice if your L2 switching layer could automatically segment a highly compromised device from all other devices to prevent local propagation of malware? For this to happen, your security devices need to be able to inform your transport devices to make a forwarding path change.
Here are some initial recommendations for solving your IoT security challenges:
• Look for palatable starting points. Virtualization, cloud deployments, and remote office locations are good and easy places to start.
• Look for products that support a multi-vendor enforcement fabric to share, synchronize, and automatically respond to threats, even across different network environments and domains.
• If you’re nervous about beginning with enforcement on day one, then start with visualization and then turn on enforcement by degrees – like transitioning from IDS to IPS.
Tomi Engdahl says:
There was no disconnect at IoT Planet
https://www.mentor.com/embedded-software/blog/post/there-was-no-disconnect-at-iot-planet-c8c51c0e-17cc-4d2e-aa7b-c0403579d2b5?cmpid=10168
This week in Grenoble at the IoT Planet® event there were two main conversations going on: Connectivity and Security. Both are proving to be key technologies
Depending on which prediction you believe, the rate of new IoT connections is growing at 30% per annum, and, according to Gartner, we will have 21 billion internet-connected devices by 2020.
The panel at IoT Planet agreed that security should be holistic, covering every stage of the IoT data path from the Edge Node, with appropriate security capabilities included in the silicon such as encryption and signed-communication, through to the data collection gateway, which itself should have a secure embedded architecture, and then to secure storage in the cloud. For sensitive applications, Public/Private key exchange is desirable at each stage in data transfer. There was some debate on the cost of security and in each use case the value of the data or process is different. If the application is health-monitoring, what is the value of the data on which a life may depend? For an industrial application, a hacker could take a critical production process off-line. Each case needs to be analyzed and the appropriate level of security applied – it will have a financial cost.
At the physical level, multiple communication options have emerged and the best choice will depend on the device and range required.
Once IoT Edge Node data has been communicated to a secure Gateway, it needs to be managed and processed, and Gateway architectures have emerged that can host “secure world” operations alongside “normal world” operations on the same device. This type of architecture has become important for ensuring both safety and security in real-time operations.
Tomi Engdahl says:
Regulation of the Internet of Things
https://www.schneier.com/blog/archives/2016/11/regulation_of_t.html
Late last month, popular websites like Twitter, Pinterest, Reddit and PayPal went down for most of a day. The distributed denial-of-service attack that caused the outages, and the vulnerabilities that made the attack possible, was as much a failure of market and policy as it was of technology. If we want to secure our increasingly computerized and connected world, we need more government involvement in the security of the “Internet of Things” and increased regulation of what are now critical and life-threatening technologies. It’s no longer a question of if, it’s a question of when.
First, the facts. Those websites went down because their domain name provider — a company named Dyn — was forced offline. We don’t know who perpetrated that attack, but it could have easily been a lone hacker.
Your security on the Internet depends on the security of millions of Internet-enabled devices, designed and sold by companies you’ve never heard of to consumers who don’t care about your security.
The technical reason these devices are insecure is complicated, but there is a market failure at work. The Internet of Things is bringing computerization and connectivity to many tens of millions of devices worldwide. These devices will affect every aspect of our lives, because they’re things like cars, home appliances, thermostats, lightbulbs, fitness trackers, medical devices, smart streetlights and sidewalk squares. Many of these devices are low-cost, designed and built offshore, then rebranded and resold. The teams building these devices don’t have the security expertise we’ve come to expect from the major computer and smartphone manufacturers, simply because the market won’t stand for the additional costs that would require. These devices don’t get security updates like our more expensive computers, and many don’t even have a way to be patched. And, unlike our computers and phones, they stay around for years and decades.
And, like pollution, the only solution is to regulate. The government could impose minimum security standards on IoT manufacturers, forcing them to make their devices secure even though their customers don’t care. They could impose liabilities on manufacturers, allowing companies like Dyn to sue them if their devices are used in DDoS attacks. The details would need to be carefully scoped, but either of these options would raise the cost of insecurity and give companies incentives to spend money making their devices secure.
It’s true that this is a domestic solution to an international problem and that there’s no U.S. regulation that will affect, say, an Asian-made product sold in South America, even though that product could still be used to take down U.S. websites. But the main costs in making software come from development. If the United States and perhaps a few other major markets implement strong Internet-security regulations on IoT devices, manufacturers will be forced to upgrade their security if they want to sell to those markets. And any improvements they make in their software will be available in their products wherever they are sold, simply because it makes no sense to maintain two different versions of the software. This is truly an area where the actions of a few countries can drive worldwide change.
Tomi Engdahl says:
To Bolster IoT Security, Think Holistically
http://semiengineering.com/to-bolster-iot-security-think-holistically/
Building the infrastructure for a secure IoT.
On Friday Oct. 21, a new phrase captured the public’s imagination: “script kiddie.” That’s what security experts suspect was at work when a denial-of-service attack slipped in through thousands of security cameras and home entertainment devices and brought much of the Internet to its knees.
What makes this one chilling is not just that it apparently came from amateurs but that it came in through IoT end points. It took years for the IT industry to build an effective infrastructure to cope with attacks on personal computers. But with IoT security, we’re in the early days staring at an infrastructure with potentially trillions of end points and vastly different networking configurations.
Late last month, ARM contributed to the relentless IoT ecosystem work around security, announcing an IoT technology suite with a focus on just that: security.
ARMv8-M incorporates TrustZone, a security infrastructure that helps you partition Secure versus Non-secure worlds. TrustZone helps develop more open secure platforms.
IoT represents an enormous opportunity for amazing electronics innovation, and right now, for black hats.
Ed Sperling has written about unexpected security holes, and Jeff Dorsch recently wrote about some of the efforts to plug the holes here.
Unexpected Security Holes
http://semiengineering.com/unexpected-security-holes/
As more things are connected, security holes are showing up in places no one considered.
Security is emerging as one of the top challenges in semiconductor design across a variety of markets, with the number of security holes growing by orders of magnitude in sectors that have never dealt with these kinds of design constraints before.
While security has been a topic of conversation for years in mobile phones and data centers, commercial and industrial equipment is being connected to the Internet for the first time. This provides benefits such as remote management capabilities and alerts for potential failures. But it also increases the risk of data theft or remote tampering.
Securing The IoT
http://semiengineering.com/securing-the-iot-4/
Last week’s Internet outages highlighted the dangers of unsecured IoT devices and the need for a comprehensive set of standards.
Tomi Engdahl says:
Can Low-Power Devices Be Secure?
http://semiengineering.com/can-low-power-devices-be-secure/
Demand for low-power, high-performance devices also calls for security measures.
Successfully designing a low-power, high-performance chip design is an accomplishment, but effectively implementing cybersecurity in such devices makes it much more difficult.
Safety, particularly functional safety for automotive and military/aerospace applications, also can be a prime concern in creating low-power, high-performance integrated circuits and systems. When combined with security, it significantly complicates the checklist at the outset of a design project.
But those factors are becoming mandatory for a number of IC and system-level designs. In fact, they are becoming prerequisites for some designs to even be considered by system vendors, greatly adding to the complexity of chips and the amount of work required to design and verify them. Nowhere is this more vital than with embedded vision, which is becoming a key part of driver-assisted vehicles.
Microcontroller suppliers were on a panel at ARM TechCon, addressing the topic of IoT and security, moderated by Nandan Nayampally, vice president of marketing for ARM’s CPU Group.
“For IoT right now, we’re moving to a place where we’re going to get globally connected,” said Doug Gardner, chief technologist for the Security Technology Group of Analog Devices. “We’re moving from a space where we’re IT-centric to basically content-centric, so you kind of define perimeter as you try to protect things. If you really believe in the vision of IoT, you’re going to move to ‘connectivity-centric’, which means you have no more perimeter. It’s all open. You have machine-to-machine, you have interactions. You have no choice but to put security at your endpoint. You need that security to be based in a hardware root of trust.”
Gardner noted, “You really have to start moving to a multilayer security approach. It starts, of course, with the root of trust built in the hardware.”
That includes everything from home appliances to commercial and industrial applications. “One of the biggest hurdles we have is just getting people, even though there’s been so many hacks going on, to realize they really need security,”
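Gardner’s “root of trust built in the hardware” is easiest to see as a measured boot chain. The following is an added example, not code from the article or from Analog Devices: each boot stage is hashed before it runs and the hash is folded into a hardware register with TPM-PCR-style extend semantics (reset to zeros, changeable only through extend), a software event log records the same measurements, and a verifier checks that the log replays to the hardware value and that the value equals a known-good build. The stage images, the golden value and the `RootOfTrust` class are constructed for the example.

```python
"""Added example (not from the article): a model of measured boot anchored in a
hardware root of trust. Images, golden value and the register model are
constructed for this example."""
import hashlib


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    # PCR semantics: new = H(old || measurement). One-way and order-sensitive;
    # there is no operation that sets the register to a chosen value.
    return sha256(register + measurement)


class RootOfTrust:
    RESET = bytes(32)

    def __init__(self):
        self.pcr = self.RESET      # lives in hardware, not writable by the OS
        self.event_log = []        # (stage, measurement), kept by software

    def measure_and_launch(self, stage: str, image: bytes):
        m = sha256(image)          # measure before handing over control
        self.event_log.append((stage, m))
        self.pcr = extend(self.pcr, m)


def boot(stages):
    """stages: [(name, image_bytes), ...] in boot order; ROM measures first."""
    rot = RootOfTrust()
    for name, image in stages:
        rot.measure_and_launch(name, image)
    return rot


def replay(event_log) -> bytes:
    pcr = RootOfTrust.RESET
    for _, m in event_log:
        pcr = extend(pcr, m)
    return pcr


def attest(rot: RootOfTrust, golden: bytes) -> dict:
    """What a remote verifier checks: the software log must replay to the
    hardware-held value, and that value must equal the known-good build."""
    return {
        "log_matches_hardware": replay(rot.event_log) == rot.pcr,
        "matches_golden": rot.pcr == golden,
    }


GOOD_STAGES = [
    ("bootloader", b"stage1 bootloader (constructed)"),
    ("kernel", b"kernel 4.x (constructed)"),
    ("app", b"camera application (constructed)"),
]


def demo():
    golden = boot(GOOD_STAGES).pcr
    out = {"clean": attest(boot(GOOD_STAGES), golden)}

    # A backdoored application: its measurement differs, so the chain differs.
    bad = GOOD_STAGES[:2] + [("app", b"camera application + backdoor")]
    compromised = boot(bad)
    out["modified_app"] = attest(compromised, golden)

    # The attacker, now running as the app, rewrites the software log to the
    # good values. The log replays to golden, but the hardware register does
    # not agree with it, so the forgery is caught.
    compromised.event_log = list(boot(GOOD_STAGES).event_log)
    out["forged_log"] = attest(compromised, golden)
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The reason the root has to be in hardware is visible in the last case: software that runs after the measurement can rewrite its own log, but it cannot rewind a register it can only extend, so the verifier’s two checks together expose the change.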
Tomi Engdahl says:
F-Secure was surprised by the complexity of its IoT “miracle” protection device – “There was no precise understanding of the problems”
F-Secure’s first hardware project, the IoT security appliance Sense, surprised the company with its complexity, says Kristian Järnefelt, the director responsible for the company’s consumer business.
Sense is designed to solve the security problems of poorly protected IoT devices by guarding the traffic on the home network. F-Secure said last week that Sense will not be released until next summer, i.e. more than a year later than the original schedule.
“Hindsight is always easier. Looking back at the schedules, we did not have a fully accurate understanding of how complex and demanding the project is,” says Järnefelt.
“When we started, some time went by while the entire project kept growing and growing. Now we are at the point where the loose ends are being tied together,”
The Sense system is almost ready and in its final tests. Work is now being done on the device’s security features and on the range of supported terminals.
“We have strict standards for the level of security, quality and reliability it has to meet.”
Sense is designed to protect the home network and its connected devices against abuse.
It acts as a wireless local area network router and firewall that analyzes the traffic passing through it. It learns to recognize what the actual network requests are and blocks malicious traffic that differs from what is expected.
Source: http://www.tivi.fi/Kaikki_uutiset/f-secure-yllattyi-iot-ihmelaitteen-tyolaydesta-ei-ollut-tarkkaa-ymmarrysta-6598069
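Two of the posts above describe the same mechanism from different ends: the SecurityWeek piece wants the access layer to learn a device’s normal traffic, alert on deviations, and, once enforcement is switched on “by degrees”, have the switch isolate a compromised device; F-Secure’s Sense is described as learning what the real network requests are and blocking traffic that differs from them. The following is an added example that is not code from either vendor: a per-device traffic baseline with a monitor/enforce switch, a Mirai-style telnet fan-out rule as the trigger, and the quarantine returned as a decision rather than pushed to a real switch or firewall API. The flow records, device names, hosts and thresholds are constructed for the example.

```python
"""Added example (not SecurityWeek's or F-Secure's code): a per-device traffic
baseline with a monitor/enforce switch, as an access-layer controller or home
gateway might run it. Flow records and thresholds are constructed."""
from collections import defaultdict

SCAN_PORTS = {23, 2323}   # telnet ports Mirai-style bots probe
SCAN_FANOUT = 8           # distinct hosts on those ports before we call it a scan


class SegmentationMonitor:
    def __init__(self, mode="monitor"):
        if mode not in ("monitor", "enforce"):
            raise ValueError("mode must be 'monitor' or 'enforce'")
        self.mode = mode
        self.baseline = defaultdict(set)   # device -> {(dst_host, dst_port, proto)}
        self.quarantined = set()
        self.flagged = set()
        self.events = []

    def learn(self, flows):
        """Training window: record what each device normally talks to."""
        for dev, host, port, proto in flows:
            self.baseline[dev].add((host, port, proto))

    def observe(self, flows):
        """Production window: report deviations; isolate scanners when enforcing."""
        scan_targets = defaultdict(set)
        for dev, host, port, proto in flows:
            if dev in self.quarantined:
                # An isolated device keeps only its remediation path;
                # everything else it sends is dropped at the switch port.
                self.events.append(("dropped", dev, host, port))
                continue
            if (host, port, proto) not in self.baseline[dev]:
                self.events.append(("new_destination", dev, host, port))
            if port in SCAN_PORTS:
                scan_targets[dev].add(host)
                if len(scan_targets[dev]) >= SCAN_FANOUT:
                    self._respond(dev, f"telnet fan-out to {len(scan_targets[dev])} hosts")
        return list(self.events)

    def _respond(self, dev, reason):
        if dev in self.flagged:
            return
        self.flagged.add(dev)
        if self.mode == "enforce":
            self.quarantined.add(dev)            # tell the transport layer to re-path
            self.events.append(("quarantine", dev, reason))
        else:
            self.events.append(("would_quarantine", dev, reason))   # visibility only


def sample_flows():
    """Constructed traffic. cam-01 normally talks only to its cloud relay and NTP;
    in the second window it starts probing neighbours on telnet, as a
    Mirai-infected camera does. tv-01 merely contacts one new host."""
    normal = [("cam-01", "relay.vendor.example", 443, "tcp"),
              ("cam-01", "pool.ntp.example", 123, "udp"),
              ("tv-01", "cdn.tv.example", 443, "tcp")] * 3
    later = list(normal)
    later += [("cam-01", f"192.168.1.{i}", 23, "tcp") for i in range(10, 22)]
    later.append(("tv-01", "ads.tv.example", 443, "tcp"))
    return normal, later


def run(mode):
    mon = SegmentationMonitor(mode)
    normal, later = sample_flows()
    mon.learn(normal)
    mon.observe(later)
    return mon


if __name__ == "__main__":
    for ev in run("enforce").events:
        print(ev)
```

In monitor mode the same run produces only `new_destination` and `would_quarantine` events, which is the IDS-before-IPS staging the SecurityWeek post recommends; flipping to enforce changes nothing about detection, only about what the switch is told to do. Note that the television’s single new host is reported but never isolated: one unexpected destination is a baseline gap, fan-out on telnet is an infection.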
Tomi Engdahl says:
The Week In Review: IoT
http://semiengineering.com/the-week-in-review-iot-26/
Last month’s distributed denial-of-service cyberattacks have put the spotlight on poorly secured or insecure Internet of Things devices. “The harsh reality is that cybersecurity is not even on the radar of many manufacturers,” said Trent Telford, CEO of Covata, an Internet security firm. “Security will eventually become more of a priority, but it may well be too late for this generation of IoT users.”
The Internet of Things is helping to reduce or eliminate corporate paperwork, while automating many functions, this analysis notes. “The advent of the Internet of Things is a catalyzing factor in the adoption of cybersecurity products,”
Cybersecurity experts want government regulators to address security issues with IoT devices, a subject that may not gain as much traction with the incoming administration. “The problems are not problems that markets can solve,” says Bruce Schneier, a security specialist affiliated with Harvard University. He likens DDoS attacks to air pollution – an issue that manufacturers were unwilling to tackle until government regulation forced their hand.
NXP Semiconductors this week introduced its Modular IoT Gateway Solution for large node networks, supporting multiple wireless communications protocols, such as Thread, Wi-Fi, and ZigBee. The gateway is based on an open-source Linux platform operating on NXP’s i.MX processors. The Modular IoT Gateway implements a number of security measures, according to the chipmaker.
Monument, Colo.-based yphi has introduced the fortiphi mobile and network management application to safeguard Internet of Things networks in homes and small businesses. The software runs on Android and iOS mobile devices, and also operates on routers with open-source firmware. “With all the recent hacks of consumer and corporate networks through IoT devices (i.e. thermostats, cameras, and other popular Wi-Fi enabled products), the market is pleading for a simple, affordable and effective way to connect, control, and protect the IoT world,” yphi CEO Chris Lundwall said in a statement. “The growth of IoT devices promised simplicity, but it’s delivered confusion and huge risk.”
Tomi Engdahl says:
Why Unidirectional Security Gateways can replace firewalls in industrial network environments
https://www.helpnetsecurity.com/2016/11/14/unidirectional-security-gateways-replace-firewalls/
In this podcast recorded at IoT Solutions World Congress Barcelona 2016, Andrew Ginter, VP of Industrial Security at Waterfall Security, talks about Unidirectional Security Gateways. They can replace firewalls in industrial network environments, providing absolute protection to control systems and operations networks from attacks originating on external networks.
Unidirectional Gateway solutions come in pairs: the TX appliance contains a laser, and the RX appliance contains an optical receiver. The Gateway pair can transmit information out of an operations network, but is incapable of propagating any virus, DoS attack, human error or any information at all back into the protected network.
Waterfall agent software gathers data in real time from operations servers inside the protected network. The software transmits that data to the external network, and populates replica servers with the data.
Waterfall provides out of the box replication capabilities for dozens of industrial applications, including process historians, process databases, control system servers, OPC servers, and low-level devices.
The server-replication process is transparent to external users, and has no effect on the original operations servers.
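The replication scheme described above only works because everything the receiving side needs is pushed to it; there is no path back for an acknowledgement or a retransmit request. The following is an added example, not Waterfall’s software: a model of replicating historian records across a one-way link in which the sender numbers each record and transmits every frame more than once, and the receiver (which has no send method at all) discards corrupted frames, de-duplicates the copies and reports sequence gaps. The channel, the lossy-link function, the record format and the truncated-SHA-256 integrity tag are constructed for the example.

```python
"""Added example (not Waterfall's code): one-way replication over a data diode.
The receiver has no send path, so reliability comes from sequence numbers and
redundant transmission instead of ACKs. Link, records and tag are constructed."""
import hashlib
import json

TAG_LEN = 8


def _tag(payload: bytes) -> bytes:
    # Integrity check only, to discard frames damaged on the wire.
    return hashlib.sha256(payload).digest()[:TAG_LEN]


class DiodeSender:
    """Protected (TX) side. Only ever appends to the channel."""
    def __init__(self, channel, redundancy=2):
        self.channel = channel
        self.redundancy = redundancy
        self.seq = 0

    def send(self, record: dict):
        payload = json.dumps({"seq": self.seq, "record": record}, sort_keys=True).encode()
        frame = _tag(payload) + payload
        # No ACK can ever come back, so each frame is sent several times.
        # (A real gateway spreads the copies out in time to survive burst loss.)
        for _ in range(self.redundancy):
            self.channel.append(frame)
        self.seq += 1


class DiodeReceiver:
    """External (RX) side. Reads the channel; deliberately has no write method."""
    def __init__(self):
        self.replica = {}    # tag name -> latest value: the replica historian
        self.seen = set()

    def drain(self, channel):
        for frame in channel:
            tag, payload = frame[:TAG_LEN], frame[TAG_LEN:]
            if _tag(payload) != tag:
                continue                    # corrupted on the wire: discard
            msg = json.loads(payload)
            if msg["seq"] in self.seen:
                continue                    # redundant copy already applied
            self.seen.add(msg["seq"])
            rec = msg["record"]
            self.replica[rec["tag"]] = rec["value"]
        channel.clear()

    def gaps(self):
        """Sequence numbers missing below the highest one seen. A loss at the
        very end is invisible until the next frame arrives, which is why real
        deployments also send periodic high-water-mark frames."""
        if not self.seen:
            return []
        return sorted(set(range(max(self.seen))) - self.seen)


def lossy_link(frames, drop_every):
    """Constructed one-way medium that loses every Nth frame."""
    return [f for i, f in enumerate(frames) if (i + 1) % drop_every != 0]


def run_transfer(redundancy, drop_every, n_records=20):
    channel = []
    tx = DiodeSender(channel, redundancy)
    for i in range(n_records):
        tx.send({"tag": f"FT-{i:03d}", "value": 100.0 + i})   # constructed historian points
    rx = DiodeReceiver()
    rx.drain(lossy_link(channel, drop_every))
    return rx.replica, rx.gaps()


if __name__ == "__main__":
    for r in (1, 2):
        replica, gaps = run_transfer(redundancy=r, drop_every=5)
        print(f"redundancy={r}: {len(replica)} records replicated, gaps={gaps}")
```

With a link that loses one frame in five, a single copy per record leaves holes in the replica that the receiver can only report, never request again; two copies per record fill every slot. That trade, bandwidth for reliability, is the price of having no return path, and it is also why the protected network stays unreachable from outside.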
Tomi Engdahl says:
M2M within the IoT – Pushing Security from the Cloud Down to Every Last Endpoint
https://www.mentor.com/embedded-software/resources/overview/m2m-within-the-iot-pushing-security-from-the-cloud-down-to-every-last-endpoint-4e1c85af-e069-4b65-8b47-1b12b8290614?clp=1&contactid=1&PC=L&c=2016_11_14_esd_secure_iot_device_to_cloud_wp_all
When designing for the IoT, security needs to be addressed from the Cloud down to each and every edge device. Protecting data is both a hardware and a software requirement, as more data is being stored and analyzed in edge devices and gateways. This whitepaper examines the latest solutions for software and hardware security for today’s IoT designs. The paper provides an overview of security concerns for IoT, emerging hardware-based solutions, the latest in software-enabled approaches, and end-to-end IoT security solutions.
M2M within the IoT – Pushing Security from the Cloud Down to Every Last Endpoint
http://s3.mentor.com/public_documents/whitepaper/resources/mentorpaper_98535.pdf
Tomi Engdahl says:
IoT devices used in DDoS attacks
https://www.ibm.com/blogs/internet-of-things/ddos-iot-platform-security/?WOW_IoT_Sense_Newsletter_11142016_Atest_Winner%20remainder&spMailingID=15901620&spUserID=MzA4MTM5MjU5ODgxS0&spJobID=903398463&spReportId=OTAzMzk4NDYzS0
On Friday 21 October, unknown hackers used Internet of Things (IoT) devices to launch three Distributed Denial of Service, or DDoS attacks on Dyn. Dyn is a company that provides internet services, among them a Domain Name Service (DNS).
A DDoS attack uses multiple computers and Internet connections to flood a targeted resource, making it very difficult and sometimes impossible for the target to operate. Dyn estimates that tens of millions of IP addresses were involved.
How important is security for IoT?
Security is a significant topic of debate around the IoT, with concerns that it opens new avenues of attack by extending the scope of information technology to everyday connected devices and things. IBM believes that security is fundamental to how the IoT must operate, to the extent that IBM has recently published a new whitepaper providing IBM’s point of view on IoT Security.
While unable to comment on individual cases, the DDoS attacks on Dyn highlight the need for everyone involved with IoT to consider security by design. Security for IoT should be built into IoT devices and software, from manufacturers to end-users. There is no doubt that IoT significantly expands the attack surface for enterprises and the scope of enterprise IT. Just as enterprises are used to addressing security in their IT infrastructure, they must do the same for IoT solutions and products.
How can I increase the security of my IoT landscape?
IoT security will be a big topic at World of Watson in Las Vegas this week and we are bringing to market three new offerings to assist clients:
1. IoT Security Assessment services offering – IBM IoT and Security experts visit clients and advise on the end-to-end security of IoT solutions for clients and make recommendations.
2. IoT Security Intelligence services offering – this enables enterprises to understand IoT security events in real-time. These use behavior-based solutions which detect deviations from normal behavior patterns and recognize new attacks or security issues
3. Advanced Security capabilities in the Watson IoT platform – a security dashboard, giving operators visibility to potential vulnerabilities and exposures across the network; an alert system for immediate notification, enabling enterprises to respond to IoT security events by understanding them in real-time; a visual policy management for enterprises’ IoT landscapes, allowing automatic identification of security events in accordance with best-practice policies tailored to your IoT environment; the ability to integrate Watson IoT Platform with Blockchain for trusted IoT transactions among a group of parties, improving business efficiency and security.
IoT security: An IBM position paper
https://www-01.ibm.com/marketing/iwm/dre/signup?source=mrs-form-9520&S_PKG=ov54480
Download this point of view which examines the security and privacy implications unique to a cognitive Internet of Things system. Leading edge Cognitive IoT research activities will be reviewed, addressing both challenges and opportunities. Best practices will be shared.
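Added example (not IBM's code) of the "deviation from normal behaviour" detection the post above describes, applied to the Dyn-style case: finding which devices on a network have started hammering DNS. It learns a per-device baseline of DNS packets per minute from the first two minutes of flow records and flags a device whose rate later exceeds both an absolute floor and a multiple of its own baseline. The flow records, device addresses and resolver address are constructed for this example.

```python
"""Added example: per-device DNS-rate baseline over flow records.
Record format (constructed): "<ts> <src> <dst> <dport> <proto> <bytes>".
"""
from collections import defaultdict


def constructed_flows() -> str:
    """Synthetic flow log (constructed, not captured): a camera (10.0.0.11) and a
    thermostat (10.0.0.12) do a couple of lookups a minute; in minute 3 the camera
    fires 300 queries at an external resolver, as a botnet member would."""
    lines = []
    for minute in range(5):
        base = minute * 60
        for i in range(2):
            lines.append(f"{base + i * 20} 10.0.0.11 10.0.0.1 53 udp 78")
            lines.append(f"{base + i * 20 + 5} 10.0.0.12 10.0.0.1 53 udp 81")
        lines.append(f"{base + 30} 10.0.0.11 203.0.113.10 443 tcp 50000")  # camera video upload
    for i in range(300):
        lines.append(f"{180 + i % 60} 10.0.0.11 198.51.100.5 53 udp 60")
    return "\n".join(lines)


def parse_flows(text: str):
    """Yield (ts, src, dst, dport, proto, nbytes); skips blanks and '#' comments."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        yield int(ts), src, dst, int(dport), proto, int(nbytes)


def dns_counts(flows, window: int = 60) -> dict:
    """{src: {window_index: packets to port 53}}"""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, src, _dst, dport, _proto, _nbytes in flows:
        if dport == 53:
            counts[src][ts // window] += 1
    return counts


def flag_flooders(counts: dict, baseline_windows: set, factor: float = 10.0,
                  min_pkts: int = 100) -> dict:
    """Return {src: [(window, packets, baseline), ...]} for devices whose DNS rate in a
    non-baseline window is at least `min_pkts` and at least `factor` x their own baseline.
    The absolute floor stops a device that baselines at zero from being flagged on one packet."""
    flagged = {}
    for src, per_win in counts.items():
        base = [per_win.get(w, 0) for w in sorted(baseline_windows)]
        baseline = max(1.0, sum(base) / len(base))
        for w, n in sorted(per_win.items()):
            if w in baseline_windows:
                continue
            if n >= min_pkts and n >= factor * baseline:
                flagged.setdefault(src, []).append((w, n, baseline))
    return flagged


def detect(text: str = None) -> dict:
    text = constructed_flows() if text is None else text
    counts = dns_counts(parse_flows(text))
    return flag_flooders(counts, baseline_windows={0, 1})


if __name__ == "__main__":
    for src, hits in detect().items():
        for w, n, baseline in hits:
            print(f"{src}: {n} DNS packets in minute {w} (baseline {baseline:.1f}/min)")
```

The thermostat never trips the check because its rate never leaves its baseline, and the camera's large HTTPS upload is ignored because the detector keys on destination port 53, not on bytes. A real deployment would also key on destination (a device suddenly talking to a resolver it has never used) and refresh the baseline over a longer window.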
Tomi Engdahl says:
Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products
https://downloads.cloudsecurityalliance.org/assets/research/internet-of-things/future-proofing-the-connected-world.pdf
Tomi Engdahl says:
The Critical Need for Device Security in the Internet of Things
http://design.avnet.com/axiom/critical-need-device-security-internet-things/
Data is the foundation for enabling the Internet of Things (IoT) in terms of creating new value and optimizing performance in deployed systems. To achieve the desired results, developers have shifted their focus to capturing data, moving it efficiently through the system and utilizing it to anticipate and improve outcomes.
Hackers also desire this data for inappropriate, often illegal, purposes. The increasing number of data theft or manipulation events is hampering the realization of the growth potential IoT promises. At the root of many of these negative events are attacks on devices at the edge. According to the Online Trust Alliance (OTA) 100% of recently reported IoT vulnerabilities (were) easily avoidable.
Among the OTA’s recommendations for thwarting the attacks on devices for the data they capture and transport is encryption. Encryption can be initiated within the device itself by integrating specific security components into the bill of materials or selecting processors that include encryption engines or the ability to be securely programmed.
A common method for secure key encryption is the Advanced Encryption Standard (AES). This is frequently used for privacy and confidentiality.
Public key encryption is useful for verifying the identity of the sender and ensuring the message sent is from them. In an IoT application, this could be between nodes at the edge of the deployment and the gateway or from the gateway out to the nodes. Elliptic Curve Cryptography (ECC), a growing algorithm found in IoT devices, is an example of public key encryption. What makes ECC attractive to IoT developers is the low overhead required from a processing and memory standpoint.
Hash algorithms are an encryption generated by the sender that are not decrypted and are used to validate that the content within a message has not been altered. The prevailing standard used for Hash algorithms is the Secure Hash Algorithm (SHA) and currently SHA-3 is the latest version being adopted. SHA-3 employs either a 256- or 512-bit character string and from an IoT device standpoint would be useful when the edge device has some processing capabilities that will require firmware updates or the delivery of software patches.
Integrating Encryption at the Device Level
Once a developer has determined the right encryption strategy for their application, they have several options for how to go about integrating the functionality into their design. They can choose between device level implementations or selecting a commercial-off-the-shelf (COTS) motherboard in a variety of form factors.
Chip level solutions range from encryption co-processors that offload the security management from the main processor to microcontrollers and microprocessors that have integrated encryption engines to programmable devices that enable the highest degree of customization along with industry standard encryption resources. There are also co-processors, referred to as Trusted Platform Modules, which ensure the code used to start the system is always authentic. All of these devices have options for AES, ECC and SHA and in some cases offer more than one option for more complex security requirements.
Investing in an end-to-end security solution, especially for protecting vulnerable edge devices, is a wise choice and well worth the nominal cost of inclusion. Not only will this investment protect valuable data generated by the system but also the company’s reputation with customers and the market by avoiding the negative publicity a data breach causes.
Tomi Engdahl says:
Futurist Warns, Don’t Get Paralyzed by Cyber Security Fears
http://www.designnews.com/cyber-security/futurist-warns-dont-get-paralyzed-cyber-security-fears/102557625146087?cid=nl.x.dn14.edt.aud.dn.20161116.tst004c
Engineers creating Internet of Things applications mustn’t slow the pace of innovation due to fear of cyber attacks, says hacker.
A noted hacker and futurist at the recent IoT Emerge 2016 show in Chicago warned that engineers creating Internet of Things applications mustn’t slow the pace of innovation due to fear of cyber attacks.
“If we become digital Luddites and get paralyzed and fail to advance, then technology will pass us by,” Holman, who works at the Intellectual Ventures Laboratory, told an audience of about 200 engineers at the show. “It’s really important not to be fearful, not to be paralyzed by the potential for problems. We solve problems.”
While on stage during a keynote speech, Holman took a few seconds to pick a mechanical lock, and then noted that the lock is still popular among millions of consumers. “A few people care, and they go out and purchase a better lock,” he said. “But the rest of us don’t care enough to change it. It shows that if you have a need for better security, you’ll get it. There are people out there to help you.”
In a subsequent conversation with Design News, Holman cited recent high-profile cyber security failures, and concluded that the problems posed by those failures weren’t catastrophic. The recent distributed denial of service attack that took down websites at Amazon, Netflix and Twitter created fantastic headlines, but little lasting damage, he said. He added that news stories heighten public fear, largely because most people don’t understand what a distributed denial of service attack is. Similarly, he pointed to the infamous Y2K scare at the turn of the century, saying that the fears far outweighed the actual damage.
“If you don’t understand it, if you don’t know the bounds of it, it can create fear,” he noted. “People say, ‘If they can take out Netflix, can they take down the power grid? Are people on life support in hospitals going to die?’ Those are the kind of dark fantasies people have.”
IoT Security: One Size Does Not Fit All. The Internet of Things ranges from homes to cars to factories and jet engines. Clearly, the security requirements of these systems vary
Holman said that cyber attacks are inevitable, but added that engineers are always learning from them. Moreover, IoT engineers get to draw on the many years of experience provided by the PC industry. “We’re not starting from scratch here,” he said. “We have the benefit of hindsight. An IoT is just a little computer with sensors hooked up to it.”
The worst mistake engineers can make is to look at the security risks and decide that benefits of innovation aren’t worth the effort. “In the end, we haven’t seen a catastrophic problem yet that was so bad we couldn’t recover from it,” Holman said. “So we might encounter a problem, and it might be a little bigger than the last one, but we have to solve it and keep going.”
Tomi Engdahl says:
Experts to Congress: You must act on IoT security. Congress: Encourage industry to develop best practices, you say?
Schneier crap-storm warning falls on deaf ears
http://www.theregister.co.uk/2016/11/16/experts_to_congress_you_must_act_on_iot_security_congress_encourage_industry_to_develop_best_practices_you_say/
Congress provided a masterclass in selective hearing Wednesday when urged by experts to do something about the increasing risk posed by poor IoT security.
At a session of the House’s Energy and Commerce Committee into last month’s attack on DNS provider Dyn that caused widespread disruption to online services, several security experts highlighted the main problem as a lack of security standards and urged Congress to act. Their pleas were repeatedly rebuffed.
Chief security officer of Level 3, Dale Drew, warned [PDF] representatives that “the current lack of any security standards for IoT devices” was a big part of the problem, and said IoT manufacturers needed to “embrace and abide by additional security practices to prevent harm to users and the internet.”
He argued that “there may be a role for the government to provide appropriate guidance.”
Likewise, CEO of Virta Labs, Dr Kevin Fu, said [PDF] that “IoT security remains woefully inadequate, and the Dyn attack is a sign of worse pains to come.” Fu took a stronger line on government intervention, arguing that it needs to actively support agencies that were developing solutions to IoT security issues, including looking at establishing “an independent, national embedded cybersecurity testing facility.”
But it fell to security guru Bruce Schneier to argue outright [PDF] for legislation. “Like pollution, the only solution is to regulate,” he stressed. “The government could impose minimum security standards on IoT manufacturers, forcing them to make their devices secure even though their customers don’t care.”
Benign – but not for long
In order to stress the importance of the issue, Schneier noted that the DDoS attack on Dyn, as disruptive as it was, was still largely “benign.”
“Some websites went offline for a while. No one was killed. No property was destroyed. But computers have permeated our lives. The Internet now affects the world in a direct physical manner. The Internet of Things is bringing computerization and connectivity to many tens of millions of devices worldwide. We are connecting cars, drones, medical devices, and home thermostats. What was once benign is now dangerous.”
Yeah whatever, expert
His arguments continued to fall on deaf ears.
Faced with all three experts saying that it was possible to encode some principles into law that would help fix the problem, Walden continued to stress he was worried about the possible impact on “innovation,” and again noted many IoT products are not made in the US.
“We don’t want this to be an innovation killer,” he said. “I don’t think I want my refrigerator talking to some food police.” Which is a response just mad enough to illustrate that any action beyond talking about how terrible the problem is will never get through a Republican Congress.
When Schneier tried for a third time to argue for a new agency, Democrat Eshoo told him flat out it was never going to happen. “They’re not great fans of that,”
In the meantime, government agencies continue to fight among themselves over who should be in charge of IoT and security. So far, we have:
The NTIA (part of the Department of Commerce) and its five working groups it created last month.
NIST and its new Special Publication 800-160 [PDF].
The Department of Homeland Security insisting it is the best source, despite having done literally nothing besides give a speech.
The Federal Trade Commission.
The Department of Transportation.
There may be others.
http://docs.house.gov/meetings/IF/IF17/20161116/105418/HHRG-114-IF17-Wstate-SchneierB-20161116.pdf
Tomi Engdahl says:
Telstra answers El Reg’s Smart Home security questions
It’s not quite an Internet of S**t, but nor does it come up smelling of roses
http://www.theregister.co.uk/2016/11/16/telstra_smart_home_security/
Telstra has, pleasingly, identified the vendors supplying its kit:
The platform is powered by Icontrol;
Cameras, smart plugs and door sensors are provided by Sercomm;
Motion sensors originate with Tyco Visonic;
Light globes are provided by Sengled;
Thermostats are provided by Zen;
The Smart Hub is provided by Flex; and
The Smart door lock is provided by Lockwood.
Third-party vendor patch management:
Telstra: “Telstra works with our smart home partners to follow industry best practices, with timely device patch management and secure platform configuration updates.
“Firmware used by vendors must pass a rigorous quality assurance process before being deployed to devices. Once updated firmware is available on the platform, all devices will be automatically updated.”
The Register: While it’s a good thing that the system won’t rely on consumers to patch products, Telstra’s automatic patch process had better be bulletproof.
Encryption
Telstra: “All communication from the home [Customer premises equipment] CPE and the app to the platform is encrypted, including transactional communication from the Smart Hub and all images and videos from the camera.”
The Register: This is pleasing news, but we also believe more transparency is needed – what crypto protocols, libraries, and certificate hashes are in use?
Configuration
Telstra: “Telstra Smart Home is designed to be simple for customers to use. Using the app rather than a desktop provides a better user interface experience, stepping customers through the set up process and allowing them to move around the house as they need, removing complexity from the set up process.”
The Register: We still believe that UPnP-plus-cloud should not be the only configuration option, because (a) UPnP is famously difficult to secure, and (b) if any connection fails, users can’t touch their systems (for example to adjust a thermostat).
Tomi Engdahl says:
Schneier: We Need a New Agency For IoT Security
https://yro.slashdot.org/story/16/11/16/202240/schneier-we-need-a-new-agency-for-iot-security?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
The recent DDoS attacks by the Mirai botnet against various targets, including DNS provider Dyn, have drawn the attention of congressional leaders, who say there may be a need for regulation of IoT device security in order to address the problem of vulnerable embedded devices. In a joint hearing on Wednesday, the House Subcommittee on Communications and Technology and the Subcommittee on Commerce, Manufacturing, and Trade delved into the issue of IoT security and several lawmakers said that they were reluctant to get the government involved in regulating this problem, but it may be inevitable.
Lawmakers Ponder Regulatory Remedy for IoT Security
https://www.onthewire.io/lawmakers-ponder-regulatory-remedy-for-iot-security/
In a joint hearing on Wednesday, the House Subcommittee on Communications and Technology and the Subcommittee on Commerce, Manufacturing, and Trade delved into the issue of IoT security and several lawmakers said that they were reluctant to get the government involved in regulating this problem, but it may be inevitable. The problem, of course, is that many of the embedded devices that make up the IoT aren’t manufactured in the United States, so regulation would have no effect on their security.
“While I’m not taking a certain level of regulation off the board, the United States can’t regulate the world,” said Rep. Greg Walden (R-Ore.), chairman of the Subcommittee on Communications and Technology.
Security experts have been lamenting the horrific state of IoT device security for many years, and recent events have only served to reinforce those feelings. Many embedded devices are designed to be cheap and functional, with little to no thought given to security. And few have a mechanism to receive updates, so when security issues are discovered, consumers have no real way to correct them. Kevin Fu, an associate professor at the University of Michigan, and CEO of Virta Labs, said the root cause of the problem is that there are no consequences for vendors who sell insecure devices.
“There’s almost no cost for manufacturers deploying products with no security to consumers. Is there a tangible cost to any company that puts an insecure IoT device in the market? I don’t think so,” said Fu, one of the witnesses at Wednesday’s hearing.
“It will get much worse if these security problems remain unchecked. IoT insecurity puts human safety at risk.”
Tomi Engdahl says:
For all its promise, the interconnected world has a dark side, with critical vulnerabilities like Heartbleed and Shellshock reported more and more often. This white paper walks you through how Wind River combats reported security exposures, highlights statistical trends from our monitoring data, and explains different aspects you should consider as you create your security strategy.
Securing Linux Systems in the Internet of Things
Four Essential Steps for Ongoing Threat Mitigation
http://events.windriver.com/wrcd01/wrcm/2016/08/WP-Securing-Linux-Systems-IoT.pdf
Tomi Engdahl says:
DHS Publishes Principles, Best Practices for Securing IoT
http://www.securityweek.com/dhs-publishes-principles-best-practices-securing-iot
The Department of Homeland Security recently published (PDF) its Strategic Principles for Securing the Internet of Things. It comprises six non-binding principles designed to provide security across the design, manufacturing and deployment of connected devices. It quotes, “there is a small — and rapidly closing — window to ensure that IoT is adopted in a way that maximizes security and minimizes risk. If the country fails to do so, it will be coping with the consequences for generations.”
The DHS document has been well-received.
“The principles put forth by the DHS are a good baseline for IoT security practices,” says Art Swift, president of the prpl Foundation. “While it may seem basic, these are exactly the things manufacturers and developers need to be doing to improve security in the Internet of Things.” But he adds, “The part that is not addressed by the DHS is to provide any practical guidelines on how to implement its recommendations.”
Those practical guidelines really need to start with the first principle: security by design. ‘Secure by design’ has been advocated for all computer devices for many years; but has not yet been achieved. It is clear from experience that if a device is not secure from the beginning, there will be security problems during its lifetime.
“Securing devices at the hardware layer is one of the most important ways the IoT is going to become more secure,” explains Swift, “but using open source software is also a key area. Manufacturers and developers should no longer rely on proprietary code that can be reverse engineered as it has been proven time and time again that this ‘security by obscurity’ approach is broken. By using open source implementations, which are open to review and hence inherently more secure, developers can agree to get basics right on security first and then compete on value-add market differentiators.”
STRATEGIC PRINCIPLES FOR SECURING THE INTERNET OF THINGS (IoT)
https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL_v2-dg11.pdf