Testing For Security

So far, the best solution appears to be a team of white-hat hackers. That’s not good enough.

popularity

Ever since the IoT became a household name, people have been strategizing about ways to utilize non-secure devices to mount an attack.

The first instances of using electricity to overload a device’s circuits, thereby neutralizing existing security features, came to light in some of the earliest car hacking incidents. These are basically side-channel attacks using what amounts to an electronic stun grenade.

The distributed denial of service attack on Dyn last October took this concept to a new level. Hackers mounted an attack on a secure site’s infrastructure using an army of non-secure devices infected with Mirai malware. This wasn’t totally unexpected. There had been numerous warnings in security circles about the potential dangers of Mirai two months prior to the attack.

So what can be done about this? The answer is plenty. Some steps already are being taken. Security clearly needs to be built into every aspect of a device, from design through to manufacturing and beyond. On the design side, authentication keys need to be hidden away, and most of the advanced hardware developed today already does this. In some cases that security is active, which requires power and adds to the overall cost. In others it is passive, which may include tamper-resistance that renders hardware useless if someone tries to grind away the package and insert a probe.

Software remains vulnerable, in part because that portion of a device is never completely finished. Even if over-the-air updates are safe, there are other weaknesses that can be compromised. It’s impossible to find all of them. Sometimes they are discovered by teams of white-hat hackers. The worst-case scenario is they don’t get reported for years because they are actively in use by criminals or teams of hackers with the deep resources of organized crime or nation states.

The third piece of the puzzle involves the supply chain. Counterfeit parts and IP are rampant. The danger isn’t just that someone will siphon off the revenue stream of legitimate parts. It’s that extra circuitry or software can be slipped into a device to do whatever the developer wants it to do—maybe after years of dormancy.

There are several steps required to address these problems. First, devices need to be tested to ensure they match the final spec. What is supposed to be in a device should be all that’s in there, and tests can be developed to ensure that’s true. Not every device needs to be tested, of course, but some do. Back doors are a very real threat, despite the fact that almost no one wants to talk about them.

Second, data needs to be reviewed after every breach to identify what went wrong. While companies such as Apple and Microsoft already do this, that data needs to be shared. Being hacked is no longer a one-company issue. As more devices are connected, it is a problem for all companies.

This is basically a big data problem caused by a triumvirate of complexity of hardware and software, an extended supply chain, and myriad use cases and connections. All of that data needs to be mined to identify anomalies so that simpler tests can be developed to avoid future problems.

And finally, hackers will always be the first one in the door, which puts security companies in a reactive position. That won’t change completely. But if information is shared more readily, it would allow technology companies to be more proactive because they will be able to spot trends that they cannot possibly see in isolation.

At present, the best solution is a combination of anti-virus software, extra code and circuitry developed to prevent hardware attacks, and a team of white-hat hackers to continually look for weaknesses. The pieces that are missing are the up-front verification of what is being developed and manufactured, and the after-the-fact deep analysis of what goes wrong at a systemic level. These are closed loops right now, and they need to be connected. Unfortunately, at this point there seems to be little effort to make that happen.

Related Stories
Side-Channel Attacks Make Devices Vulnerable
The number and type of attack vectors are increasing as more of the world becomes connected and vulnerable to hackers.
IoT Security Risks Grow
Experts at the table, part 2: Mirai, Shodan, and where the holes are in security; establishing a chain of trust from a solid root; how to future-proof security.
IoT, Architectures, And Security
ARM CTO Mike Muller discusses how markets and technology are changing in a very candid one-on-one interview.