The Internet of Things (IoT) development lifecycle is a complex process, and as complexity increases, problem areas rise proportionately. In an IoT product lifecycle, security is one such problem area, and it needs unparalleled focus. Even a single flaw in the code or in the device itself, at an early or a later stage of development, could pave the way to security vulnerabilities. This article is based on insights given by Jitendra Kumar, IoT Security Researcher, Sumeru, on how to secure IoT devices.
Many a time, security flaws are realized only after an IoT product reaches the market. Traditionally, the approach to solving this problem was to ensure that the crucial components and the code followed standardized norms during the development phase. The game has changed now. If security was an afterthought, it is to be expected that attacks could arrive at the doorstep in the most unexpected way.
Some “expensive” insights to building secure IoT devices
The IoT market is lucrative and everyone is rushing to put their product into it. The IoT market size is estimated to grow to about 457 billion dollars, according to a CAGR report. It is definitely a fast-growing market. It is often said that in haste a lot can be missed and overlooked. At the pace at which products are released, the security infrastructure in IoT devices is open to debate. When building a hack-resilient product, one must realize that there are new types of attacks threatening the whole ecosystem. One such is the “Reaper” botnet, which can compromise security by creating a Distributed Denial of Service (DDoS). If you are driving and your pacemaker suddenly stops, that is the type of attack we are talking about.
Some interesting scenarios
As we all know, cyber-attacks are carried out without actual weapons, and it looks like IoT has made them easy. It is now easy to sniff out devices, install malware and flash malicious firmware onto chips. An attack could start from one point of vulnerability and compromise the whole ecosystem.
Let us take a look at various scenarios that we can come across. “In an IoT ecosystem, some devices update the software over the air. Sometimes the binary file could be intercepted and the complete code of this file can be modified. This is done by monitoring networks for spikes in data usage etc. The hole in the wall is not because of the IoT devices or the communication channels. It is because they are made up of different components. Most commonly, the attacks happen through the interfaces where users interact, of which some are popular. Some of the attackers are always behind finding vulnerabilities and trap doors. To be precise, we are ten years behind the actual maturity of preparing more secure IoT devices in many cases. Let’s put it this way: when a product development team falls short of some security protocol installation due to time and budget constraints of the project, the possibility of attacks may double up”, says Jitendra.
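The over-the-air scenario above, seen from the device side, as an added example that is not part of the original article or the talk: before flashing, the device checks an authenticated manifest and the image digest, so a binary modified in transit is refused. The key, the manifest layout and the function names are assumptions made for illustration, and HMAC stands in for the vendor signature a production scheme would normally use.

```python
import hashlib
import hmac
import json

# Assumption: a per-device secret provisioned at manufacture. Production OTA
# schemes normally use an asymmetric signature (device holds only a public
# key); HMAC is used here so the example runs on the standard library alone.
DEVICE_KEY = b"constructed-demo-key-not-for-production"


def _tag(body: dict, key: bytes) -> str:
    """Authenticate the canonical JSON form of the manifest body."""
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_manifest(image: bytes, version: int, key: bytes = DEVICE_KEY) -> dict:
    """Vendor side: describe the image and authenticate the description."""
    body = {"version": version, "size": len(image),
            "sha256": hashlib.sha256(image).hexdigest()}
    return {"body": body, "tag": _tag(body, key)}


def verify_update(image: bytes, manifest: dict, installed_version: int,
                  key: bytes = DEVICE_KEY) -> str:
    """Device side: return 'ok' or the reason the update is refused."""
    body, tag = manifest.get("body"), manifest.get("tag")
    if not isinstance(body, dict) or not isinstance(tag, str):
        return "malformed manifest"
    # Check the tag first (constant time); no field is trusted before this.
    if not hmac.compare_digest(_tag(body, key).encode(), tag.encode()):
        return "manifest tag mismatch"
    if body.get("version", 0) <= installed_version:
        return "rollback or replay of old version"
    if body.get("size") != len(image):
        return "size mismatch"
    if hashlib.sha256(image).hexdigest() != body.get("sha256"):
        return "image digest mismatch"
    return "ok"


if __name__ == "__main__":
    firmware = b"\x7fFW" + bytes(range(64))             # constructed sample image
    manifest = build_manifest(firmware, version=5)
    tampered = firmware[:10] + b"\xff" + firmware[11:]  # one byte changed in transit
    print(verify_update(firmware, manifest, installed_version=4))
    print(verify_update(tampered, manifest, installed_version=4))
    print(verify_update(firmware, manifest, installed_version=5))
```

The version check matters as much as the digest: without it, an intercepted older image that is still validly authenticated could be replayed to reinstate a known flaw.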
Threat modeling phases in a nutshell
Originally popularised by Microsoft, threat modeling first analyses the data flow and the pathways of the IoT ecosystem. To begin with, different kinds of known issues can be tested on the device during requirement elicitation and in the design phase. Further, the features that are presently vulnerable are analysed and discussed with experts and developers from the security field. This fulfills the basics of security infrastructure.
In the implementation phase, the developers need to be educated: the embedded developer, the mobile app developer and the code implementers should all be alert to code vulnerabilities. In the functional testing phase, as many bugs as possible are searched for, and changes, including design changes, are made. In the deployment phase, privileged access is set and the product is sent out for further testing. If security issues are reported, the incident response team works to fix the bugs and loopholes.
The best key to increasing the security factor is to introduce complexity. Using cryptography, which is complex, will make it harder for the attacker. Various security standards are usually adopted, the reason being that there are many dedicated and reputed organizations that create security structures while giving corporations a win-win situation in this rebellion against attackers.
They have dedicated platforms (both hardware and software) for making secure IoT devices, and they often reward or appreciate people who help find vulnerabilities for their feedback.
To know more, watch Jitendra Kumar’s talk on “ANYTHING & EVERYTHING ABOUT SECURE IoT PRODUCT DEVELOPMENT LIFE CYCLE” in the EFY Conferences 2018 video bundle.