IoT device security – 5 key measures for device manufacturers
With the increasing adoption of IoT technologies, the security of these devices poses a significant challenge. Hackers have a massive playground to exploit, and numerous examples have demonstrated the vulnerability of IoT devices. This vulnerability also necessitates a more robust approach to security than traditional IT devices.
This article suggests 5 key security measures for device manufacturers, including investing in hardware-based security measures, using the ‘Secure Boot’ security feature, and securing firmware updates, storage, and communication, to help manufacturers ensure device security. While not every measure needs to be adopted, manufacturers can benefit from using at least one of the measures mentioned, to appropriately secure connected devices and their ecosystems.
According to a report from the International Data Corporation (IDC), the number of connected devices worldwide will reach 41.6 billion by 2025. This figure is expected to climb even higher, with Statista predicting over 75 billion connected devices online in 2025. These staggering numbers are a clear indication of the widespread adoption of IoT technology. With every smart building, connected home, and self-driving car, we gain new tools to improve our lives.
As the interconnectivity of IoT devices continues to grow, ensuring their proper security poses a significant challenge. For hackers, the IoT ecosystem is an ocean of opportunities, with billions of interconnected devices sharing data and creating a massive playground that can be exploited to its limits.
There are already multiple examples of IoT devices being hacked. Let’s look at a few:
Innocent intentions took a sinister turn when a group of gamers created a botnet called Mirai — to profit from hosting Minecraft game servers. The botnet's first strike occurred in September 2019, causing French cloud computing company OVH to crash. The botnet's source code was then released online, allowing anyone with tech skills to exploit vulnerable IoT devices. As a result, home routers, security cameras, baby monitors, internal lighting and ventilation units, and home PCs were all hacked, leading to massive DDoS attacks that took down significant portions of the internet across Europe and America.
In 2019, countless users of the smart camera Ring reported that hackers were watching and even talking to them via their in-home cameras. Despite the company's denial of any security breaches, hackers were able to infiltrate Ring cameras and gain access to linked accounts. The issue has since been resolved by the company, but it proved just how vulnerable smart devices can be.
In May 2019, Applied Risk, an industrial cybersecurity firm, discovered nearly 100 vulnerabilities in management and access control systems, including the Nortek Security & Control (NSC) devices that were used by industry leaders. The Nortek Linear eMerge E3 devices had a critical flaw that allowed hackers to easily take control of the devices, hijack credentials, install malware, and launch DoS attacks. Despite the warning, the company took no action for an extended period, even though it had installed these devices across various industries such as commercial, medical, industrial, retail, banking, and hospitality. The company's patch came too late, resulting in tens of thousands of daily cyber-attacks recorded across 100 countries where these devices were installed.
These are just some of the many cyber-attacks that demonstrate the vulnerability of IoT and force us to re-evaluate the importance of IoT security.
How do IoT devices differ from traditional IT devices?
IoT devices are like computers, but not quite. These devices operate in specific contexts and environments such as homes, buildings, or factories. Typically, an IoT ecosystem is composed of embedded devices and sensors, cloud infrastructure, mobile applications, and network communication protocols. There are also significantly more types of IoT devices and networks than there are of enterprise IT devices. And because IoT devices typically have low compute, memory, and storage capabilities, they have limited opportunities for realising security.
The growing interconnectivity of devices necessitates that IoT security be far more robust than traditional IT security measures.
Key security measures for device manufacturers
IoT device security involves a robust hardware-software partnership. Hardware, software/firmware, and connectivity interfaces — all need to be secure for IoT devices to work effectively. Device manufacturers must ensure that security measures are implemented thoroughly and throughout every stage of the product life cycle.
Invest in hardware-based security measures
Hardware-based security solutions are often a better choice, offering highly secure encryption and decryption systems and a tamper-resistant environment where sensitive information such as keys or random number generators can be hard-coded into the hardware-protected components.
Today, most mass storage devices, such as flash modules, have inbuilt functions with complete encryption and security technology. Of these, the most common and popular is the Trusted Platform Module (TPM), a chip used in all computers, from personal laptops to business computers, to industrial panel PCs, in order to secure hardware with integrated cryptographic keys. Another common tool is the Root of Trust (RoT), a set of functions that systems can use as their base to ensure complete security of the connected device.
Use the ‘Secure Boot’ security feature
A security feature available on most modern devices, ‘Secure Boot’ ensures only authenticated software runs on the device by preventing unauthorised software like malware from taking control of the device/system at boot-up. Secure Boot validates the digital signatures of boot loaders, key operating system files, and option ROMs, ensuring that all software is a legitimate manufacturer version that has not been tampered with.
As stated earlier, the Root of Trust, a hardware-validated boot process, would be ideal for the Secure Boot process. ‘ARM TrustZone’ and ‘Intel Boot Guard’ are two examples of RoT supported by ARM and Intel respectively.
Securing firmware updates
Firmware updates might be great at fixing annoying bugs and introducing new features to the operating system, but they also leave connected devices open to attack. Attackers can push malicious software updates, and vulnerabilities in the updates can be used to hack into accounts.
Device manufacturers can protect against this risk by verifying the integrity and authenticity of any new firmware. The firmware image should be signed with a digital signature at the production level, and validated on the device before the firmware update is performed. Signature verification can identify whether a given firmware update was provided by the authentic manufacturer or is a tampered image. A combination of hash functions and symmetric and asymmetric encryption algorithms can offer optimum protection from external attempts to misuse the image by decoding proprietary code, protocols, or algorithms through reverse engineering techniques.
Securing storage
IoT devices continuously collect an immense amount of data from a wide range of devices and sensors, all of which is stored in cloud infrastructure or on the device itself. For the security of connected IoT devices, mass storage devices like flash modules have built-in encryption and secure storage models. However, device manufacturers need to take extra precautions for storing credentials like encryption keys, digital certificates, and even passwords. Secure credential storage mechanisms can be used to store these critical credentials.
Some microcontroller or microprocessor vendors provide different mechanisms for this kind of storage, such as TPMs and SNVS, among others, which can be enabled so that only the program that uses them has access. This extra layer of security means sensitive data can be kept in this secure credential storage without worry.
Securing communication
Inter-device ‘communication’ is the core feature of IoT ecosystems – they literally cannot function without speaking to each other. How else would they indicate their status, potential downtimes, and more to connected devices? This enables seamless functioning of the system, but also leaves all devices open to attack across multiple points. Securing this communication thus becomes paramount.
Strong encryption techniques supported by communication technologies like Wi-Fi and Bluetooth, and validation of digital signatures are a must to ensure confidentiality, integrity, and authenticity of data coming from each communication channel. The encryption keys’ strength can further be governed by standards like RSA, AES-128, and Diffie-Hellman. Moreover, most application protocols like HTTP and MQTT that use communication protocols like TCP/IP and UDP can benefit from security measures applied to the latter, as they automatically apply to the application protocols.
Another method to secure communication includes allocating each device a unique identity via digital certificates or private keys, which helps optimise authentication and offers better protection. This enables manufacturers to share firmware updates and data to specific devices securely, and assists in the authenticity verification of incoming data from the devices.
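The per-device identity described above, as an added Go example (not from this article): each device gets its own Ed25519 key pair, the backend keeps only the public halves, and a message is accepted only if it verifies under the key enrolled for the identity it claims. The message counter that rejects replays goes beyond the text; the device names, seed, framing and telemetry are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

type Device struct { // backend record for one enrolled identity
	Pub  ed25519.PublicKey
	Last uint64 // highest counter accepted so far
}

// Provision enrols id with its own key pair (seed constructed for the demo).
func Provision(reg map[string]*Device, id string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte("constructed-demo-seed/" + id))
	priv := ed25519.NewKeyFromSeed(seed[:])
	reg[id] = &Device{Pub: priv.Public().(ed25519.PublicKey)}
	return priv
}

// frame is what gets signed: identity, NUL, fixed-width counter, payload.
func frame(id string, ctr uint64, data []byte) []byte { return []byte(fmt.Sprintf("%s\x00%020d%s", id, ctr, data)) }

// Sign runs on the device.
func Sign(priv ed25519.PrivateKey, id string, ctr uint64, data []byte) []byte {
	return ed25519.Sign(priv, frame(id, ctr, data))
}

// Accept runs on the backend: enrolled identity, valid signature, fresh counter.
func Accept(reg map[string]*Device, id string, ctr uint64, data, sig []byte) error {
	d, ok := reg[id]
	if !ok || !ed25519.Verify(d.Pub, frame(id, ctr, data), sig) {
		return errors.New("unknown device or signature not from its key")
	}
	if ctr <= d.Last {
		return errors.New("replayed or stale message")
	}
	d.Last = ctr
	return nil
}

func main() {
	reg, msg := map[string]*Device{}, []byte(`{"temp":21.5}`) // constructed telemetry
	a, b := Provision(reg, "sensor-A"), Provision(reg, "sensor-B")
	fmt.Println("A genuine:", Accept(reg, "sensor-A", 1, msg, Sign(a, "sensor-A", 1, msg)))
	fmt.Println("A replayed:", Accept(reg, "sensor-A", 1, msg, Sign(a, "sensor-A", 1, msg)))
	fmt.Println("B as A:", Accept(reg, "sensor-A", 2, msg, Sign(b, "sensor-A", 2, msg)))
}
```

Because every device has its own key, extracting the key from one unit does not let its holder speak for any other enrolled device.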
It is time to get serious about IoT device security!
IoT smart devices are everywhere and are becoming more mature every day. IoT security needs to catch up to the current trends, and at the same pace.
Multiple global security breaches that have impacted organisations and end-users have shown us that the time for innovating IoT security is now. And with the advancement in hardware and software-based IoT security solutions, this demand is not impossible to meet for device manufacturers. Based on their requirements, risk factors, and security exposure, manufacturers can adopt any and all measures mentioned here, to protect the integrity, confidentiality, and authenticity of their IoT ecosystems and their data.
When implemented correctly and throughout every stage of the development and product life cycle, IoT device security can help organisations to bring innovative IoT devices to the market that include the strongest promise of all — the promise of complete security!
If you’re looking for digital solutions with comprehensive IoT security measures, Softdel is who you call.