Security Focus at the IoT Developers Conference 2016

I attended the 3^rd annual IoT Developers Conference (“DevCon”) last week. As an introduction, Markus Levy, the event chairman, wrote in the conference program and event guide:

Internet of Things: Hype versus reality? [It’s] clear that the IoT is so much more than just the ‘things’ – It has become a huge collaborative effort to bring all the pieces together so that the chain that stretches from the human to machine to the cloud can deliver real value. […] The Internet of Things Developers Conference. It’s about the reality – not the hype.

To show how “real” the IoT has become, the IoT DevCon featured two full days of keynotes, talks, and presentations, with an exhibition showcase open on both days featuring 44 companies. On Day 2 (Thurs, May 26, 2016), the day I was able to attend IoT DevCon, there were four parallel sessions comprising 6 different tracks. (See http://www.iot-devcon.com/agenda.php for the overall conference agenda, and http://www.iot-devcon.com/agenda_list.php for the presentation abstracts.) The tracks were:

• Security: Analysis and Methods
• Connectivity: Protocols and Standards
• IoT Gateway
• At the Edge
• Application Development Frameworks
• Data Management: Edge Nodes to the Cloud

I was interested in many talks from multiple tracks, but since I was unable to clone myself quickly enough, I was only able to attend 11 of the 42 talks. I spent most of my time in the morning and afternoon Security tracks, in which multiple talks mentioned the fact that security is acknowledged to be the #1 issue facing IoT’s broad adoption. (One speaker also referenced a good keynote that I missed on Day 1 by Underwriters Laboratory about IoT security, entitled: “No IoT Without SoT – The Security of Things!”)

As motivation, several talks mentioned recent IoT-related hacks in the news, including:

• the Jeep hack (https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/)
• a medical infusion pump hack (https://www.wired.com/2015/08/video-shows-terrifying-drug-infusion-pump-hack-action/)
• a baby monitor hack (http://www.forbes.com/sites/kashmirhill/2014/04/29/baby-monitor-hacker-still-terrorizing-babies-and-their-parents)
• a Wi-Fi-enabled sniper rifle hack (https://www.wired.com/2015/07/hackers-can-disable-sniper-rifleor-change-target)
• the Target hack (http://www.cio.com/article/2600345/security0/11-steps-attackers-took-to-crack-target.html)
• the Stuxnet worm

One talk claimed there are almost 1 million new hacker attacks identified every day.

In addition, the point was made that IoT security is different from cybersecurity:

• IoT security has an increased attack surface over cybersecurity (tens of billions of connected “things”)
• The “things” have greater accessibility to attack (e.g., light bulbs, thermostats, power meters)
• The “things” are often low-cost end nodes with perhaps low, or no, budget for security measures (like physical tamper-proofing) or for high processing power (which could limit encryption capabilities, though there are encryption chips as cheap as $1 now: http://embedded-computing.com/guest-blogs/robust-iot-security-costs-less-than-you-think/)

And those differences mean that perhaps a different approach and different security measures need to be taken when providing for IoT security than for providing traditional cybersecurity. For example, multiple talks pointed out that securing the IoT, or an IoT device, is an exercise in defense-in-depth, where multiple layers of security need to be considered. There’s no one, single, magic security solution: security depends on the device’s security model, which in turn depends on the identified threats and attackers to be protected against. A good categorization of attackers is provided by the ICS-CERT of the U.S. Department of Homeland Security (https://ics-cert.us-cert.gov/content/cyber-threat-source-descriptions):

• National governments – national cyber warfare programs
• Terrorists
• Industrial spies and organized crime groups
• Hacktivists – politically-motivated hackers with anti-U.S. motives
• Hackers – from script kiddies, to worm and virus writers, to security researchers and white hat hackers, to black hat and professional hackers

Identifying the potential attackers and their motives defines the threats that the device security model needs to handle, which then influences the types of security measures needed as measures. Several talks gave categorizations of such measures, essentially mapping out areas that IoT device manufacturers should take into consideration when providing security to their IoT devices:

• Device physical layer
• Make the system hardware tamper-proof
• Lock the debug interface
• Device communication layer
• Use secure wireless and wired technologies and protocols
• Encrypt data-at-rest and data-in-motion
• Use TRNG (True Random Number Generation) technology for good cryptology
• Use hardware-based security where possible (e.g., TPM, encryption engines)
• Device application layer
• Never use hardcoded (static) passwords
• Require the user to reset the default password, and disallow common / easy passwords
• Required a unique authentication ID on headless end nodes
• Device development
• Use secure design and security protocols from the start of development
• Secure the supply chain, from chip maker to device OEM manufacturer to applications providers
• Device deployment
• Ensure devices use a secure boot process
• Ensure secure provisioning of devices
• Realize that devices may have lifetimes of years or decades, and provide software and firmware updates, which are critical to maintaining security

It’s key to remember that the end device may not be the actual target. Though its manufacturer may not have thought it worthwhile to attack (and hence, to protect), it may actually be attractive to attack since, once connected to the IoT, the device becomes a gateway to the network, and thence the enterprise assets it’s connected to: the real targets.

Another talk mentioned the NIST Cybersecurity Framework for end-to-end security could be useful to follow when building security into your IoT device (http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf):

• Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities
• Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services
• Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event
• Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event
• Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event

Making sure IoT devices can protect themselves against identified attacks, detect such attacks in real-time, respond to them quickly, and recover appropriately (including updating software/firmware for on-going resiliency) will help make the IoT more secure and improve the speed of adoption (and thus, the path to profitability for IoT companies). To assist in this area, Wind River’s IoT Design Center can be contracted to perform an IoT assessment, which would ensure that the latest security best practices are used not only in the an IoT product, but also in the processes used by a company.

By properly designing security into the IoT, we can hope to avoid costly mistakes such as those that Jeep and Target may likely still paying for – if not financially, at least in damage control to their reputations. To paraphrase the UL presentation’s title: there won’t be an IoT without security.

For those interested, the proceedings of the conference will be made available here: http://www.iot-devcon.com/proceeding.php (not yet available as of this posting).