IoT devices: six security tips
that could save your system
by Don Schleede, Information Security Officer,
Digi Inc.
I
n the past, we relied on
isolation to make sure that
our IT systems were secure.
We hid our big mainframes
away in rooms accessible only by a
select few, and if there happened to be
a network of some description, it only
lived ithin the single building, offering
wired terminal connectivity.
But with the advent of the Internet,
everything changed. The network
was now global, and while this meant
all hours remote access to the office,
and convenience for partners and
customers, it also opened up potential
security breaches. The cybersecurity
industry was born.
But with the advent
of the Internet,
everything changed.
With embedded technology, devices –
each with their own web address and
functions – have become empowered
with intelligence. And this development,
in turn, opened up a new range of
targets for bad actors internationally.
These bad actors include not just
cybercriminals as we usually think
of them, but also terror groups and
intelligence communities, as well as
curious amateur hackers up for a
challenge. Whatever their identity, and
whether maliciously or otherwise, these
players could steal, alter or otherwise
tamper with important content. So
how, then, to protect the devices that
make up the Internet of Things?
By their very nature – small, relatively
inexpensive and autonomous – the
8
PECM Issue 22
number of Internet of Things (IoT)
devices is going to be enormous. We’ll
find them in buildings, utilities, vehicles,
home appliances, and medical devices,
amongst all sorts of other infrastructure.
As sensors, they will be components
of a smart grid, able to collect, store
and transmit data, and will link up with
multitudes of devices globally iffering
in size and functionality, they’ll send
everything from large streams of realtime data to one off alerts heir one
common feature will be connectivity.
And where there’s connectivity,
there’s vulnerability. So in reality,
most – possibly all – IoT devices will
be ‘reachable’. But what happens once
they’ve been reached?
Challenges to devices
Attacks on embedded IoT devices can
come in many forms and from many
directions, including through wired
or wireless connection, and by direct
physical access. In fact, direct physical
access is a major problem for IoT
devices because of their sheer quantity
and ability to operate unattended.
Remote IoT devices need to be
trusted by systems. Systems need
to recognise them as legitimate and
that they have been accessed only
by trusted users – and that these
users have not attempted to alter
the device’s manufacturer code.
By visiting a manufacturer’s site and
do nloading their latest firm are, a
hacker could upload it to their own
device and then send fake data to a
system from what could appear to
be a legitimate, authorized device.
This fake data could include altered
or malicious code.
With hackers constantly on the
lookout for new ways to attack
systems, those systems rely on
regular updates to ensure they
are protected. But with the sheer
size of some large systems, with
o devices in many far ung
corners of the country or the world,
keeping pace can be difficult his
puts pressure on support teams
and systems, taking up time and
running the risk of falling behind on
important updates.
Another danger is that determined
hackers may be able to find the key
which decrypts stored data on IoT
devices.
An emerging threat is the hacker
who resembles a more old-fashioned
criminal: one who will physically
break into a device. This is an IoTspecific issue, because there are
devices located at large distances
from one another and often in
isolated geographical locations. The
hacker has several break-in options:
through Ethernet or network ports,
serial ports for admin, or the JTAG
hardware engineering port. While
this is a hacking option that takes
commitment, the damage can be
great. Currently some systems
provide their users with physical
keys to access ports, but this is
obviously time, labour, and resourceintensive.
Due to the size and relative lack of
expense of most IoT devices, some
security functions on t fit on its
main processor. So, with the need
for increased security inevitable over
time, that device’s system will need
to have a plan in place so that it is
clear where those security functions
and responsibilities will lie