When IoT Attacks – The End of the World as We Know It?

Excerpts of my interview with Phil Muncaster @philmuncaster

InfoSecurity Magazine Q4/2017, 4 October 2017

https://www.infosecurity-magazine.com/digital-editions/digital-edition-q4-2017/

Focus on the Firmware

A cursory look at OWASP’s IoT Security Guidance will highlight just how many elements in the IoT ecosystem could be exploited. Among others, these include the web interface, network, transport encryption layer, mobile app and device firmware. The latter is a key area of focus for the prpl Foundation, a non-profit which is trying to coral the industry into taking a new hardware-based approach to IoT security. Cesare Garlati, chief security strategist, claims that hackers could exploit IoT chip firmware to re-flash the image, allowing them to reboot and execute arbitrary code. “The issue with this kind of attack is that it gives the hackers complete control of the device and it is persistent; it can’t be undone via a system reboot, for example”, he tells Infosecurity. The answer is to ensure IoT systems will only boot up if the first piece of software to execute is cryptographically signed by a trusted entity. “It needs to match on the other side with a public key or certificate which is hard-coded into the device, anchoring the ‘Root of Trust’ into the hardware to make it tamper proof ”, says Garlati.

Worst Case Scenario

The prpl Foundation also points out that proprietary code is less secure than open source, that connectivity is often poorly engineered and that too many systems allow lateral movement at a chip level, ignoring the best practice rule of ‘security by separation’. The best way to mitigate the latter issue is via chip-layer virtualization, Garlati explains. The question is, beyond data theft and DDoS-related outages, what harm could deficient IoT security genuinely do to society? Pioneering work by Miller and Valasek into connected car security first showed us back in 2015 how a vehicle could be remotely hacked and consequently steering and brakes manipulated, potentially to catastrophic effect. Then Kremlin-linked attacks on Ukrainian power stations in December 2015 and again in 2016 highlighted how – in one instance – IoT firmware could be successfully hacked and reflashed to disrupt energy supplies for hundreds of thousands. “The pressure brought by consumer groups, lawyers and governments will force IoT makers to produce more secure kit” “From isolated incidents to widespread chaos that could be possible with the manipulation of the electrical grid, the potential for damage is huge. It’s almost limitless” As the IoT works its way into ever more critical computing systems, the potential for devastating attacks multiplies, according to Sean Joyce, US cybersecurity & privacy leader at PwC. “Even the US military is concerned about IoT risks,” he explains. “A recent Government Accountability Office report outlined several national threat scenarios in which IoT security risks might harm Defense Department operations, equipment or personnel. These examples include the potential sabotage of a mission or equipment, operations security and intelligence collection and the endangerment of leadership.” Attacks might be easier to launch than many IoT-manufacturers think. Munro claims that simply by hacking and remotely controlling home smart thermostats en masse, an attacker could take down the entire power grid.

What Can We Do?

Given the huge security challenges associated with current IoT systems, the market has clearly failed, despite 90% of consumers now believing security should be built into devices, according to Irdeto. However, governments are responding. In the US, senators have introduced the Internet of Things Cybersecurity Improvement Act, designed to improve baseline security in the market by tightening the requirements for government suppliers. In the UK, the government recently published guidelines for connected car manufacturers, in a bid to improve standards. However, Munro thinks the rightapproach should combine regulation and litigation. “Regulations take a long time,” he says.“It’s fantastic to see, but in the meantime we need to see more litigation [of the kind faced recently by] Bose and WeVibe. The pressure brought by consumer groups, lawyers and governments will force IoT makers to produce more secure kit.” Until then, it’ll be down to CISOs to mitigate IoT security risk inside the enterprise. Yet according to PwC’s latest research, only 35% of organizations plan to assess device and system interconnectivity and vulnerabilities across the business ecosystem. This needs to change. IT also needs to strictly monitor IoT device usage, enable security protection on all devices, segment devices onto non-critical networks, encrypt all IoT comms and educate staff about the dangers, says Context’s Higginson “From isolated incidents to widespread chaos that could be possible with the manipulation of the electrical grid, the potential for damage is huge,” warns prpl Foundation’s Garlati. “It’s almost limitless.

*   *   *

Read full story at https://www.infosecurity-magazine.com/digital-editions/digital-edition-q4-2017/

 

Embedded World 2017 – IoT coming of age.

Last week I had the pleasure of attending Embedded World 2017 in Germany as I was invited to give a couple of presentations on the pioneering work we have been doing at the prpl Foundation with regards to the prplHypervisor™ and prplPUF™ APIs for securing IoT. As it turns out, IoT was the top line at the conference that drew in more than 30,000 trade visitors – and the event solidified the notion that embedded computing is now synonymous with IoT.

Read more of this post

prpl Foundation Unveils the First Open Source Hypervisor for the Internet of Things

Debut of the prplHypervisor™ to Occur at the IoT Evolution Expo in Las Vegas

prplHypervisorTMSANTA CLARA, CA–(Marketwired – Jul 11, 2016) – The prpl Foundation today announced the upcoming debut of the prplHypervisor at the IoT Evolution Expo in Las Vegas. The prplHypervisor is an industry-first light-weight open source hypervisor specifically designed to provide security through separation for the billions of embedded connected devices that power the Internet of Things.

Read more of this post

Securing The Internet of (broken) Things: A Matter of Life and Death

Securing the Internet of broken thingsIf you’re like me you’ll probably be getting desensitized by now to the ever-lengthening list of data breach headlines which have saturated the news for the past 24 months or more. Targeted attacks, Advanced Persistent Threats and the like usually end up in the capture of sensitive IP, customer information or trade secrets. The result? Economic damage, board level sackings and a heap of bad publicity for the breached organization. But that’s usually where it ends.

Read more of this post