Global Sources
EE Times-India
EE Times-India > EDA/IP

4 security threats to the Internet of Things

Posted: 19 Oct 2015     Print Version  Bookmark and Share

Keywords:Internet of Things  IoT  connected systems  proprietary software 

Technology can make our lives easier, but it can have adverse effects as well. In the case of the Internet of Things (IoT), it is here to help us be more productive at work, safer in and out of the home, and even happier. However, it is also growing so fast that it threatens to exceed our capability to adequately secure it.

A piece of software hasn't been written yet that didn't contain mistakes. After all, we're only human. But with non-IoT security experts designing and building connected systems the risks grow ever greater. So what can be done?

In my last blog, I highlighted the potentially disastrous consequences that could result from several serious, publicly disclosed vulnerabilities in IoT systems. All of these cases share commonalities that we can use to explore some of the key security challenges facing our industry.

1) Proprietary software evil

All of the IoT security flaws previously referenced were discovered thanks in part to reverse engineering of proprietary software. Hackers Charlie Miller and Chris Valasek did this to expose vulnerabilities in the Uconnect 8.4AN/RA4 system running in a 2014 Jeep, allowing them to remotely control its steering and brakes. Runa Sandvik and her husband Michael Auger did it to hack a smart rifle, enabling them to potentially fire it at a target of their choosing. Billy Rios reverse engineered Internet-connected Hospira drug infusion pumps, enabling him to find flaws that allowed for the possible tampering of dosage volumes.

What do these cases tell us? If security researchers can do this, then the bad guys, in theory, can too. In the past too many programmers have relied on 'security by obscurity,' hoping that their 'secret' proprietary systems would be beyond the reach of most hackers. This simply won't do today. Firmware binary code is usually available online if you know where to look. If it is not, hardware debugging tools such as the JTAG can be used to extract a copy of the software from the device itself. And interactive disassemblers like IDA can generate assembly language source code from machine-executable code. In combination with other tools and techniques it is becoming easier than ever to reverse engineer a binary image, work out what it does, then determine where its vulnerabilities are and how to exploit them.

In short, over and over again closed proprietary software has proven to be simply unfit for purpose. Compared to mainstream open source software it represents the path of least resistance for a determined and sufficiently resourced attacker—more on the benefits of the open source security in my next post.

2) Network Connectivity

The most dangerous Achilles heel of IoT devices is their connectivity—whether to the public facing Internet or with other networked devices. It gives attackers who have found a weakness in the code a means to hack their victims remotely. On an unprecedented scale, connectivity means an almost limitless number of systems can be hacked simultaneously.

The situation is compounded because many of the engineers tasked with designing and building IoT systems are not experts in network protocols and even less in network security. They may know how to put together hardware components, but implementing TCP/IP protocols is a rarefied discipline that requires expert knowledge and extensive debug and testing. And a hardware engineer that takes a correct 'by design' approach may not appreciate the needs for software updates and security patches, or indeed the need for security around the update process itself.

It's unfair to expect mechanical and electrical engineers to shoulder this burden and stay up-to-date with the latest secure development best practices. But their lack of subject matter expertise is leaving systems wide open to attack. Weak implementation of network protocols enabled Miller and Valasek to infiltrate the Jeep's D-BUS via port 6667 left inexplicably open and unauthenticated, for example.

1 • 2 Next Page Last Page

Comment on "4 security threats to the Internet o..."
*  You can enter [0] more charecters.
*Verify code:


Visit Asia Webinars to learn about the latest in technology and get practical design tips.


Go to top             Connect on Facebook      Follow us on Twitter      Follow us on Orkut

Back to Top