Global Sources
EE Times-India
 
EE Times-India > EDA/IP
 
 
EDA/IP  

4 security threats to the Internet of Things

Posted: 19 Oct 2015     Print Version  Bookmark and Share

Keywords:Internet of Things  IoT  connected systems  proprietary software 

3) Broken firmware updates

The vast majority of IoT and connected embedded devices can't be regularly patched/updated; these patches and updates also aren't automatically provided by the manufacturer. In instances where the software can be updated, the software should only come from a trusted source.

Miller and Valasek exploited this weakness to modify TI OMAP-DM3730 chip firmware inside the 2014 Jeep and reflash the image, allowing them to reboot and execute arbitrary code. You can install the best alarm system money can buy to protect your house, but if a robber can come along and merely replace it with his own, what's the point of having one? A similar issue has enabled hackers to run a malicious backdoor on various Cisco router models—by inserting an implant the same size as the legitimate Cisco router image.

The issue with this kind of attack is that it gives the hackers complete control of the device and it is persistent—it can't be undone via a system reboot, for example. And it gives them privileged access to an affected device. In the case of incidents targeting network routers and home gateways, this means an attacker can potentially see and control all the traffic flowing in and out of the corporate or home network.

4) Systems promiscuity

All of the attacks mentioned above were made possible due to a lack of the internal security controls, which limit lateral movement inside targeted systems. It's a strategy used by cybercriminals frequently in targeted attacks to data centres. They gain an initial foothold into an end-point via malware download, made possible by a spearphishing email or by simply cracking or stealing user credentials. Then they move around laterally inside the network, escalating privileges until they find the real prize—typically a database full of sensitive IP or customer information.

Taking the example again of Miller and Vasadek, their initial incursion was into the car's on-board entertainment system, the head unit. After compromising this, they managed to achieve a refresh of microprocessor firmware, allowing ultimately for access to the CAN MCU Renesas v850, and then remote control of the car. Meanwhile, Chris Roberts allegedly managed to reach a part of an aircraft which should have been isolated—its on-board flight systems—by infiltrating the in-flight entertainment facility.

Separation is one of the fundamental principles of security, so it's not only dispiriting to see it ignored in so many cases when it comes to IoT-related system, it's downright dangerous.

As the Internet of Things becomes an ever-larger part of our lives, it has found its way into an increasing number of the systems and platforms we take for granted today. These systems control airplanes, automobiles, drug pumps and even rifles. It's critical then that we take proactive steps to lock down the risks that come from software vulnerabilities.

- Art Swift
  EBN/president
  prpl Foundation


 First Page Previous Page 1 • 2



Comment on "4 security threats to the Internet o..."
Comments:  
*  You can enter [0] more charecters.
*Verify code:
 
 
Webinars

Seminars

Visit Asia Webinars to learn about the latest in technology and get practical design tips.

 

Go to top             Connect on Facebook      Follow us on Twitter      Follow us on Orkut

 
Back to Top