The Internet of Things (IoT) is a hotbed of innovation but I have been wondering who is really innovating in the IoT Security space. It seems to me that IoT security calls for highly adaptive measures and therefore is a good fit for those who visit this site. Recently I was contacted by Cassie Phillips who offered to do a guest article for me. Cassie is an internet enthusiast who generally writes about cyber security. She has recently become interested in the Internet of Things and has found that there is a huge correlation between the IoT and your privacy. So I asked and she accepted and voila – check out her guest article below. I think you will find an interesting blend of the old established security vendor and the new start-up innovating for IoT security.
Guest blogger – Cassie Phillips
May 17. 2016
Everyone knows to be mindful of the security of your smartphone or laptop. It stores your personal and often your employer’s sensitive information. But why should you care about the security of your Internet-connected thermostat or home lighting system? What sensitive information do these devices store? What about that Fitbit – maybe a little bit more sensitive information? How about that network-enabled pacemaker? Does it even store information? The explosive growth of IoT devices has resulted in an increasing concern for the security of these interconnected devices and the privacy of the information they contain. While you may be very careful with the security of your laptop or your smartphone, it is highly unlikely that you would take the same precautions with your connected thermostat, car, or lighting system. This lack of precautions increases the appeal of the IoT to hackers as IoT devices offer an easy way to hack into a network or access otherwise secure information.
For example, the Gartner Research Report: “Predicts 2016: Unexpected Implications Arising From the Internet of Things” says: “IoT becomes an increasingly attractive early link in [the] kill chain, as IoT vendors are most likely to repeat the security mistakes of the past and to not embrace modern security, vulnerability management and disclosure practices.”
This prediction seems to be borne out so far as evidenced by the HP Report – Internet of Things Security: State of the Union – “…a total of 250 security holes have been found in the tested IoT devices — on average, 25 per device. The issues are related to privacy, insufficient authorization, lack of transport encryption, inadequate software protection, and insecure Web interfaces.” The study shows that 80% of the tested devices, including their corresponding cloud and mobile apps, raised privacy concerns regarding the collection of user data such as names, email addresses, physical addresses, date of birth, financial and health information. HP says 70% of tested IoT devices don’t encrypt Internet and local network communications, with half of their applications lacking transport encryption. For 60% of devices, manufacturers haven’t ensured that software updates are downloaded in a secure manner, in some cases enabling attackers to intercept them.
Another recent example of IoT vulnerabilities and evidence of the disregard of security principles by those building IoT systems was demonstrated through analysis by University of Michigan researchers regarding Samsung’s SmartThings smart home programming platform. The research revealed that over-privilege was the core root of all the vulnerabilities discovered. The attacks were primarily dependent on two scenarios – the installation of a malicious SmartApp or the failure of third party developers to follow SmartThings guidelines on how to keep their code secure.
The IoT includes cyber-physical systems for home, industrial control, or medical systems. Vulnerabilities in cyber-physical systems may change the attackers’ game as well from data theft to function disruption thereby unleashing the potential of kinetic attacks, with Stuxnet being a prime example.
Considering how many IoT devices have inadequate cybersecurity, there is a huge demand for innovative solutions to protect IoT devices. The Industrial Internet Consortium has produced a reference architecture to guide developers and stakeholders on how to build secure IoT systems. The report emphasizes security controls such as:
- secure booting to a known secure state enabled through cryptographically signed software and firmware,
- enhanced trust by network and application whitelisting and reputation-based approaches (or dynamic approvals),
- enhanced privacy through mutual authentication in communication integrated with means to automatically ensure the privacy of data,
- early attack detection through rigorous anomaly detection over established norms of traffic patterns
- simplified system, secure management of all systems and their update processes,
- automatic threat containment to minimize the damage of a successful attacks.
These protections can be summarized by six key questions:
- What is connected?
- Where is it?
- What is it transmitting?
- Can I trust what it is saying?
- How is privacy protected?
- How are threats mitigated?
Answers to these questions form the basis of innovations in the IoT space.
IoT systems tend to have an abundance of sensors. This abundance has increased concern over privacy protections for IoT systems. To address IoT security and privacy concerns, the European Union-funded Respect project aims to help governments and technology companies develop and deploy Privacy-Enhanced Technologies (PETs) to minimize the impact of ubiquitous surveillance and data collection on people’s privacy. The goal of this project is to limit the collection and retention of data, and assure that sensors, CCTV, and other IoT devices collect anonymized data and the information retained is only accessed for aggregate analysis.
A separate EU project – The Secure Enclaves for REactive Cloud Applications (SERECA) project aims to remove technical impediments to secure cloud computing, and thereby encourage greater uptake of cost-effective and innovative cloud solutions in Europe. Although secure enclaves are a general mechanism, SERECA focuses on a particularly important and rapidly growing class of applications: reactive applications for the Internet of Things (IoT), Cyber-Physical Systems (CPS), augmented reality, gaming, computer-mediated social interaction, and the like. These applications are highly interactive, data intensive, and distributed, often involving extremely sensitive societal and personal information. An early pilot in this program leverages Intel’s SGX. Using the SGX instruction set, a so-called secure enclave can be created, which is an isolated range of memory within the application’s (virtual) address space to which the SGX security enhancements apply. Using SGX even the main system memory will be encrypted and integrity protected.
There are a variety of commercial solutions emerging to support IoT to include analytics tools and cloud-based management on the back-end; network gateways and routers at aggregation points and at the edge; and, encryption software, identity solutions, and vulnerability assessment systems at the endpoint. Endpoints bring special issues due to their low power and computational capabilities; therefore, many innovations and research are focused on dealing with these SWaP (Space, Weight and Power) issues. A short summary of some of these innovative solutions follows.
Azeti Networks AG
Azeti Networks AG provides a reliable, low power, and secure gateway to control access to your IoT applications. It offers a remote IoT management and monitoring application called the Machine to Machine Multipurpose Gateway (M2M). It appears to be highly effective providing real-time logistical information. It offers one of the most extensive integration platforms for automotive, healthcare, logistics automation and telecommunications applications. It is built and designed to withstand vibration, broad temperature ranges and high humidity.
These SWaP features reflect a design attention to the important requirements of IoT devices, allowing the gateway to operate in power sensitive and hazardous conditions. Since its access control systems rarely go down no matter the conditions, you will always be in control of who has access to your IoT devices and have a constant flow of information.
Certified Security Solutions
Certified Security Solutions (CSS) offers data transfer and secure identity between back-end business systems and IoT end points. As opposed to Azeti Networks’ M2M system, the VerdeTTo IoT identity platform is a scalable and secure cloud-based solution for the management of digital identities. It issues every individual device on the IoT a unique digital network identity for connecting to other devices, improving security awareness for all devices involved.
The application will allow connection only upon successful authorization and authentication of the device’s unique identity. It encrypts the data transfer between the endpoints as well as the network tunnel, ensuring any data transfer is validated. Moreover, the VerdeTTo identities are operating system agnostic.
With its end-to-end IoT reference model, Intel combines security, connectivity and gateway components of IoT deployment. Intel’s EPID technology is modified using the Direct Anonymous Attestation Algorithm (DAA) to enhance the security of IoT devices.
The DAA is a digital signature algorithm that offers you anonymity without needing a unique public verification. With the DAA, a device on the IoT has a common group public verification key often associated with other private signature keys. What makes this innovation so important is that a device does not need to provide device identity to a network it wants to connect to, since the common group public key will be enough.
Sypris is taking lessons learned from its high assurance defense work and applying these lessons to the IoT. For example, Sypris’ Resilient Device Authentication System (RDAS) provides an end-to-end solution for identification and authentication of electronic hardware. RDAS builds on the physical mechanisms for establishing hardware-based root-of-trust, while combining traditional authentication elements that manage device identity through the life cycle of a system and the applications it supports. This begins in the manufacturing process; RDAS not only supports Supply Chain Risk Management (SCRM), but forms the foundation for “trust” of a device and then supports the extension of that trust into deployment.
Sypris has also developed a platform for the modeling and simulation of UAV systems, aerodynamics, and operations. This platform has been used to develop a comprehensive model of a UAV autopilot with cyber-attack inputs and then simulate and test the operations of that autopilot subjected to cyber-attacks. Flight is simulated using a flight dynamics modeler with a model of the vehicle aerodynamics obtained through DATCOM or wind tunnel testing. By computing sets of the states of the system that can be reached over different attack combinations and magnitudes, the reachable set is determined and the vulnerabilities and nuances of the system are revealed. Extending this modeling concept to autos and other transport systems may improve the situational awareness of other “smart things.”
Many IoT devices are in mission-critical roles but have limited compute, memory, bandwidth and power so are unable to protect themselves. These devices are connected online, putting them at high risk of compromise as they try to deal with critical missions. ZingBox has come up an answer to this problem with a network perspective on security-as-a-service.
The ZingBox solution discovers connected assets, identifies them, detects vulnerabilities and provides a comprehensive risk profile for an IoT deployment. It consists of an agent placed on routers and gateways that collects network data about traffic to and from these devices. The data is analyzed by ZingBox’s analysis engine, which evaluates threats, formulates responses and pushes security rules for the routers and gateways to enforce. ZingBox is deployed out-of-band and seamlessly integrates with existing enterprise security controls; providing real-time policy enforcement. ZingBox also generates IoT logs and can send it to a SIEM (Security Information and Event Management) for enhanced correlation of threat vectors.
The Shodan tool, commonly referred to as “Google for the IoT”, is a significant innovation in IoT security. Similar to how Google crawls the internet and indexes websites, the Shodan tool searches and indexes vulnerable IoT devices that are connected to the internet. It accesses data through HTTP, FTP, and SIP servers to identify things such as security cameras, routers, PCs and refrigerators. It also uses protocols such as Real Time Streaming Protocol to access video streams and webcams. What makes the tool even more remarkable for IoT devices is that it can identify the software that the IoT device is running, its IP address and its location.
The Shodan tool is getting a lot of attention from IoT security specialists since it is seen as a very appealing tool for hackers to use to find vulnerable devices. That being said, this tool can also provide information needed to protect IoT systems. As the tool allows one to search for devices according to specific parameters, it can be a useful tool for IoT companies to collect critical data on devices already in the hands of their clients. They can then use this data to improve cybersecurity instructions and practices in the long run.
The promise of IoT is that Internet-connected devices from different manufacturers will all be able to communicate with one another. This inter-connectivity can include, but is not limited to, mobile phones that talk to watches, watches that talk to televisions, televisions that talk to thermostats, thermostats that talk to kitchen appliances, and kitchen appliances that talk to home surveillance cameras. However, for all of this inter-connectivity to happen, there has to be a unified security toolset, or common security denominator if you will, that all devices can understand. Cybersecurity researchers and vendors face pressure to develop innovative solutions that deal with emerging threats while keeping the promise of inter-connectivity among devices. The innovations of the above companies demonstrate the potential of creative thinking in the cybersecurity realm and how this trade-off between interoperability and security can be managed. Secure interoperability among existing technologies will continue to play a critical role in how we plan for IoT devices going forward.
Thanks Cassie for that enlightening tour of who’s innovating in the IoT security space. While there have been major developments in the IoT security sphere, it sounds like there is still much ground to be covered. If you want to learn more about innovation in IoT check out the IOT Global Innovation Forum this June in Barcelona. You can find out more information at this link: http://www.iotglobalforum.com/
What direction do you believe is the next frontier for IoT security innovation? Are there any other applications or innovations that you believe deserve attention? Join the discussion by leaving a comment below. And thanks for tuning in to ActiveCyber!