Co-authored by Ravid Sagy.

The Internet of Things (IoT), commonplace devices connected to each other to become more than the sum of their parts, is quickly becoming an exciting reality. However, there are connectivity, interoperability, management, scalability, privacy and security challenges that require a hands-on approach to this phenomenon. Gartner predicted that there will be more than 4 billion connected IoT devices in consumer smart home environments by the end of 2016 and 25 billion by 2020.

The Internet of Things Needs Better Security

The majority of IoT devices — from medical devices to connected vehicles and even smart cities — come with their own apps, systems and connections and do not necessarily interoperate or communicate. While consumers are gradually adopting the concept of connected devices, recent studies pointed out that security is not high on their priority list, leaving the door wide open to a myriad of security risks.

IBM recently discussed the end user’s need to trust the authenticity of the endpoint device (the “thing”). This is due to the fact that it may store information and potentially affect your immediate physical environment, putting the spotlight on personal privacy.

One other element to note is the communication between the thing and the cloud-based application or infrastructure. Sending data to the cloud means the application has full visibility into the way IoT devices are being used. For example, a smart water meter can reveal the size of a specific household and daily activity patterns. A deviation from this pattern, if in the wrong hands, can be monetized, making it an ideal target for criminals.

There’s been a lot of discussion regarding the hacking of devices and systems to obtain sensitive information and data. It shouldn’t come as a surprise that financially motivated attackers will find a way to monetize the hacking of IoT devices.

What Is the Current State of Things?

Attempting to apply traditional controls to the IoT is an uphill struggle and would require substantial engineering to address the many constraints these devices have. Some of these may include storage, processing power, bandwidth and inherently limited connectivity.

It should be noted that these devices have a relatively low footprint. As a result, they possess almost the exact processing capacity and memory needed for their tasks. This means there is little interaction with a human; they are expected to make their own judgments and decisions about whether to accept a command or execute a task.

A study sponsored by the U.K.’s Government Office for Science predicted that by 2020, the number of connected devices could be anywhere from 20 billion to 100 billion, so we shouldn’t assume IoT devices are too small to be noticed. As the Internet of Things phenomenon continues to gain traction and more connected devices come to market, security should be top of mind.

Software developers and vendors need to make sure they incorporate adequate security measures as part of the initial design and implementation process. These include dedicated security software development kits (SDKs) such as IBM Security’s libsecurity.

Improved Security

Libsecurity is a comprehensive package that offers application developers a complete, small and provably correct security toolkit for endpoints and gateways/hubs. That includes a lightweight and correct implementation of various security-related modules, including secure storage, user and password management, permissions and more.


Figure 1: Security features provided by libsecurity.

Forewind: A Secure Router/Gateway

Most routers, gateways and hubs today run on top of Linux distributions, which tend to be prime targets for adversaries. From simple username and password misuse to sophisticated authentication bypass mechanisms, it is clear that he who controls the router controls the entire network.

For example, a recent attack on Netgear routers allowed cybercriminals to bypass the embedded authentication mechanism and change the default Domain Name System (DNS) to an alternative IP address, effectively routing Web-browsing data to a malicious address.

Secure Runtime Environment

Hardware vendors and service providers (such as ISPs and Telcos) are reluctant to allow users to perform software or firmware updates on their own. Therefore, it is crucial that their distribution of choice be as solid and robust as possible.

By default, the Linux kernel already supports important technologies (such as SELinux and AppArmor) to harden the runtime, in addition to other optional applications that can be added as needed. Consequently, this significantly reduces the attack surface and makes the environment more sustainable.

Secure Management Interface on Top of Libsecurity

As previously discussed, the implementation and management interface of most commercial routers do not necessarily make use of the secure mechanisms offered by the environment, nor are they written with the proper security mindset. A recent review of the 25 most popular passwords revealed that unchanged passwords make up a large portion of the top 10. The management application behind the scenes is not necessarily secure.

Forewind provides a secure management application and interface, using libsecurity to provide solid password management, user management, access control, etc. Additionally, applications running on the router can be hosted in a secure framework to benefit further from its management features.

Distributed Analytics

One factor to consider is the enormous amount of data IoT devices generate and communicate back to the cloud for analysis. It would be naïve to assume that all systems can scale to accommodate the bandwidth, power, storage and computing ability needed to handle this load; there are simply too many devices generating too much data at any given point in time.

One method for solving this dilemma is a gradual approach. This means the first analytics phase takes place locally on the router, and if an anomaly or deviation is discovered, the relevant data is sent to the cloud for deeper inspection. This allows for a better distribution of data and optimized bandwidth and processing power.

Libsecurity provides a generic anomaly detection algorithm that works autonomously on time series data generated from IoT devices. It is extremely lightweight and very well-suited to first-pass analytics.
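The gradual approach described above, as an added example that is not part of the original article and is not libsecurity's algorithm: a constant-memory detector based on an exponentially weighted moving average (a swapped-in technique) runs on the gateway and forwards only the readings that deviate from the learned baseline. The names `EwmaDetector` and `first_pass`, the parameter defaults and the sample readings are assumptions made for illustration.

```python
import math

class EwmaDetector:
    """Constant-memory detector: keeps only an exponentially weighted mean and variance."""

    def __init__(self, alpha=0.1, threshold=4.0, warmup=12):
        self.alpha = alpha          # weight given to the newest sample
        self.threshold = threshold  # standard deviations that count as anomalous
        self.warmup = warmup        # samples used to learn a baseline before flagging
        self.mean = None
        self.var = 0.0
        self.seen = 0

    def update(self, x):
        """Return True if x deviates from the learned baseline."""
        self.seen += 1
        if self.mean is None:
            self.mean = float(x)
            return False
        diff = x - self.mean
        std = math.sqrt(self.var)
        anomalous = (self.seen > self.warmup
                     and abs(diff) > self.threshold * max(std, 1e-6))
        if not anomalous:
            # Absorb only normal samples so an outlier does not shift the baseline.
            self.mean += self.alpha * diff
            self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)
        return anomalous


def first_pass(readings, detector=None):
    """Run on the gateway; return only the (index, value) pairs worth sending upstream."""
    detector = detector or EwmaDetector()
    return [(i, x) for i, x in enumerate(readings) if detector.update(x)]


# Constructed sample: hourly water-meter litres for one household, with a burst at index 20.
SAMPLE = [12, 14, 13, 15, 12, 13, 14, 16, 13, 12, 15, 14,
          13, 12, 14, 15, 13, 14, 12, 13, 95, 14, 13, 15]

if __name__ == "__main__":
    flagged = first_pass(SAMPLE)
    print(f"forwarded {len(flagged)} of {len(SAMPLE)} readings: {flagged}")
```

Only the flagged readings leave the gateway, so the cloud sees the deviation without receiving the household's full usage pattern.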

Privacy

An additional factor to consider is privacy, or the lack thereof. Continuous data delivery to and from the cloud has a dramatic effect on your privacy. For example, a smart meter (one that is able to send energy usage data to the utility operator for dynamic billing or real-time power grid optimization) must be able to protect that information from unauthorized usage or disclosure. Information that power usage has dropped, for instance, could indicate that a home is empty, making it an ideal target for burglary.

It is crucial that device manufacturers as well as users spend time understanding what data their devices collect, what information is shared and with whom and how the thing transmits and receives data. Additionally, one must be fully aware of the whereabouts of the stored data, whether encryption should be enabled and if more stringent privacy settings need to be activated in accompanying software.

Just as with any other computer devices, it is essential to run the latest software and patch vulnerabilities as well as ensure all apps associated with the device are updated.

So What’s Next?

This is a wake-up call for any engineer, designer or company in the process of building an IoT device. With the advance and proliferation of new IoT devices, security concerns will grow proportionally. Numerous factors contribute to this. The most obvious is the IoT’s high interconnectivity, which poses a real threat that is only amplified by the sheer mass and projected scale of deployment.

A recent research paper from EURECOM in France and Ruhr University Bochum in Germany showed that embedded device firmware is susceptible to multiple security flaws. The research included analysis of over 1,900 firmware images from 54 different vendors. Researchers looked for vulnerabilities in the Web interfaces of corresponding IoT devices. The results, to no one’s surprise, revealed over 9,000 vulnerabilities found in more than one-quarter of the vendors analyzed.

While the testing was mainly automated and performed on a relatively small number of firmware images, the researchers agreed that it is likely the issues are widespread among IoT devices and not limited to a single vendor or a small group of vendors. Since many of the discovered vulnerabilities have already been disclosed, the impact on end user security is potentially much higher because some users ignore firmware updates available for their devices.

There are several important steps that need to happen to change this mindset:

  • Raise awareness. Companies and decision-makers need to understand the critical role of security in the design of new IoT devices. Security must be treated as integral to the IoT device’s functionality and reliability, not as an add-on. It should be part of any press article, discussion or plan for new and existing devices.
  • Establish accessible security. Nonexperts need an easy-to-use means for holistically handling security and privacy issues from the start.
  • Rely on the experts. During the design and implementation phases, individuals and companies should make use of proven, reliable tools and libraries. These security solutions are the products of true security experts as opposed to freely available amateur solutions, which may either lack basic security concepts or be poorly implemented.

IoT brings forth a great promise that requires a change in mindset and in the overarching framework to overcome its inherent shortcomings. Awareness and proper guidance must be provided in order to make sure device manufacturers and owners understand how to put forth basic security and privacy measures as a first line of defense.

Turn to the Experts

You shouldn’t rely on off-the-shelf, amateurish implementations over proven expert solutions. The new IBM Security libsecurity library provides a collection of easy-to-use tools for password protection, authentication, authorization, secure storage and much more.

Libsecurity provides a powerful tool in the fight against cybercriminals who are on the constant prowl for the next system to attack. With libsecurity, you can start engaging with the Internet of Things knowing that you are in safe hands and armed with the correct tools and ammunition against the most prevalent attacks.
