Will IoT Security Get Past the PB&J Stage?
If IoT Security is starved for attention, it could well be mobile apps, automotive safety, medical patient privacy and more that will experience something worse than just hunger pangs.
Icon Labs president and co-founder Alan Grau recently spoke with EECatalog about IoT security challenges.
EECatalog: What are some of the challenges for security in the IoT space?
Alan Grau, Icon Labs: A number of newer companies in the IoT space are trying to get products out to market quickly and establish a presence and are not security companies, so that is one of the challenges. Even some of the larger traditional companies moving into the IoT have great expertise in whatever their specific market is, industrial automation, say, or medical devices, but they are not security companies.
EECatalog: And there is the danger OEMs could get mired in the security details, losing development time?
Grau, Icon Labs: Absolutely. Look at the RTOS world. At one point in time companies asked, “Should I build my own operating system or do I want a commercial operating system?” Finally companies realized, going on your own, you are not going to be able to provide a comprehensive, well-tested end-to-end solution without making a very big engineering effort.
Part of our challenge as a company is to make sure that our customers are aware there are solutions out there they don’t have to build themselves.
Here’s an analogy I gave recently: When companies say, “We need ‘security’,” it’s as if they are saying, “We need ‘food’,” then buying bread, peanut butter and jelly to slap together one sandwich when the “food” they need is in reality a catered meal for thousands.
They need the infrastructure to pull together something that scales, and is interoperable and that they can use across multiple products—products that are going to be in the field for 10 years or maybe longer and they may not understand the distinction between a peanut butter sandwich and a catered meal for 1000 people, until they get into it and really understand all the nuances.
EECatalog: And not understanding the peanut butter sandwich/catered meal difference has caused problems—
Grau, Icon Labs: like the Chrysler Jeep hack—that didn’t have to happen; it was preventable. There are several pieces of technology that could have stopped that [for example] a firewall in the device, machine-to-machine authentication, secure boot, secure firmware updates—four different things, any of which would have solved that.
All [the four noted above] we provide, and it is not like we have a lock on these ideas and nobody has ever thought about doing these things or implemented them in other platforms, so [it is matter of] getting the basic fundamentals into place broadly.
Researchers found on some of the top mobile parking apps that there were vulnerabilities in the payment systems [because] they haven’t ensured complete end-to-end security.
EECatalog: How does an IoT security challenge differ from an IT security challenge?
Grau, Icon Labs: With IT you’ve got a server that is sitting in your data center. It is physically protected. It is [likely] behind multiple firewalls. To get access to the building requires significant authorization, so right there is built in control and security. You’ve got physical security around it, and yet these things are still getting hacked.
So now we’re going to take devices and their big sophisticated systems—Windows or [another] strong operating system with defenses built into the operating system as well as the edge security devices from the big security vendors—then take a device, which, instead of being at a big expensive server, is running some little bitty operating system on some tiny little device without a whole lot of security capability at all and put it out in the world where hackers can go steal one off the road, plug a USB device into it, tear it apart, and have access to the wireless physical proximity for wireless communication. It opens up a whole new set of attack factors. They are inexpensive so I can go buy one on my own, tear it apart, read the firmware off of the device and reverse engineer it, and use that information to go attack other ones.
It just opens up a huge set of vulnerabilities and attack surfaces so even though there is not the same level of data on these devices it is really critical to keep protecting them.
I wrote recently about hackers going after medical devices and then using them to launch an attack into the network and steal medical data.
And HP Labs did a study last year of 10 new-ish high-profile IoT devices and did a hard look at the security vulnerabilities and they found that 70 percent had at least one of what they classified as a serious vulnerability, and on average, they had 25 vulnerabilities per device identified.
EECatalog: What should and shouldn’t government be doing with regard to cyber security?
Grau, Icon Labs: I don’t think they should be asking people to put back doors in their systems; if you do that then you are creating a security vulnerability for everybody to exploit.
[However] I don’t spend a lot of time thinking about how does the government solve this problem; I spend a lot of time thinking about how do we build security technologies that make it easier for our customers to do the right things.
For example, if you go through and look at all the modules we provide, it can be fairly overwhelming for our customers, so what we spending time on is simplifying how that is packaged and presented. That is one thing hardware companies have helped us to do, to focus on simplifying how we present all the complexity so that they can more easily understand what we are providing and how they can implement it.
EECatalog: So that focus on simplifying you were just mentioning is one result of Icon Labs working with Renesas and other not-yet-announced vendors to integrate software onto hardware platforms—is software security on the same page as hardware security?
Grau, Icon Labs: I heard Renée James (at the time with Intel) speak at the McAfee/IntelSecurity FOCUS conference last year. She made the point that Intel has shipped literally hundreds of millions of processors with great hardware security capability that has never been used because the software hasn’t caught up. Some of the software to enable the hardware [security capabilities] is there but [what is lacking] is the end-to-end infrastructure to make it easy to use.
EECatalog: The embedded market is a pretty fragmented one and that can be challenging.
Grau, Icon Labs: Yes, the embedded market in general is a very fragmented market—there are still quite a few different operating systems that are popular and broadly used. There are a plethora of hardware platforms.
We have been in this space for quite a while so we have learned how to abstract things out and make them very portable. That is some of our value proposition—we can go into a customer and say, “Hey, you’ve got six different development platforms and three different RTOSes and all this different stuff, but we have a core set of technologies that will scale across all of it so that you are not having to reinvent the wheel for each platform.”
EECatalog: Anything you would like to add, Alan, before we wrap up?
Grau, Icon Labs: Getting back to your hardware and software on the same page question: We provide the ability to integrate with a security co-processor or hardware security elements onboard to do things like secure key storage. And to enable secure boot and crypto acceleration. If you’ve got a development system and it does not have those capabilities we can emulate them in software and do a decent job of it, but it is not going to be as strong or as secure as if it was implemented in hardware.
So we encourage companies to select hardware platforms that have the underpinnings in hardware for security because that adds a lot of value for them. However, even if a customer we’re working with doesn’t have [the type of hardware platform just described] yet, we can still work with them and put them on a roadmap. Then when they move to a platform that has those built-in hardware capabilities, they already have the other pieces of the infrastructure in place.