IoT device security challenges are a highly debated topic, for good reason. In this article, Attila Szasz, CEO and founder of BugProve will shed some light on the reasons, the trends, and current expectations.
What Are the Global Security Challenges with IoT Devices?
Perhaps the biggest wake-up call was the Mirai botnet attack, which initiated the changes. The compromised set-top boxes and the coordinated attacks that could shut down GitHub, Twitter, and Reddit demonstrated the biggest risk very well.
If there is a vulnerability in one device, it is present and accessible in all deployed devices. This is no longer just a simple security risk.
The current war between Russia and Ukraine also highlighted this. Intelligence agencies tried to hack into IP cameras, which were weak points through which the enemy could be most easily spied on. Let’s not forget that these devices are not only in our homes but also in government and military buildings, and critical infrastructure.
Regardless of the sector, most digital enterprises face risks if IoT devices operate within their network boundaries. Device vulnerabilities can be the entry points during attacks against high-value targets.
As a prime example of this, a casino made the news in 2017 that was hacked through a smart aquarium. Despite investing a lot in information security, they didn’t think that the aquarium could be the weak link. Since then, more and more information security departments have realized the risks associated with IoT assets on their network and increased their spending to discover such malicious attempts and risky devices.
What Makes IoT Devices Different? Why Are They More Challenging?
Embedded systems security is a fundamentally different way compared to the applications space. Here are a few key factors.
- Perhaps the most significant initial difference is the limited storage and resources, which impose many constraints on IoT code. Although some software projects have a relatively large market share, such as Linux and FreeRTOS, the spectrum of all IoT designs is very heterogeneous. Typically, these processes involve closed hardware-specific code, which frequently adversely affects security.
- Devices need to solve the entire problem on their own, often without a full-fledged operating system. Bare metal code is often susceptible to attack vectors, where simple issues such as a dereferenced null pointer end up being exploitable due to the environment lacking memory protection or other security facilities that are usually set up by the OS.
- There’s often no control over certain procured components, and associated SDKs come with vulnerable example code without any warranty. Sometimes, the vulnerable code is distributed as source code where a 3rd party audit might catch those. However, it is often the case that the SDK hides these vulnerabilities in the form of custom modifications to system binaries that are pre-compiled for the platform.
- Adding further complications is the fact that manufacturers typically seek the cheapest element that meets the requirements. As long as robust security isn’t among the hard requirements, the designs will minimize costs at the expense of basic measures such as strong cryptography or privilege separation.
- The programming languages commonly used in the domain, such as C and C++, are challenging from a secure coding perspective. Issues with memory safety are still the primary vulnerability classes that plague these designs.
- The difficulty of security testing is the last nail in the coffin. Tools that could assist in this area are lacking, with only a few open-source projects available. This is compounded by the fact that there’s a shortage of several million security professionals in the market. As such, it is impossible to rely solely on human supervision.
Who Bears Responsibility? Operators or Manufacturers?
Certainly, addressing numerous issues involves actively employing proper operations, including firewalls, XDRs, and IoT observability platforms. However, even with these measures in place, the vulnerability of devices can remain a risk, especially if it is a targeted attack against a high-value asset within an organization. Therefore, we believe it is primarily the manufacturer’s responsibility to ensure that their product meets basic security expectations.
Fortunately, the situation improved in one significant aspect: if we discover a vulnerability in a product today and report it, companies typically do not see it as a PR attack but rather as a welcomed contribution. Manufacturers are more likely to express their gratitude and collaborate with us on addressing the issue.
Why Does One Device Type Have a Better Security Posture Than Another?
What I’m about to say may not be surprising: those devices had a higher level of IT security where there was a business motivation and a real potential for attacks.
A great example of this is the set-top box as a device. One might think it falls into the same category as a router, especially when considering cheaper, lower-quality devices. However, from a security perspective, I’ve experienced a significant difference.
The analyzed inexpensive set-top boxes had dedicated hardware resources and operated with serious encryption. This is primarily thanks to content creators entering into contracts with operators and cable TV providers that included hefty penalties in case of theft, as they wanted to protect their intellectual property. As a result, operators suddenly had a strong interest in ensuring that content reached consumers securely.
In the third world, this is especially big business. Piracy has grown into a full-fledged industry, with some malicious groups even running their pirate satellite operations. Therefore, there was significant pressure on operators, which led to the development of more secure devices.
Similar processes have made game consoles secure as well.
In stark contrast to this, routers and IP cameras are far less secure. Based on our research, serious vulnerabilities exist in 8 out of 10 on average. And in general, we found that the more serious and expensive devices tend to be more secure.
Regulation and Customer Awareness
Now we come to a critical issue, which is customer awareness. Simply put, threats are not at a level yet where it forces manufacturers to optimize for security, as consumers do not penalize weaker devices. Of course, the question arises of how consumers could assess this, but there are more significant problems at play.
Some have not even reached the point of understanding the problem, which is the danger itself.
There was an article about BugProve titled something like, “We protect your smart fridge from attacks.” One of the top comments was, “Help, what will happen to me if they hack and steal my chicken nuggets?”
This was meant to be a sarcastic joke, and I also found it funny. However, I think it also sheds some light on the question of whether the average consumer is at a psychological disadvantage when correlating privacy and security concerns with otherwise harmless household objects. One could even call this the “fishtank fallacy” as per the casino incident.
For us, security experts, it is easy to immediately see IoT device security challenges wherever we see microcontrollers and other computing hardware hooked up to IP networks even if those are hidden inside familiar objects, however, this has not been the case for the wider population.
The Role of Regulations
As the earlier example with the casino illustrates, the risk doesn’t depend on the compromised device’s original function; the problem is that any IoT device can serve as an entry point into the customer’s network, and an attacker can obtain additional resources from there. Malicious code placed in this way often remains hidden from the user but can still pose a continuous risk.
This is something the upcoming regulations aim to change. The GDPR may not have been the best way to increase data security, but it did at least make everyone aware of it to some extent. We hope that RED and CRA will have a similar effect.
Even more noticeable is the American approach of the Cyber Trust Mark. Products will bear a logo with the shield, signaling to consumers that the product has met at least a certain standard. There will also be a QR code that consumers can use later to verify whether the product still meets these standards.
I believe some consumers will pay attention to this, but there will still be those who seek the cheapest option on the shelves. This is where the need to raise the overall security level of the entire industry comes into play. Even those who go for the cheapest solution should have basic protection – this is key to protecting our society.
This is a must if we want to keep using more and more embedded devices.