Dinyar Dastoor, VP and GM at Wind River, recently penned an article for CIOs in Embedded Computing Design that explores the security risks associated with the management and deployment of IoT devices.
“For many [CIOs], this will be the first time they’ll have to actively manage such embedded devices across their networks. Indeed, for some it will be the first time the walls of their datacenter have extended beyond the web portals used for customer services and other customer-facing engagement,” Dastoor explained.
“The army of IoT devices needs a strict regime of security applied to them. Protecting from attempts to attack the current firmware, eavesdrop on the data being sent, or creating a man-in-the-middle attack to change data being sent are all potential threats.”
To simplify life for their customers, says Dastoor, IoT device manufacturers will deploy an over-the-air approach to updating firmware and configuration data – in an attempt to keep truck-rolls to an absolute minimum. However, the Wind River VP warns this approach could “open up” other attack routes unless carefully reviewed.
Dastoor also points out that protecting access to IoT data is an equally complex task, as are the issues of information ownership and infrastructure.
“The need to establish domains of trust and how to actively control them are paramount,” he emphasized.
According to Dastoor, the Internet of Things is becoming an agent of change – making “transformative affects” throughout the enterprise.
“Like all change, it needs to be carefully planned and reviewed for the anticipated benefits to be realized,” he added.
Perhaps not surprisingly, hacker turned security consultant Kevin Mitnick recently told an IoT security symposium that he doesn’t know of “any system” considered impenetrable.
“In our experience, when we are hired by clients to attack their systems, our success rate is 100%,” he confirmed.
More specifically, says Mitnick, the IoT is plagued by many of the same issues corporate computer networks face, including lack of encryption, authentication weaknesses and password resets.
“Those same vulnerabilities exist in the IoT,” he added. “If I want to get information from a device, all I have to do is go out and buy one and then extract the firmware.”
Kendra De Berti, a marketing manager at Rambus, recommends manufacturers of IoT devices and platforms adopt a hardware-based security strategy – beginning at the SoC level itself.
“A hardware-centric approach will help ensure SoCs powering the IoT remain secure during the manufacturing process. In addition, embedding the appropriate security IP core into an IoT device or platform will go a long way in helping companies design systems that remain secure throughout their respective lifecycles,” she concluded.