We hear horror stories in the media on such a regular basis about security breaches that we have possibly become immune to them, unless, like me, you are in the industry. It never ceases to amaze me that large companies can make such fundamental mistakes, but I guess that is what keeps me in a job! I am an independent Senior Security Consultant, grey hair, needs glasses to read the laptop screen, although happy to say not much spread around the middle, but enough! I have been in the security industry since before it became trendy. The last newsletter prompted me to think back and ask myself why we keep making the same security faux pas.
In my simple mind, I see too many similarities between a functional specification for a business process, a piece of code, a piece of IoT technology etc. Each must do A followed by B, do some test, branch over here etc.
All of which at some stage or another have been the subject of abuse leading to an embarrassment for some poor company.
The theme of this blog is to look at IoT and why we keep making vulnerable devices, but you can't do that in isolation without looking at the process leading up to a device's inception and the drivers that affect its creation.
In my mind there are 2 things to consider. The first is the top down approach, where a device is conceived to do a specific thing based on a given functional spec. This can be constrained and rigid. Broad brush, I see the steps as -
1. Identification of a need – Why do we require such a device
2. Customer/Business lead – It must do ….. and possibly .. we need it by Friday (today is Tuesday) due to immediate generation of revenue, or a rival company is doing something similar and we need to beat them to market etc
3. Technical interpretation of point 2 leading to an IoT device
OK, now the bottom up approach: fluid and flexible, with little or no constraints. Again, IMHO, hackers aren't made; you can go to school and learn how to use tools, but to be a hacker you have to have a certain mindset, so I conclude hackers are born not made. We will now refer to this group as security researchers to be a little more PC and less scaremongering. They are not motivated in the same way as business, except in the similarity of wanting to be the first amongst their peers to root a device. This I think is just a human trait, but it manifests itself in different ways depending which camp you are in.
This group will take the device, take it apart, figure out how it works and ask themselves…what if I do this..and do it! Typically, this has nothing to do with its originally conceived use.
Now might be a good time to draw an analogy. Business processes are designed around what is usually referred to as the “Happy Path”; no one ever thinks about what happens if I do this, like start the process half way through. I once consulted for a large mobile phone company that lost over 150,000 mobile phones from its warehouse because a business process could be abused…anyway I digress!
That is why business processes can be abused in much the same way as IoT devices: no one asks themselves what else can be done with this, because the focus is on the device meeting the requirements. Designers don’t have the “Bottom Up” mind set, and will often select off the shelf items to promote speed to market and reduce development and purchase costs etc without worrying about what security flaws might be inherited with them.
Hardware testing a device post manufacture is like closing the gate after the horse has bolted. The costs to fix security defects, in terms of redesign and missing the release deadline, are too great. It just means the manufacturer knows the vulnerabilities at release time.
If IoT manufacturers had someone with the bottom up mind set, or even just the knowledge, then security could be built in at the design stage and the vulnerabilities designed out. Oh, where have we heard that before: get security involved early!
A very large IoT company, who will remain nameless, that has millions of devices in people's homes has exactly these challenges. A security researcher rooting a device didn’t mean anything to them, as it's the security researcher's own device, they have bought it, so what if they rooted it, what can they do with it? Well, actually quite a lot!
Speed to market and competitive advantage are king; designers need to satisfy their bosses' deadlines to get their bonus or good reviews. That all falls flat when your brand takes a massive hit as the researcher publishes his/her findings. Not everyone does ethical disclosure!
In reality physical access is always going to be game over, and some academic will make it the subject of his/her thesis, but devices can be made unattractive so that security researchers move on to lower-hanging fruit.
Security is never about saying NO; it's about giving the decision makers the information to make an informed decision around risk, rather than accepting a risk because it is unknown.