It also limits what other devices each type of device can communicate with, limiting the movement of attackers in a network should they compromise a single device, he says. Connectedness of IoT devices creates risk. “Hackers love connections,” he says. “If I can compromise one thing, I can get the rest.”
Raytheon will commercialize technology for the hardening of IoT devices by tying its software to hardware, says Michael Daly, CTO of Raytheon Cyber. The company has experience in this area due to its military contracts for network-centric warfare gear, such as sensors in tanks and on soldiers. They need to gather data around them but also receive analysis of that data to make it useful. All that must be done securely and with equipment that can’t be turned against the side that deploys it should it be captured, he says.
He recommended that IoT startups walk through the code of whatever open source software they incorporate in their products to make it more secure before they use it.
Chris Rezendes, president of INEX Advisors, a technology intelligence and advisory firm, says startups he’s worked with are shifting their attitudes about securing IoT devices by addressing it early. That’s a change. “Small companies use IoT as an entry point and money is a big problem,” he says, and that used to affect how they treated security. “Trying to get the product to market was more important than having it secure.”
The problem of securing IoT devices was pointed up by a demonstration given by Stacy Cannady, a member of the Trusted Computing Group who works for Cisco. TCG works on hardware security embedded in chips. The problem was that for the sake of expediency, security was less than optimal.
The demo showed how to use the secure chips to connect a Raspberry Pi camera to a server via a Cisco router, all using a TCG Trusted Platform Module, which can tell when files on devices have been altered, signaling the devices are no longer secure.
But the demo relied on allowing the device a one-time free pass to declare its safe state to the router. “Is that a secure way to do it?” Cannady says. “No, but it’s pretty darned fast.”
Meanwhile, UL – formerly Underwriters Labs – which sets safety standards for electronic devices, says it is about to step in with safety standards for IoT devices. These could include, for example, standards for augmented-reality glasses that deliver radiation (light) to the retina and could therefore pose a danger to the eye, says Anura Fernando, UL’s principal engineer for medical software and system interoperability.
He says security weaknesses in wearables that are network connected could lead to breaches and elevation of privileges that lead to sensitive data. He echoed the advice that defense in depth is planned from the design phase for these devices.
Sign up for Computerworld eNewsletters.