The IoT development lifecycle is a complex process, and as complexity increases, problem areas rise proportionately. In an IoT product lifecycle, security can be termed a problematic area that needs unparalleled focus. A flaw at an early or late stage of development, in the code or in the device itself, can pave the way to security vulnerabilities. This article is based on insights given by Jitendra Kumar, IoT Security Researcher, Sumeru.
Many times, it is only after an IoT product reaches the market that security flaws are realized. Traditionally, the approach to solving this was to ensure that the crucial components or the code followed standardized norms in the development phase. This game has changed now. If security was once an afterthought, it is now a threat to the extent that attacks can be expected from the most unexpected directions.
Some “expensive” insights into building IoT
The IoT market is lucrative and everyone is rushing to put their product into it. The IoT market size is estimated to grow to about 457 billion dollars according to the CAGR report. It looks like a lucrative and fast-growing market. It is often said that in haste a lot can be missed or overlooked. At the pace at which products are released, the security infrastructure in IoT devices is open to debate. While building a hack-resilient product, one must be aware of the new types of attacks that are threatening the whole ecosystem. One such is the “Reaper” botnet, which can compromise security by creating a Distributed Denial of Service (DDoS). If you are driving and your pacemaker suddenly stops, it could be game over.
Some interesting scenarios
As we all know, cyber-attacks are carried out without actual weapons, and IoT seems to have made it easy. It is now easy to sniff out devices, install malware and flash malicious firmware onto chips. It can start from one point of vulnerability and compromise the whole ecosystem.
Let us take a look at various scenarios that we may come across. “In the IoT ecosystem, some devices update their software over the air. Sometimes the binary file can be intercepted and the complete code of this file can be modified. This is done by monitoring networks for spikes in data usage etc. The hole in the wall is not because of the IoT devices or the communication channels. It is because they are made up of different components. Most commonly, the attacks happen through the interfaces where users interact, of which some are popular. Some attackers are always after finding vulnerabilities and trap doors”, says Jitendra.
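The over-the-air scenario above is one where a modified binary can be caught before it is flashed. The following is an added example, not code from the article or from Sumeru, showing a device-side update check: a small manifest carries the image hash and version, is authenticated with a key the device holds, and the device rejects tampered images, forged manifests and rollback to an older release. All names, the key and the firmware bytes are constructed for illustration; a production design would use an asymmetric signature (e.g. Ed25519) so the device stores only a public key.

```python
import hashlib
import hmac
import json

# Hypothetical update-verification key provisioned to the device at manufacture.
# Constructed for this demo only; a real device would hold a vendor public key instead.
DEVICE_UPDATE_KEY = b"constructed-demo-key-do-not-use"


def sign_manifest(manifest: dict, key: bytes) -> bytes:
    """Vendor side: MAC over the canonical JSON encoding of the manifest."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).digest()


def build_release(image: bytes, version: int, key: bytes):
    """Vendor side: produce the manifest and its authentication tag for an image."""
    manifest = {"version": version, "size": len(image),
                "sha256": hashlib.sha256(image).hexdigest()}
    return manifest, sign_manifest(manifest, key)


def verify_update(image: bytes, manifest: dict, tag: bytes, key: bytes, installed_version: int):
    """Device side: accept the image only if the manifest is authentic, the image
    hash matches it, and the version is newer than what is already installed."""
    # Constant-time comparison so the check does not leak how many tag bytes matched.
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return False, "manifest authentication failed"
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return False, "image hash mismatch"
    if manifest["version"] <= installed_version:
        return False, "rollback rejected"
    return True, "ok"


def demo():
    genuine = b"\x7fELF" + b"\x00" * 60  # constructed stand-in for a firmware image
    manifest, tag = build_release(genuine, version=2, key=DEVICE_UPDATE_KEY)
    results = {"genuine": verify_update(genuine, manifest, tag, DEVICE_UPDATE_KEY, 1)}
    # Image altered in transit: the hash recorded in the manifest no longer matches.
    tampered = genuine[:-1] + b"\x01"
    results["tampered_image"] = verify_update(tampered, manifest, tag, DEVICE_UPDATE_KEY, 1)
    # Manifest hash rewritten to fit the altered image, but the tag cannot be recomputed.
    forged = dict(manifest, sha256=hashlib.sha256(tampered).hexdigest())
    results["forged_manifest"] = verify_update(tampered, forged, tag, DEVICE_UPDATE_KEY, 1)
    # Replay of an older, validly signed release onto a device already at that version.
    old_manifest, old_tag = build_release(genuine, version=1, key=DEVICE_UPDATE_KEY)
    results["rollback"] = verify_update(genuine, old_manifest, old_tag, DEVICE_UPDATE_KEY, 1)
    return results
```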
To be precise, in many cases we are ten years behind the actual maturity needed to make it more secure. Let’s put it this way: when a product development team falls short on installing some security protocol due to the time and budget constraints of the project, the possibility of attacks may double.
Threat modeling phases in a nutshell
Originally popularised by Microsoft, threat modeling first analyses the data flows and pathways of the IoT ecosystem. To begin with, different kinds of known issues can be tested against the device during requirement elicitation and in the design phase. Further, the features currently vulnerable are analysed and discussed between security experts and developers. This fulfils the basics of the security infrastructure.
In the implementation phase, the developers need to be educated, as the embedded developer, mobile app developer and code implementers should be alert to code vulnerabilities. At the functional testing phase, as many bugs as possible are searched for, and changes, including design changes, are made here. At the deployment phase, privileged access is set and the product is sent out for further testing. If security issues are reported, the incident response team works to fix bugs and loopholes.
The best key to increasing the security factor is to introduce complexity. Using cryptography, which is complex, will make it harder for the attacker. Security standards are usually adopted, the reason being that there are many dedicated, reputed organizations who create security structures while giving a win-win situation to corporations in this rebellion against attackers.
They have dedicated platforms (both hardware and software) to do so and often reward or appreciate people who help find vulnerabilities by giving their feedback.
To know more, attend Jitendra Kumar’s talk on “ANYTHING & EVERYTHING ABOUT SECURE IoT PRODUCT DEVELOPMENT LIFE CYCLE” at EFY Conferences 2018.