If IoT devices are improperly managed due to lack of code signing, secure communications and mutual authentication they could be vulnerable to exploit. A good example is if an unauthorized person can physically access a device, they can install malicious firmware onto a vulnerable device. If that device does not have proper code signing or secure bootloading implemented, it could be impacted. This kind of scenario could result in a national security issue that, at minimum, would hinder congressional operations while the affected equipment is quarantined, analyzed or replaced.

 

Last year, we released research that looked at the risks of low entropy and its ability to break IoT devices. What we found was that 1 in every 172 outbound connections relying on a target endpoint's RSA key confidentiality could be intercepted. Applying those findings here, that scenario could allow hostile parties to tamper with communications infrastructure. Ethernet jacks could be replaced with hidden, embedded devices that could run a man-in-the-middle (MitM) attack on selected traffic. Someone with physical access could also perform internet scans, running an analysis like our research, which could identify vulnerable connections. With that information, they could load broken server keys onto a device that could decrypt traffic whenever a request is made to a compromised domain. It might sound unbelievable, but it is not farfetched – the U.S. Capitol is a prime example of a high-value target and it is reasonable to consider that physical access could provide a communication path to perform a MitM attack. This kind of exposure significantly broadens the attack surface that security personnel must consider as they sweep for bugs and such as they re-secure the premises.

  Read Less

This year, the proliferation of IoT and inherent security risks have become a larger focus for CIOs in enterprise. Security has always been a concern, but with a growing reliance on IoT for broader business operations - especially in our remotely connected world - keeping IoT secure is priority.

 

Expect to see the conversation focus on device production and what IoT device makers are doing to build security into devices at design and ensure security through the device lifecycle. First and foremost, cryptographic measures at design will be crucial to ensure secure software and firmware updates over time. Unique identities at design are critical for all personal and commercial IoT devices. 

 

Technically speaking, modern IoT devices have constraints that prevent them from producing highly random keys. Devices rely on an assigned key, or digital identity, to protect them from exploit and allow controlled access and secure updates.  IoT devices lack the power and compute resources necessary to handle random key generation - which means that countless life-critical and high risk devices (including connected vehicles, aircraft and medical devices) could be vulnerable to attacks and exploits.

 

Connected IoT devices – everything from diesel engines to medical devices – are developed in one location, manufactured in another, then shipped into untrusted networks for operation. Device manufacturers need to ask themselves how they can ensure that devices can be managed, updated and protected at all times in these untrusted and remote environments.

 

IoT manufacturers will also be looking to add more flexibility into their supply chain strategy but employing tools and technologies that give them options when it comes to where to produce products. This allows manufacturers to optimize production based on economic cycles and respond more quickly to the market needs. When it comes to IoT devices specifically, it’s essential that each device is produced with a unique, traceable identity, and that the root of trust is established securely, independent of the factory where the device is actually built.

  Read Less

Any time there is an initiative around improving cybersecurity for IoT devices, independent of industry, it helps the collective market challenge the current state and think deeper about best practices around encryption and authentication for this growing population of connected things. We frequently hear about hackers who take advantage of weaknesses in IoT security, maliciously taking control of smart home devices for DDoS attacks or changing functionality of medical devices. The only way to improve our security posture is to design a robust security architecture around our entire IoT systems. Guidelines provided by NIST or other standards groups can really make an impact in how we design security into IoT devices from inception and provide a method to manage authentication and encryption around the IoT device data and functionality over time.  Read Less