Andreas Philipp is Vice President of Business Development with Utimaco, the innovation leader in Hardware Security Modules. With over 15 years of experience in software development, project management and system implementation, Andreas changed to technical sales for HSMs and finally ran the worldwide sales team of Utimaco for over 10 years.
With an overall extensive experience in the Security Module Business of 25 years, Andreas has become a well-known industry expert and a frequent conference speaker.
The Internet of Things offers great opportunities in a world where we are connected and online 24 hours a day. Whether in industrial applications, such as medical, automotive and automation technology, or in the private sphere, with its smart TVs and the omniscient fitness bracelet. In all areas of the IoT, we are dealing with data streams containing sensitive information which, in many areas, might even affect privacy.
For years, companies have been busy issuing security policies and the corresponding IT measures such as policies, instructions, procedures and technologies. Even in the private sphere, we have learned how to deal with our data in the virtual world, e.g. when disclosing personal information in online shopping sessions or social networks.
Should all this become obsolete with the IoT? With the introduction of intelligent connected objects, the doors opened to connected shop floor systems and Distributed Control Systems. Does this mean established security procedures become obsolete?
Even in the private sector, data collection and transfers happen between a multitude of objects, from our Smart TVs connected to the internet to Smart Watches on our wrists. Where is this collected data stored and who has access to it? Basically, the fundamental question is: Where is my digital self-determination?
The increasing number of security issues over the last years shows that this is not part of a science fiction novel. Examples are the unprotected remote maintenance access to industrial facilities and private homes or the various attacks on automobiles. Many experts predict that the real IoT world is still ahead: Consumers and businesses are only willing to activate the IoT concepts they have already prepared after strong IT security measures have been introduced and implemented. Nonetheless, due to the value proposition and promised cost reduction, we can certainly say that IoT is real today!
Cost pressure and IT Security
A question to start with: How likely is the identification of a potential security flaw that causes product liability consequences for the device manufacturer of a webcam? A webcam today costs approximately 100$, with a profit margin of 10% – which puts high pressure on the costs of adding appropriate IT security to the device.
This concerns IoT devices for end-consumers but equally applies to the area of mechatronics and automation, where aspects of cost pressure often drive a cost reduction spiral and may result in low cost = low quality.
The question arises whether considering the security functionalities of IoT devices from a regulatory perspective is not more appropriate? What if there was a kind of technical inspectorate to periodically check whether these “IoT devices” and implementations are secure and trustworthy?
Information Security – Where to start and how to realize it?
Information security is a very wide and complex domain with different facets to consider. As for the IoT and IoT decides, we observe that economic interests come before security. An HP study from 2015 about IoT devices clearly shows this and brings the following vulnerabilities to light:
- Poorly secured web applications which are allow cross-site scripting or SQL injection
- Weak user and device authentication
- Unsecured communication channels
- Unsafe pre-configurations
- Basic vulnerabilities in hardware and software
Sure, we can address the symptoms with appropriate countermeasures but – much more important – the causes need to be eradicated. Why are the device web applications so poorly secured? Why are errors that have been corrected long ago (when company websites started emerging) made again?
Do we give too little attention to security and safety when it comes to software development? Agile software development methods allow us to minimize the administrative burden and enable highly dynamic creation of software. But what is required is an appropriate security concept & measures across the entire lifecycle of an application or product.
But let’s get back to the vulnerabilities that had already been addressed in the past. The change in software development is certainly one of the reasons why these “old” faults re-occur. But more generally speaking, dedicated security testing is needed in addition to common test pattern. These tests range from classic scanning of known vulnerabilities to detecting even unknown vulnerabilities by using fuzzing tools (confrontation of a system with random values to produce a misbehaviour).
Embedded or not?
Let’s now look at IoT devices and hardware. Basically, we are dealing with computer systems embedded into devices, systems or machines and the very special task of control, take over control to communications. These embedded devices – as opposed to personal computers – do not have the “usual” peripherals like mouse or keyboard.
With the introduction of embedded system such as Arduino or Raspberry Pi, it is now a days possible to start into the adventure of embedded programming directly. The focus here should be on the facet of security, where security problems subliminally but steadily open up due to faulty implementations in software and hardware:
- What if a programming error causes a command to target a wrong part in a supposedly protected RAM area?
- Vulnerabilities that are located in the hardware design of such units are very hard to detect.
Another important point to consider is whether IoT devices are designed on hardware that withstands side channel attacks and of which level – which brings us back to the importance of security testing. Protection of privacy versus self-determined action.
Basically, you can extend this list of security issues in the area of IoT eternally. Depending on the IoT system and the application, security measured need to be taken accordingly. However, at this point, we should look at another player in this game: the user!
Why should businesses invest in security when – on the other side – millions of users in social networks spread personal and private information (about holiday destinations and timing) and reveal their entire consumer behaviour for loyalty programs like “Miles and More” or PayPal?
Let’s say that, as a conclusion, IT security together with safety and privacy measures should certainly be implemented via regulations and inspections. But on the other hand, it is hard to deal with the stupidity of end-consumers.
Disclaimer: This article has been published in SecureMAG Volume 9, 2017
