So Many Smart Devices, So Many Security Vulnerabilities
November 28, 2018
Novemer 28, 2018
|By: Christine Young
Blogger, Maxim Integrated
Do you have an internet of things (IoT) device at home? A smart TV, perhaps? Or a thermostat that senses when the heat needs to be turned on? More importantly, have you done your part to ensure its security? At a minimum, that means changing the device's default password. While users have a responsibility to protect their IoT applications from hacking, design engineers have an even greater obligation to defend their designs. That was the key takeaway from a keynote by a McAfee executive at this fall's Internet of Things Device Security Summit in Santa Clara, California.
"There are so many connected devices out there. There are things we probably don't even know are smart devices," Lynda Grindstaff, VP of content operations & assessment at McAfee, told the audience. "All these devices are really fun, they're exciting…they entertain our kids, they entertain us…but also they have vulnerabilities."
To provide some context on the potential scope of the problem, Grindstaff shared some notable statistics:
- By 2020, a typical household is expected to have more than 50 connected devices
- That's over 24 billion connected things by that year, which breaks down to at least 4 connected devices per person
- More than 60% of consumers are concerned about privacy and security around connected homes
Then, she highlighted an example IoT attack that McAfee researchers discovered inside a WiFi smart plug. One of the libraries inside had a buffer overflow allowing hackers to get inside the device. The issue has since been fixed. However, if the issue was left unpatched, a hacker could potentially send the user an email, using this communication as a vehicle to enter the user's network to seek out the smart plug. Given the plug's vulnerability, the attacker could take control of the device and, in this way, monitor network traffic, discover the home router, and connect to that router via Secure Shell (SSH) protocol to open a port to the outside world. The hacker could then potentially see all of the traffic coming into the home and log into and take control of other smart devices there. Scary scenario, isn't it?
The IoT future threat landscape is, indeed, a scary place: DDoS attacks, ransomware, malvertising and fake ads, social media scams, medical IoT attacks, control and surveillance system attacks. "All of these exploits are going to continue unless we change how we view security. Collectively we can work together and make these devices safer for all of us," said Grindstaff.
Smart TVs and other IoT devices must be designed with security in mind, a McAfee exec told an audience at this fall's IoT Device Security Summit in Santa Clara.
Make Security Your First Design Consideration
Grindstaff urged the designers in the audience to create their products with security in mind. "As you start to create your next widget, think of security first. Embed it into your architecture, your interfaces, and product designs. Don't make it an afterthought," she said.
That mindset is a start, and there are other things to keep in mind, too, she noted during her talk. Establishing and testing basic security concepts, such as data protection, is important. Are you compartmentalizing your data and your code? Are you authenticating to your users? Authentication should be guaranteed without jeopardizing user privacy. Allow for a connected architecture, if you can. What can you do to allow all those devices collectively to work together? Grindstaff noted that the open-source McAfee Data Exchange Layer (DXL) allows different devices (from different vendors) to communicate security alerts to each other. Older-generation devices shouldn't be neglected in the security equation. And, particularly as technologies get smarter and smaller, it will pay off to consider how security can scale to combat even those attacks that haven't yet been conceived.
Security provisioning and configuration is another area that Grindstaff touched on. Her main warning here ties back to the user's oft-neglected responsibility. "Do not allow default passwords. It is a huge, huge problem," she said. Require patches and updates to be signed, data to be encrypted, and a secure web connection. If the IoT device will be operated inside an enterprise, limit its network access and install patches in a timely manner. Add security software to devices that need it. Apply proper administration and management; give end users control to administer the device. Automatically install signed security updates, and provide advanced configuration and reset capabilities. Finally, she said, it'll pay off to design devices so that they're easier to access to implement changes and updates.
Maxim has a long history in developing embedded security ICs that provide a relatively easy way for designers to protect their products. Among its newest devices are the DS28E50 DeepCover® secure SHA-3 authenticator with ChipDNA™ physically unclonable function (PUF) technology. Ideal for a variety of end applications, including IoT devices, the IC brings together FIPS202-compliant secure hash algorithm (SHA-3) challenge-and-response authentication with ChipDNA technology for cost-effective, crypto-strong security that doesn't require cryptography expertise to implement. Have a look for your next embedded (and smart) design.