The Security for the ‘Internet of Things’ (Video) posting on Slashdot provides one view of Internet of Things security. What happens when your oven is on the Internet? A malicious hacker might be able to get it so hot that it could start a fire. Or a prankster might set off your alarm in the middle of the night. A hacker can use your wireless security camera to hack into your home network. Watch the video on the Security for the ‘Internet of Things’ (Video) page (or read the transcript) to get an idea of what can happen and how to protect against it. Remember: There’s always going to be things that are going to break. There’s always going to be.
Mark: “So I think a lot of the system on chips that we’re seeing that are actually going in Internet of Thing devices, a lot of companies are coming up, take an Arduino or Raspberry Pi, very cool chipsets, very easy to deploy and build on. We’re seeing smaller and smaller scales of those, which actually enable engineers to put those into small little shells. We are obviously kind of at this early part of 3D printing. So your ability to manufacture an entire device with a couple of bucks is becoming a reality and obviously if you have a really niche product that might be really popular in Kickstarter, you could actually deploy tens of thousands of those with a successful crowd-funding campaign and never really know about the actual security of that product before it goes to market.”
484 Comments
Tomi Engdahl says:
Q&A: Bruce Schneier on joining IBM, IoT woes, and Apple v the FBI
It’s going to get worse before it gets better
http://www.theregister.co.uk/2016/03/04/bruce_schneier_speaks/
RSA 2016 Security guru Bruce Schneier is a regular at shows like RSA and his talks are usually standing-room-only affairs.
Q: First things first – you’re the CTO of Resilient Systems, which IBM is in the process of buying. Are you planning to stay on?
That’s the plan; I’m 100 per cent planning on joining IBM. As far as I know the entire team is coming over as well.
Q: Yesterday you gave a rather scary talk on the likelihood of a coming breakdown in the interconnected world. You talked about a lot of problems – what do you think the solutions are?
I didn’t mean to be doom laden, but that’s the way these things start – you always start with the problems. But I’m just on the start of this process – it’s likely that yesterday’s talk will form the basis of my next book and when I’ve thought that through, about a third of the volume will look at solutions.
But I really do believe this is a big problem that needs to be addressed. I hope a catastrophic failure won’t come about, but the fact of the matter is we humans are much more reactive than proactive.
Bruce Schneier: We’re sleepwalking towards digital disaster and are too dumb to stop
Coders and tech bros playing chance with the future
http://www.theregister.co.uk/2016/03/02/sleepwalking_towards_digital_disaster/
Tomi Engdahl says:
Securely Surfing the IoT Tsunami
http://www.securityweek.com/securely-surfing-iot-tsunami
The IoT wave is building like a thunderous tsunami, growing larger on the horizon by the day. What is missing from the conversation, however, is how large a role software plays in the IoT equation. Plugging something into the Internet does not make it work — it just makes it vulnerable. Value is created through the associated software. In fact, we have almost reached the point where the actual product or device and the associated software become a single logical unit to the consumer. Allow me to connect the dots.
An IoT device is, by definition, connected to the Internet. For the device to function with any degree of intelligence and value, there must be software. If software is not designed and constructed to be secure, it will contain vulnerabilities that can be exploited to gain access to the device. This means that anything connected to the Internet can be discovered and potentially infiltrated, and the associated software will be the target.
We used to do a practical test back in my days at Cybertrust. We would purchase a PC from a big box store, disable its protections, and plug it into the World Wide Web. Within minutes it would be discovered, and minutes later it would be infiltrated. The illustration was simple: anything connected to the Internet can and will be discovered and breached. There is no reason to believe that IoT devices will be any different, and most are not equipped to protect themselves from attack.
The software story does not stop with the software directly associated with the device. Connected devices collect data and send them to a collection point in a back-end application. If the device is compromised, it becomes possible to extract the device’s data, or collect credentials to attack the back-end system and the stored data.
Tomi Engdahl says:
Hardsploit: The handy hacker help for hapless hopeful hardware hacks
Like Nessus, for Things. Because there’s password gold in them thar chips
http://www.theregister.co.uk/2016/03/11/hardsploit_the_handy_hacker_help_for_hapless_hopeful_hardware_hacks/
Penetration testers Julien Moinard and Gwénolé Audic have produced a security testing framework to automate vulnerability scans for Things used on the internet of things.
The Hardsploit project, to be showcased at the NullCon security conference in Goa, India, is badged as an all-in-one hacking tool for hardware security audits that aims to become “the Nessus of hardware security”.
Nessus is a popular and easy-to-use automated software vulnerability scanner.
Hacking hardware should not be dismissed by software security experts, the pair say, because it can yield cleartext passwords, filesystems, and firmware.
Hardsploit stands to make that feat easier for those not in the know.
“The gap between software and hardware security has widened since the early 2000s … because hardware is mainly just a way to gain access to software,” Audic says.
“I am a software guy and guys like me should be able to access the hardware without struggling with a lot of documentation and to know everything about electronics.”
The pair says devices will use at least one communications bus, from I²C, to JTAG, SPI, PARALLEL, or UART in their chips regardless of internet connectivity.
Tomi Engdahl says:
Floodgate Security Manager designed to protect IoT and embedded devices against cyber-attack
http://www.nohau.fi/resources/news-archive/sv-news/floodgate-security-manager-designed-to-protect-iot-and-embedded-devices-against-cyber-attack
Icon Labs’ new Floodgate Security Manager (FSM) is a security management software suite specifically designed to protect IoT and embedded devices against cyber-attack. FSM can be operated as either an on-premise or a cloud-based security manager.
Tomi Engdahl says:
Hardware cryptographic acceleration and secure storage for TLS in IoT apps
http://www.electronics-eetimes.com/news/hardware-cryptographic-acceleration-and-secure-storage-tls-iot-apps
Atmel has disclosed a hardware interface library for TLS stacks used in Internet of Things (IoT) edge node applications. Hardening is a method used for reducing security risks to a system by applying additional hardware security layers and eliminating vulnerable software.
Atmel’s Hardware-TLS (HW-TLS) platform provides an API that allows TLS packages to use hardware key storage and cryptographic acceleration even in resource constrained edge node designs.
OpenSSL is a general-purpose cryptography library that provides an open-source implementation of the Secure Sockets Layer (SSL) and TLS protocols. wolfSSL is a cryptography library that provides lightweight, portable security solutions with a focus on speed and size. Atmel’s ATECC508A-OpenSSL and ATECC508A-wolfSSL are available for immediate download at their respective software distribution repositories, offering seamless adoption of more secure elements without disruption to the developer workflow.
Secure hardening for both OpenSSL and wolfSSL is made possible with HW-TLS which allows those TLS software packages to interface seamlessly with the Atmel ATECC508A CryptoAuthentication co-processor.
Tomi Engdahl says:
Security vs. Convenience
http://www.deskeng.com/de/security-vs-convenience/
Security Isn’t Easy
Technology may be easier to use than ever, but that’s a detriment to security. Manufacturers want to make it easy for people to use their products, not burden or scare them with layers of security. That can mean default passwords with no requirement to change them and logging in via unprotected sites. If the goal is to make a high-tech product easy enough for a kid to use, what does that mean for security? Headlines calling out security lapses
How can companies design products that are easy to use and secure? It will require bringing even more expertise into the product development pipeline.
Designing Systems, Not Just Products
The good news is, like my family with their technology issues, there is somewhere to turn for help. In addition to security firms and security focused technology vendors, a number of organizations are taking on the challenge of IoT security.
For example, the Internet of Things Security Foundation (IOTSF) describes itself as a non-profit, international initiative with the goal of helping to secure the IoT. In its “Insecurity in the Internet of Things” report, it writes: “The concept of security by design must be given a higher priority in order to avoid security flaws being compounded as the IoT matures … The IoT will be a transformational, disruptive technological movement, but carries a spectrum of risks that affect more than just the IT department.”
The Industrial Internet Consortium (IIC) has released a reference architecture intended to provide a common language for the elements of Industrial Internet systems and the relationships between them.
Tomi Engdahl says:
IoT Security Foundation
https://www.iotsecurityfoundation.org/
The economic impact of the Internet of Things will be measured in $trillions.
The number of connected devices will be measured in billions.
The resultant benefits of a connected society are significant, disruptive and transformational.
Yet, along with the opportunity, there are fears and concerns about the security of IoT systems.
The international IoT Security Foundation (IoTSF) has been established as a response to those concerns.
Establishing Principles for Internet of Things Security
https://iotsecurityfoundation.org/establishing-principles-for-internet-of-things-security/
Security is an important part of almost every IoT deployment yet is often neglected in the development of systems. This blog series looks at questions that need to be considered when designing an IoT device, system or network. A common theme throughout is that investment in security at the design phase can save a lot of time, effort and potential embarrassment at a later date.
There is no single “best” IoT design, the devices will be different and how they are used will be different. Security needs to be considered in the context of how the device will be used. It is important to understand that a device alone will not provide complete security isolation; it needs to be supported by a good architecture and good expectation of what the device is capable of achieving.
Tomi Engdahl says:
Cyber security protection enters a new era
http://www.controleng.com/single-article/cyber-security-protection-enters-a-new-era/3d3c1ba515930f89646e36e6078a96c4.html
Watch for a backdoor cyber security assault. The Juniper Networks incident in December 2015 changed how industry looks at device security as hackers exploit deliberate weaknesses being installed into software. End users, integrators, and device manufacturers need to adapt and prepare for this new reality. Follow these cyber security steps.
A software engineer is trying to complete a major block of code, but his boss cut out a large section including some open-source routines downloaded from the Internet. Replacing those routines will add days to the project. He runs to his boss’ office and pleads: “I need to use that software in the system!”
“You can’t use it. It’s been compromised.”
The engineer nods, having anticipated that reply. “Yes, it’s open-source and came from the Web, but we’ve used it before. I also talked with the software engineers, and they will do a line-by-line review of the source and object code.”
The boss looks up and glances at his award for years of service at an undisclosed location. “You can never be sure something isn’t in there,” he says.
That brief scene might sound like something from a suspense movie, but the situation could be very real given recent events in the cyber security community.
Software engineers trying to write code for devices and industrial systems want to avoid re-inventing the wheel. If someone has already written code to do a certain job, and it works, they don’t want to write it again. They’d rather save time by downloading freeware and open-source code off the Web. Or, they could pick up existing code from earlier products with a proven track record. All of this gets cobbled together and loaded into a new device. As long as it does what it’s supposed to, nobody needs to know or care where it came from.
This has been the working assumption for quite a while, but the landscape is changing. The cyber security world is becoming more confusing with nation-states, hacktivists, and cyber criminals making their presence known. Hackers and their efforts reflect a wide spectrum of skill levels. Some are clumsy and easy to spot. Others are more insidious and undetectable by all except the most sophisticated forensic cyber specialists.
While the engineer looking to streamline the project means well, his boss is correct: unsecure code can lurk within such software. Sometimes it can be found and removed, but a recent example of a cyber security breach proves that the threat can be well camouflaged.
In December 2015, Ars Technica published a stunning report: “On December 17 [2015], Juniper Networks issued an urgent security advisory about ‘unauthorized code’ found within the operating system used by some of the company’s NetScreen firewalls and secure service gateway (SSG) appliances. A patch was issued to the affected device OS, and forensic investigation determined the unauthorized code acted as a backdoor into the device”
This suggests two conclusions:
1. The unauthorized backdoor was put there intentionally.
2. It was carefully designed to evade detection.
This is the beginning of a new era of cyber criminal threats. We are all used to the notion of attackers exploiting vulnerabilities caused by software flaws. It is a common tactic, and everyone is aware of it. Software patches are supposed to fix these flaws and address these vulnerabilities.
Network device vendors are targeted in this manner because their products are entry points to networks. Access to a router or gateway provides entry to an industrial or enterprise system. Network device security thus often proves to be the soft underbelly of many organizations’ defensive strategies. The value of such a backdoor secretly placed in a device, hidden with normal-looking code, is huge, and the larger implications are frightening.
Why? Let’s consider some examples of how this new network device threat will change security best practices:
1. Using network switches to implement virtual local area network (VLAN) separation between industrial control and business networks is no longer adequate. No organization can design networks with VLAN separation and expect them to be secure.
2. Depending on VPN encryption as a magic bullet to protect confidentiality is no longer adequate. An organization will need to start looking at how deeply it depends on VPN techniques as their “go to” solution to move information on secured networks. A VPN tunnel is no longer safe across any network – particularly for long-distance communication within global organizations.
3. Assuming all is well with network device configuration isn’t safe anymore. Many organizations follow a basic practice: if nobody touches a device, it has the same configuration it had before. That is no longer true. Companies will need to ramp up configuration control and auditing to account for the possibility of device configurations being changed by unauthorized means.
Researchers confirm backdoor password in Juniper firewall code
“Unauthorized code” included password disguised to look like debug code.
http://arstechnica.com/security/2015/12/researchers-confirm-backdoor-password-in-juniper-firewall-code/
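Point 3 in the list above (configuration control and auditing) can be made concrete. This is an added example, not part of the quoted article: it compares a freshly exported device configuration against an approved baseline whose fingerprint is keyed, so the baseline record cannot be quietly recomputed by whoever changed the device. The configuration syntax, host name, key and `VOLATILE` patterns are constructed for illustration and do not match any vendor's format.

```python
import difflib
import hashlib
import hmac
import re

# Constructed key; in practice it is held by the audit system, never on the device.
AUDIT_KEY = b"constructed-demo-key"

# Lines that change on every export without changing behaviour (assumed patterns).
VOLATILE = re.compile(r"^\s*([!#]|uptime\b)", re.IGNORECASE)

# Constructed sample exports; the syntax is illustrative, not a real vendor format.
APPROVED = """\
! exported 2016-01-04 09:00:12
hostname edge-gw-01
set admin user ops privilege all
set interface eth0 zone untrust
set policy from untrust to trust permit service ssh src 10.0.5.0/24
"""
DEVICE_NOW = """\
! exported 2016-02-11 03:14:55
hostname edge-gw-01
set admin user ops privilege all
set admin user support privilege all
set interface eth0 zone untrust
set policy from untrust to trust permit service ssh src any
"""


def normalize(config_text):
    """Return the meaningful config lines, order preserved, volatile lines dropped."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line and not VOLATILE.match(line):
            lines.append(line)
    return lines


def fingerprint(lines, key):
    """HMAC-SHA256 over the normalized lines."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for line in lines:
        mac.update(line.encode("utf-8") + b"\n")
    return mac.hexdigest()


def make_baseline(config_text, key):
    """Record an approved configuration together with its keyed fingerprint."""
    lines = normalize(config_text)
    return {"lines": lines, "mac": fingerprint(lines, key)}


def audit(baseline, current_text, key):
    """Compare a fresh export against the baseline and list what changed."""
    # First make sure the stored baseline itself has not been edited.
    if not hmac.compare_digest(baseline["mac"], fingerprint(baseline["lines"], key)):
        return {"status": "baseline-tampered", "changes": []}
    current = normalize(current_text)
    if hmac.compare_digest(baseline["mac"], fingerprint(current, key)):
        return {"status": "unchanged", "changes": []}
    diff = list(difflib.unified_diff(baseline["lines"], current,
                                     "approved", "device", lineterm="", n=0))
    # Skip the two file-header lines, then keep only added/removed config lines.
    changes = [d for d in diff[2:] if d.startswith(("+", "-"))]
    return {"status": "drift", "changes": changes}


if __name__ == "__main__":
    baseline = make_baseline(APPROVED, AUDIT_KEY)
    report = audit(baseline, DEVICE_NOW, AUDIT_KEY)
    print(report["status"])
    for change in report["changes"]:
        print("  " + change)
```

A changed export timestamp alone does not raise an alert, while the extra admin account and the widened source range are both reported.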
Tomi Engdahl says:
Using SELinux and SMACK on Embedded Linux in Industrial and IoT Devices
https://www.mentor.com/embedded-software/multimedia/using-selinux-and-smack-on-embedded-linux-in-industrial-and-iot-devices?contactid=1&PC=L&c=2016_03_30_embedded_technical_news
The rapid growth in Internet connected devices increases the opportunity for rogue elements to hack into systems and cause damage. Device designers must become increasingly vigilant with the security of connected devices
SELinux and SMACK
Integrating SELinux or SMACK into embedded Linux platforms
Tomi Engdahl says:
IoT Security for Gateways and Edge Devices
https://www.mentor.com/embedded-software/multimedia/iot-security-for-gateways-and-edge-devices
Providing complete IoT security not only requires that the communication from the gateway to the cloud is secure, but requires that the gateway can participate in the secure communication and management of connected edge node devices, which themselves must be secured. Learn the key concepts required to implement a security architecture to enable complete IoT security. Topics covered include secure boot and firmware anti-tamper, authentication and authorization strategies, certificate and key management, intrusion detection and prevention using an embedded firewall, encrypting data in transit, how to leverage system partitioning for enhanced security and the importance of event recording, system auditing and reporting, and device policy management tools and procedures to meet stringent security requirements. We will also address the scalability challenges of securing very small endpoints including devices built with 8-bit MCUs and as little as 8Kb of memory.
Tomi Engdahl says:
Hacker reveals $40 attack that steals police drones from 2km away
No encryption in pro-grade drones: just sniff Wi-Fi and copy signals
http://www.theregister.co.uk/2016/04/01/hacker_reveals_40_attack_to_steal_28000_drones_from_2km_away/
Black Hat Asia IBM security guy Nils Rodday says thieves can hijack expensive professional drones used widely across the law enforcement, emergency, and private sectors thanks to absent encryption in on-board chips.
Rodday says the €25,000 (US$28,463, £19,816, AU$37,048) quadcopters can be hijacked with less than $40 of hardware, and some basic knowledge of radio communications.
With that in hand attackers can commandeer radio links to the drones from up to two kilometres away, and block operators from reconnecting to the craft.
The drone is often used by emergency services across Europe, but the exposure could be much worse; the targeted Xbee chip is common in drones everywhere and Rodday says it is likely many more aircraft are open to compromise.
The Germany-based UAV boffin worked with the consent and assistance of the unnamed vendor to pry apart the internals of the drone and the Android application which controls it.
Tomi Engdahl says:
Secure IoT System Boot with a Hardware Root of Trust
https://www.synopsys.com/Company/Publications/DWTB/Pages/dwtb-secure-iot-system-boot-2016q1.aspx?elq_mid=7882&elq_cid=546544#sthash.G4RvNjki.dpuf
Tomi Engdahl says:
Bug Bounty Guru Katie Moussouris Will Help Hackers and Companies Play Nice
http://www.wired.com/2016/04/bug-bounty-guru-katie-moussouris-will-help-hackers-companies-play-nice/
As chief policy officer at HackerOne, Katie Moussouris helped the Defense Department launch its Hack-the-Pentagon program—the first federal bug bounty program that promises to pay hackers who uncover vulnerabilities in the DoD’s public-facing web sites. That was after spending three years to convince Microsoft to launch its first bug bounty program in 2013. And now Moussouris is branching out as an independent consultant to help companies and organizations interested in launching bug bounty programs move from the thinking stage to the doing phase.
“There’s huge momentum not just in the government space, but in private industry, where you’re seeing all types of vendors, not just tech vendors, … working with hackers,” she says. From medical device manufacturers and healthcare organizations to car companies and home appliance makers, companies that never considered themselves software vendors are now having to grapple with some of the same issues that Microsoft and Google face. As they add more digital code to their products, they have to worry about software vulnerabilities and patches. With that comes an increasing need to work respectfully with the community of white hat hackers and researchers who find and report vulnerabilities to them.
“We are riding this big wave where hackers are more and more being viewed as helpful as opposed to harmful,” she says. “That’s where I want to help.”
Tomi Engdahl says:
Internet of Things scares people
As early as 2020 the world will have – depending somewhat on who is estimating – up to 40-50 billion network-connected devices. Most of these form the so-called Internet of Things (IoT). While the IoT promises endless growth for almost all companies, ordinary people are downright scared by the technology’s expansion.
This result came from the MEF, namely the Mobile Ecosystem Forum, which questioned more than 5,000 mobile users about their views on the Internet of Things. 60 percent of those surveyed are concerned about networking. 21 percent fear that machines are taking over the world.
Privacy and security cause the most concern. They worry more than half of those surveyed (62 and 54 percent). More than one in four, or 27 percent of those surveyed, are afraid for their physical safety.
Companies building IoT solutions have a lot to think about. – They have to think carefully about how to build a trusting relationship with consumers
Source: http://etn.fi/index.php?option=com_content&view=article&id=4242:esineiden-internet-pelottaa-ihmisia&catid=13&Itemid=101
Tomi Engdahl says:
Threat Modeling
http://www.omg.org/hot-topics/threat-modeling.htm
Threats and risks are increasingly multi-dimensional in nature – spanning both physical and cyber space across multiple domains, (i.e. critical infrastructure, cyber, health and human services, public safety).
There is a critical need to share threat and risk information across these domains. A community of interest (COI) with standards can help spearhead the integration of threat & risk management and situational awareness along with the standards, technologies and capabilities to counter multi-dimensional threats.
Threat information sharing enables system engineers and architects to build systems-of-systems that implement and leverage the capabilities to share threats (and potentially actual attacks) across different organizations, IT systems and standards. To enable threat sharing across different protocol platforms and systems, a platform-independent model of threats is needed for establishing a common understanding.
The Object Management Group® (OMG®) System Assurance Task Force in collaboration with the Government Domain Task Force has issued a Request for Proposal (RFP) for a Unified Modeling Language (UML®) Threat & Risk Model.
Threat and Risk Community
http://threatrisk.org/drupal/
Threats and risks are increasingly multi-dimensional in nature – spanning both physical and cyber space. Only by analyzing, federating, and sharing information across multiple domains (i.e. critical infrastructure, cyber, health and human services, public safety), can we effectively counter multi-dimensional threats. This community initiative is focused on driving the federation and secure sharing of threat, risk and provenance information across multiple domains, technologies and data formats. Domains of interest include but are not limited to cybersecurity, law enforcement and public safety, counter terrorism, critical infrastructure, health and emergency management.
Tomi Engdahl says:
A good source for ‘traditional’ Internet connected device attacks is the Open Web Application Security Project (OWASP [9], [10]). OWASP lists the following as the top 10 vulnerabilities for IoT systems:
1. Insecure Web Interface
2. Insufficient Authentication/Authorization
3. Insecure Network Services
4. Lack of Transport Encryption
5. Privacy Concerns
6. Insecure Cloud Interface
7. Insecure Mobile Interface
8. Insufficient Security Configurability
9. Insecure Software/Firmware
10. Poor Physical Security
A good source for security threat models for higher-end security devices like bank cards are the Common Criteria [11] Protection Profiles [12]. These Protection Profiles are documents that describe the security targets for a class of devices and are used for formal certification of what Evaluation Assurance Level (EAL) implementations are guaranteed to comply with the protection profile security targets. Many protection profiles are published, for example, for ICs, smart cards and smart card-related devices and systems, and for products for digital signatures. Another source would be the Payment Card Industry Security Standards Council (PCI [13]) including a framework of specifications and support resources to help ensure the safe handling of cardholder information at different steps.
Whereas the security threats listed by OWASP focus mostly on communication protocol and software security problems that, in most cases, do not require physical access to the device, the Common Criteria and PCI ones include physical attacks as well. For today’s IoT systems, most security breaches reported are on software/end-to-end system level and often due to negligence. For example, 70% of the devices investigated in a recent study [14] used unencrypted network services. Attacks that could exploit such security issues include eavesdropping and man-in-the-middle attacks that intercept and modify the data being communicated. Other examples of attacks are software buffer or stack overflow attacks that feed a device with out-of-spec inputs like the OpenSSL Heartbleed bug. These types of attacks can leak secure information or could enable running of malicious applications and rooting, obtaining higher level privileges than a user normally would be entitled to.
Physical attacks can be split into two categories: invasive and non-invasive. Non-invasive attacks use regular interfaces of a device like USB ports, or relatively easy accessible JTAG debug interfaces that provide access to and control of the IoT device processor and memories. Another type of non-invasive attacks are side-channel attacks. These exploit information leaked from a device to reconstruct protected secrets by measuring variations in power consumption of a device or variations in the electromagnetic radiation to reconstruct the computations performed and to extract private keys from these. Invasive attacks go a step further by opening up the IoT system and potentially altering it physically. This can be at board level e.g. by tapping into the bus interface between processor and external memory, but also at chip level. Depending on the budget of the attacker, attacks can go as far as de-capping an IC package, removing top layers and then inspecting structures, monitoring signals (by attaching microprobes), or even altering structures with a FIB device.
Given the diversity of all of the potential security threats described above, it is important to perform a specific threat analysis for a specific type of IoT device.
IoT Security Countermeasures
Reading the list of potential attacks from the previous section, an IoT system designer might easily get disheartened. There are so many different threats that cover so many different disciplines that it is hard to have sufficient expertise in all of these fields. On the positive side however, many technologies exist to counter the threats. Some of these that have been around for a long time are well-known and proven – just not always applied. And some are more recent or continuously being enhanced. More and more standard security IPs, software, and tools are available on the market, simplifying the task of a system architect to design a secure solution. This section provides a high-level overview of available solutions, the next part of this paper will focus on more recent solutions, and finally a system example will be presented with an emphasis on securing IoT edge nodes.
Source: https://hosteddocs.emediausa.com/arc_security_iot_wp.pdf
Tomi Engdahl says:
Interfaces create new business – and cry for security
Less than half of the revenue of commercial cloud services like Salesforce or eBay is generated through the actions of end users tinkering in a browser.
Most of the revenue flows into the coffers through applications written by customers or partners themselves. The use of applications on smartphones and tablets has become so common that using the browser is the exceptional case.
Services are accessed via the application programming interface, or API. In the wake of the cloud giants, quite ordinary companies have started to publish their own APIs, for example to their product catalogues, business applications or information services. Open data providers are also significant API publishers.
The use of APIs can already be seen as a separate form of business, the API economy. A directory of public APIs is maintained by ProgrammableWeb.com. As of this writing the directory lists 13 990 APIs.
API stands for application programming interface.
The Web APIs at the heart of the current API boom represent a new generation from the 2010s. The most common standards are REST and JSON, but the practices built on top of them are less formal and therefore easier to use than SOA.
When new business models are developed with enthusiasm, unpleasant basics such as security tend to be forgotten.
Over the past few years, security breaches and vulnerabilities associated with API implementations have put well-known companies like Facebook, Snapchat, Tinder, Twitter … even the US tax authorities into the headlines.
In the SOA era, important standardized security procedures such as WSS (Web Services Security) and SAML were developed.
In the world of REST APIs the field is more fragmented; the main security procedures are TLS encryption of traffic, OAuth 2.0 and OpenID for secure delegation of access, and the JW family of encryption standards for protecting JSON data.
Of course, nothing forces the use of any specific procedures, because an API is a kind of two-way street. The API publisher is satisfied if the API is used and feedback comes in, hopefully not in the form of an information leak. Only a minority of API publishers verify customers’ applications in any way – if the API provides technically sufficient data security, its use is the customer’s responsibility.
Researchers from the German University of Darmstadt and the Fraunhofer SIT organization reported in May that they had found tens of millions of virtually unprotected user records in Facebook Parse and Amazon AWS user databases: email addresses, passwords, contacts, and even financial payment transaction data.
The researchers found in Google’s and Apple’s app stores multitudes of applications that stored confidential user data in those backend services without any other protection. Such use of the API is contrary to the services’ instructions for use, but too few application authors think enough about security issues.
The end user is entirely unprotected against API threats; the ball is in the application developers’ court. The OWASP organization’s vulnerability statistics are a useful checklist for API developers. After careful software design and coding, vulnerability testing can be applied to the finished code. Traditional testing products are, however, not very useful with the new kind of APIs.
Gartner’s report on application security testing tools, published in August, goes through 19 products. Only a few of the tool descriptions indicate any readiness to test REST/JSON APIs, although over the last couple of years progress has just started to happen.
If several different APIs use the same authentication process, it should be implemented in a dedicated API gateway rather than having every programmer code their own solution.
Centralized API management products are offered by many well-established enterprise software companies such as CA, IBM and Software AG.
Source: http://www.tivi.fi/Kaikki_uutiset/rajapinnat-luovat-bisnesta-ja-huutavat-tietoturvaa-6543765
Tomi Engdahl says:
Wearables Pose New Security Risks
http://www.eetimes.com/author.asp?section_id=36&doc_id=1329530&
Design flaws can create security vulnerabilities in wearable devices, according to a new report from the IEEE based on a fictional WearFit device.
Wearable computing devices are changing the way humans interact with technology, and that shift has security implications that must be addressed. The tight integration of these devices into our lives—they sense and transmit data on our activity and health—manifest in new ways risk we’ve long experienced in desktop and Web applications.
The IEEE Cybersecurity Initiative’s Center for Secure Design issued a report titled “WearFit: Security Design Analysis of a Wearable Fitness Tracker.” It provides practical insights into secure software design principles and practices, no matter what types of devices you work on, by analyzing the design of a wearable device.
The balance of the report uses a model originally published in the IEEE report “Avoiding the Top 10 Software Security Design Flaws” to walk the reader through the security design decisions that are most important to the WearFit system. This work was accomplished under the auspices of the IEEE Cybersecurity Initiative and its offshoot the IEEE Center for Secure Design, whose mission is to shift the software industry’s focus from a reactive search for bugs to a more proactive focus on secure design that prevents vulnerabilities.
WearFit: Security Design Analysis of a Wearable Fitness Tracker
https://www.computer.org/cms/CYBSI/docs/WearFit.pdf
AVOIDING THE TOP 10 SOFTWARE SECURITY DESIGN FLAWS
https://www.computer.org/cms/CYBSI/docs/Top-10-Flaws.pdf
Tomi Engdahl says:
IoT Security Spending to Skyrocket
http://www.eetimes.com/document.asp?doc_id=1329533&
Global enterprises and consumers will pump nearly $350 million into securing the Internet of Things (IoT) this year, a figure that is set to grow exponentially in coming years as networks of connected objects expand, according to market research firm Gartner Inc.
According to Gartner’s latest forecast, IoT security spending is set to nearly double between 2014 and 2018, growing from about $232 million to nearly $550 million. The market research firm predicts that IoT security spending growth will pick up significantly after 2020, as improved skills, organizational change and more scalable service options improve execution.
Ruggero Contu, Gartner
“The market for IoT security products is currently small but it is growing as both consumers and businesses start using connected devices in ever greater numbers,” said Ruggero Contu, a Gartner research director, in a statement.
Gartner projects that there will be 6.4 billion connected devices in use worldwide this year, up 30% from last year. The firm estimates that there will be some 11.4 connected devices by 2018.
“However, considerable variation exists among different industry sectors as a result of different levels of prioritization and security awareness,” Contu said.
Much of the attention focused on IoT security vulnerabilities to date has focused on vehicles and other large equipment that, if compromised, could have the potential to cause significant damage, injury and loss of life.
According to Gartner’s forecast, by 2020 more than 25% of identified security attacks in enterprises will involve IoT. However, the firm projects that IoT will still account for less than 10% of IT security budgets.
Tomi Engdahl says:
Smart homes are one of the fastest-growing segments in the IoT. Intelligent applications such as connected thermostats, washing machines and lights make life easier and more convenient for home dwellers, also helping to cut electricity bills. However, these networked devices can also open virtual doors to unwanted guests. The challenge facing smart home service providers and device manufacturers lies in protecting their services and products against digital threats.
Who should attend?
Design engineers, system and security architects and product managers involved in device and system design for smart homes
Source: https://webinar.techonline.com/2045?keycode=TOL1
Tomi Engdahl says:
Secure Your World
http://www.microchip.com/promo/cec1302#utm_source=Press_Release&utm_medium=Press_Release&utm_term=FY17Q1&utm_content=CPG&utm_campaign=Press-Release
CEC1302 32-bit ARM® Cortex®-M4 Controller with Integrated Crypto
The CEC1302 easily and quickly allows for pre-boot authentication of the system firmware in order to ensure that the firmware is untouched and uncorrupted thereby preventing security attacks such as man-in-the-middle, denial of service, and backdoor vulnerabilities. It can also be used to authenticate any firmware updates, protecting the system from malware or memory corruption.
Tomi Engdahl says:
U.S. Investigates Security Update Practices
FTC, FCC send letters to mobile industry
http://www.eetimes.com/document.asp?doc_id=1329648&
Perhaps, it’s a sign of the times. Federal agencies are seriously worried about cyberattacks.
Whether such assaults are launched on smartphone or connected vehicles, the U.S. government has come to believe that the threats are real. Agencies are asking industries how they’re responding to the vulnerabilities of their own connected devices and networks.
Last month, the Government Accountability Office (GAO) released a report on vehicle cybersecurity—connected to possible safety issues. The GAO interviewed 32 selected industry stakeholders to better understand how the automotive industry is developing cyber security.
Vehicle Cybersecurity:
DOT and Industry Have Efforts Under Way, but DOT Needs to Define Its Role in Responding to a Real-world Attack
http://www.gao.gov/products/GAO-16-350
Tomi Engdahl says:
IP Speeds Car2x Communications
http://www.eetimes.com/document.asp?doc_id=1329654&
Semiconductor IP provider EnSilica has launched a cryptographic IP that could help meet the high security communication and latency requirements of automotive Car2Car and Car2Infrastructure (Car2x) applications. These applications form part of emerging Intelligent Transport Systems.
EnSilica’s eSi-ECDSA cryptographic IP is compliant with the IEEE 1609.2 and ETSI TS 103 97 standards. These standards define the security layers in the Car2x communication protocols where cryptographic algorithms are the primary tools used to safeguard against information security risks such as message confidentiality, integrity, availability and authenticity. In particular, the Elliptic Curve Digital Signature Algorithm (ECDSA) is specified for message authentication, the Elliptic Curve Integrated Encryption Scheme (ECIES) for asymmetric encryption and the Advanced Encryption Standard (AES) for symmetric encryption.
The IP is an ASIC acceleration core designed to deliver the high level of message-signature verifications required by Car2x ECDSA message authentication, where practical requirements range between 400 to 4000 verifications per second depending on the message beaconing rate (1Hz to 10Hz) and expected worst case vehicle densities on the road. This overcomes the slow verification rates of traditional embedded software cryptographic algorithm implementations which typically only deliver message-signature verifications in the order of 10’s per second. eSi-ECDSA achieves this by off-loading the ECDSA signing and verification operations so that the processor is only required to load and read back results via an APB or AHB interface.
Tomi Engdahl says:
IoT Security is Imec Target
Program develops lightweight embedded crypto
http://www.eetimes.com/document.asp?doc_id=1329760&
Tomi Engdahl says:
Design and Build Secure IoT Solutions – Part 1
https://www.eeweb.com/company-blog/ibm/design-and-build-secure-iot-solutions-part-1/
IoT security has become the major challenge of developers nowadays. With the vast sensitive data being collected and exchanged along a network of smart devices in the cloud, it has been an attractive target for cybercriminals. Developers must address this issue seriously and incorporate a more reliable security feature into every IoT solution.
IoT Security Basics
IoT solutions involve a complex network of smart devices, such as vehicles, machines, buildings, or home appliances, that are embedded with electronics, software, sensors, and network connectivity, which enable these “things” to collect and exchange data. The “things” in the Internet of Things allow developers to provide a broad range of new services based on these cloud-enabled, connected physical devices. As IoT applications collect more and more previously unexposed—often private—data, and allow access to various control functions over the internet, security becomes a major challenge. Therefore, an IoT application must:
Prevent system breaches or compromises. Each tier of the IoT application must implement effective preventive measures to keep the hackers out. For example, you need to harden the device to make sure communication from the device to the cloud is secure.
Support continuous monitoring. Even the best secured systems still leave many vulnerabilities. Also, today’s best secured solution (both hardware and software) might not be good enough to prevent attacks in the future. Therefore, you must supplement your security measures with continuous monitoring and constant upgrading of the system to protect against the latest forms of attack.
Be resilient. Finally, if a breach does occur, damage must be minimized and the system must recover as quickly as possible.
IoT Vulnerabilities
Developers have so many ways that they can apply IoT technologies to create IoT solutions. They can create a simple home monitoring system that provides alerts to smartphones and smart watches, or they can create complex healthcare systems that collect data and control a network of patient devices—and many opportunities for solutions we can’t yet imagine.
But connecting objects like cars, homes, and machines exposes a lot of sensitive data, such as the location of people in a building or medical records of patients. This data must be protected in accordance with the key information security principles, the CIA triad: confidentiality, integrity, and availability.
Any device that has network connectivity is vulnerable. Personal data that is collected by IoT devices is always of value to data hackers and identity thieves. Also, a cyber attack on IoT solutions has the potential to cripple physical services and infrastructure.
IoT Security Design Challenges
While the importance of IoT security is widely understood and agreed upon, the actual design and implementation of IoT security brings new challenges and opportunities for creativity. In the design of most any app, developers always face a trade-off between security and usability. For IoT solutions, it becomes even more problematic. IoT devices often have limited computing power and memory capacity, making it difficult to use complex cryptographic algorithms that require more resources than the devices provide.
Another challenge is updating IoT devices with regular security fixes and updates. Rolling out security patches to all devices at once can be very difficult in unreliable, low-bandwidth device networks, and many existing security measures, such as web browser security, might not be available to IoT applications.
In addition, security mechanisms might need to be developed or enhanced for new protocols that are designed specifically for the Internet of Things, such as Message Queuing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP). Therefore, it is especially important to factor in security considerations from the very beginning when you design IoT apps.
Most IoT solutions consist of three main tiers. IoT solution components that run in each tier need to incorporate specific security measures to protect against various vulnerabilities.
Devices/Gateways tier: Protect against a “fake” server that sends malicious commands, or protect against a hacker that tries to listen to private sensor data being sent from the devices. Security considerations for this tier are discussed in Part 1 (this article).
Network/Transport tier: Protect against a “fake” device that sends false measurements that might corrupt the data that is being persisted in the application. Security considerations for this tier will be discussed in Part 2.
Applications tier: Protect against the invalid use of data, or protect against the manipulation of analytical processes that are running in the application tier. Security considerations for this tier will be discussed in Part 3.
Tomi Engdahl says:
CCTV DVR Vulnerabilities Traced To Chinese OEM Which Spurned Researchers’ Advice
https://hardware.slashdot.org/story/16/03/24/002255/cctv-dvr-vulnerabilities-traced-to-chinese-oem-which-spurned-researchers-advice
RSA security researcher Rotem Kerner has identified a common vulnerability in the firmware of 70 different CCTV DVR vendors, which allows crooks to execute code and gain root privileges on the affected devices. The problem was actually in the firmware of just one DVR sold by Chinese firm TVT. The practice of “white-labeling” products helped propagate this issue to other “manufacturers” who did nothing more than to buy a non-branded DVR, tweaked its firmware, slapped their logo on top, and sold it as their own, vulnerability included.
http://news.softpedia.com/news/remote-code-execution-flaw-found-in-firmware-of-70-different-cctv-dvr-vendors-502096.shtml
RSA security researcher Rotem Kerner has identified a common vulnerability in the firmware of 70 different CCTV DVR vendors, which allows crooks to execute code and even gain root privileges on the affected devices.
His investigation started after the researcher revisited an older security report about the Backoff PoS malware campaign in which crooks hacked surveillance cameras to verify that the target they wanted to infect was a retailer.
“These DVRs have been abused since 2014”
A quick Shodan search showed Mr. Kerner that, today, 30,000 similar devices are still accessible via the Internet. He tracked down one of the DVRs as being sold by an Israeli company, which also offered the device’s firmware on its website.
While this helped speed up his research, Mr. Kerner received a second present when he discovered that the firmware binaries were also left in debug mode, which meant that the code contained symbols, function names, and code comments to help his investigation.
“Attackers can gain root on all vulnerable DVRs via a Web-based attack”
In the firmware, the researcher discovered a remote code execution (RCE) vulnerability that allowed him to run shell commands by accessing a specially crafted URL, accessible via the DVR’s built-in server.
The origin point for all these products was a Chinese company called TVT. The researcher revealed the issue to TVT, but the company chose to ignore him, so the researcher did the only thing left, by publicly disclosing the flaw and hoping that network administrators would secure these vulnerable devices behind a firewall.
Tomi Engdahl says:
Data Integrity for the IoT
http://www.techonline.com/electrical-engineers/education-training/tech-papers/4439263/Data-Integrity-for-the-IoT=NL_TOL_Edit_Subs_20160629_TechnicalPaper
The data flowing through an Internet of Things (IoT) solution can be its greatest asset and its largest problem. Since IoT devices do not behave in the classical server/client model—where communication occurs in an ordered fashion—an IoT implementation must be designed with the explicit goal of ensuring data integrity.
Tomi Engdahl says:
UL Bringing ‘Adult Supervision’ to IoT–Really?
http://www.eetimes.com/document.asp?doc_id=1330011&
In early April when UL (Underwriters Lab) launched its new cybersecurity standard, dubbed UL 2900, for the testing and certification of connected devices, reactions from the Internet of Things (IoT) market were split.
On one hand, cybersecurity experts surmised that UL was in over its head.
After all, the safety organization, founded 122 years ago, was originally built on safety standards for the public adoption of electricity. People worried about safety of electrical wiring.
However, plenty of people thought it high time for the well-respected organization — a guardian of safety standards for a host of products — to weigh in on cybersecurity issues for emerging connected devices. UL proponents are hoping it can bring “adult supervision” to a deeply fragmented Internet of Things (IoT) market – where too many connected devices are designed with too little security.
Three months after the UL announcement, EE Times talked to some IoT technologists. How is UL 2900 being viewed and accepted?
UL intends to play an important role in the IoT community. The industry should benefit from “scientific, repeatable and reproducible criteria” for assuring quality of their products – whether applied to software, chips, components or end systems, as UL’s Modeste pointed out.
A big unknown, however, is how UL’s Cyber Assurance Program will define commonality among cybersecurity practices, at a time when device vendors are already burdened with myriad compliance requirements set forth by each vertical IoT segment.
Right now, the UL 2900 standard is still in early days.
Sami Nassar, vice president of cyber security solutions at NXP Semiconductors, told EE Times, “As a technology vendor, we find getting a third-party certification is always a good thing. It helps to differentiate good products from bad.”
But Nassar provided a few cautions. Whether a connected vehicle or a smart home solution such as that of Apple’s HomeKit or Google’s Weave, “Each vertical [IoT] segment already has its own set of compliance requirements for interoperability and security.”
He stressed, “We want to encourage UL to get into security certifications.” But it won’t be easy for the group to “uniformalize” a cybersecurity standard to cut across the industries, he added. UL 2900, for now, might be useful only for products in industry pockets where compliance requirements don’t exist, he suspected.
UL relies on a publicly-available government vulnerability database – put together by NIST – to identify risks. UL helps IoT designers build secure products by avoiding the use of software or components with known vulnerabilities.
EE Times: Who will benefit from UL 2900?
UL: We have three categories of people in mind. First, there are manufacturers and designers of systems. Second, those in supply chains and owners of assets who want to know where critical components and software came from. Third, there are those working in the security department of organizations.
EE Times: Why do they need it?
UL: Asset owners – like hospitals, gas/oil refineries, and large organizations that use HVAC or IT equipment, for example – approached UL. They asked us if they could be assured that they aren’t procuring products that come with known cybersecurity vulnerabilities.
UL: We’ve been in the security field for over 20 years. We developed FIPS 140 (The Federal Information Processing Standards are U.S. government computer security standards that specify requirements for cryptography modules). We’ve also worked on Payment Card Industry (PCI) standards and Common Criteria. We’ve been in the cybersecurity space for at least the last 10 years.
EE Times: How long have you been developing UL Cyber Assurance Program (CAP)?
UL: Over the last three to four years. We saw challenges emerging as security issues started to crop up in the field outside the traditional IT space. Risks are spreading out into HVAC, automotive, lighting, factory automation and medical fields.
EE Times: What do you exactly test?
UL: Software used within products – ranging from chips to components and systems. We look at existing vulnerabilities, defects and patches known to third-party vendors. We test to discover coding errors and security loopholes in software, operating systems or networks.
We see how a system accesses remote devices and do software updates. We offer structured penetration testing regimen, and see if we can plug those holes. We define flaws and weaknesses and provide scientific repeatable and reproducible testing criteria.
EE Times: I see UL 2900-1 and 2900-2 standards. What are the differences?
UL: The UL 2900-1 covers all the requirements ranging from automotive components to washers/driers and lighting. The UL 2900-2 was developed to address additional specifications specific to certain segments – like medical and industrial control. For example, authentication is critical for many connected devices. But when a doctor has to use an urgent care infusion pump and he can’t remember the password, it sort of defeats the whole purpose.
Tomi Engdahl says:
Run a Secure IoT Cloud Server for $8/Year
http://www.eetimes.com/author.asp?section_id=36&doc_id=1330015&
For most small-scale operations and DIY projects, a low-cost Virtual Private Server (VPS) is more than adequate.
Here’s how to set up a secure Internet of Things (IoT) cloud server, where memory-constrained edge nodes can communicate securely with the cloud server and where devices can be managed in real time using a web-based user interface. I’ve tailored this blog for learning purposes and DIY projects and provide a link to the details (the recipe with $8 ingredients) for setting up your own secure IoT server and device infrastructure.
IoT cloud server solutions
Most IoT cloud server solutions, whether they provide ready-to-use hosted services or not, are based on a standard Virtual Private Server (VPS). Most developers probably think about Amazon or Microsoft Azure’s services when considering the server side of their IoT solution. These high-end services are great if you need to scale up to millions of connected devices. However, for most small-scale operations and DIY projects, a low-cost VPS is more than adequate.
The website lowendbox.com provides reviews for low-cost Virtual Private Servers and is a great place to start when selecting a VPS. We found an $8/year VPS suitable for our secure IoT experiment.
Cloud server operating system and software
A freshly installed Linux operating system on an online VPS is typically bare-bone with few services running. At a minimum, the Linux installation must have an SSH (Secure Shell) server running so you can remotely log on to the server and install software of your choice. The software we selected for the server-side IoT solution is an application server called the Mako Server. One of the reasons for selecting the Mako Server is that it uses memory very efficiently. In contrast, most high-end server side application frameworks will require large amounts of memory, and are therefore unable to operate on a low-cost VPS.
The Mako Server is an extremely light-weight application server
Mako Server is that the server can act as a dual-certificate server, thereby enabling the use of standard RSA certificates for browsers and small ECC certificates for edge nodes. SSL (Secure Sockets Layer) certificates can have a great impact on memory if you do not consider the type of certificate being used in your IoT solutions. Using the wrong type of certificate may break the design of a memory-constrained edge node.
IoT protocol for secure edge-node-to-cloud communication
The Mako Server includes a secure IoT protocol called SMQ (Simple Message Queues). The server and its application framework enable the user to write server-side scripts for interacting directly with the SMQ IoT broker. The server-side application framework also enables the user to extend the IoT protocol and connect it to other services on the Internet or to other local services running on the VPS, such as database services.
How to run your own secure IoT cloud server for $8/year
http://www.embedded.com/electronics-blogs/say-what-/4442293/How-to-run-your-own-secure-IoT-cloud-server-for–8-year
Enabling trust and security
Not surprisingly, setting up a secure IoT solution requires more work than setting up a non-secure solution. A secure IoT implementation requires that, at a minimum, you set up a trusted server. The SSL/TLS (Secure Sockets Layer / Transport Layer Security) protocol is used for the encrypted communication, but TLS will not be secure unless the infrastructure is based on trusted X.509 (SSL) certificates. This trust is the key component required for TLS to be secure. For this reason, it is important to install a certificate in the server that is trusted by all of the clients connected to the server.
A browser that connects to the server requires an installed certificate that is signed by a well-known certificate authority (CA). In this case, “well-known” means that the CA’s public root certificate is pre-installed in the browser/computer that you are using. You can use free or paid-for well-known CA services when signing your server certificate.
An alternative to using a well-known CA is for you to become your own CA and to use your own server certificate for device communication
One of the benefits of being your own CA for the certificate exchanged between the server and the device clients is that you can select to use an Elliptic Curve Cryptography (ECC) certificate for the server. The benefit with using an ECC certificate is that the certificate is much smaller than an RSA certificate, and thus consumes much less memory in the device during the initial SSL handshake.
SSL certificates can have a huge impact on memory in constrained edge nodes, so using a non-chained ECC certificate may be a requirement for a memory-constrained device. Most well-known CA services only sign RSA certificates; meanwhile, the free/low-cost CA providers typically sign certificates with an intermediate CA certificate that requires a chain of trust, thereby consuming even more memory in the device.
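The own-CA approach described in the excerpt above, as an added example (not taken from the article or from the Mako Server documentation): it uses the OpenSSL command line to create a private root and a directly signed, non-chained server certificate, once with P-256 keys and once with RSA-2048 keys, and compares the DER sizes a device would receive in the handshake. The host name `iot.example.test`, the CN values, key sizes and file names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: private CA + non-chained server certificate, ECC vs RSA.
# All names (CN values, iot.example.test, file names) are constructed.
set -eu

# make_pki DIR KIND   where KIND is "ec" (P-256) or "rsa" (2048-bit)
make_pki() {
    dir=$1; kind=$2
    mkdir -p "$dir"

    # Minimal config so the result does not depend on the system openssl.cnf.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Device Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:iot.example.test\n' \
        > "$dir/server.ext"

    # One key for the root, one for the server.
    for name in ca server; do
        if [ "$kind" = ec ]; then
            openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$name.key"
        else
            openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
        fi
    done

    # Self-signed root: the single trust anchor the device has to store.
    openssl req -x509 -new -config "$dir/ca.cnf" -key "$dir/ca.key" \
        -sha256 -days 3650 -out "$dir/ca.crt"

    # Server certificate signed directly by the root, so no intermediate
    # certificate has to be sent to (and parsed by) the device.
    openssl req -new -config "$dir/ca.cnf" -key "$dir/server.key" \
        -subj "/CN=iot.example.test" -out "$dir/server.csr"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$dir/server.ext" \
        -out "$dir/server.crt" 2>/dev/null
}

# Size in bytes of the certificate as it travels in the TLS handshake (DER).
der_size() {
    openssl x509 -in "$1" -outform DER | wc -c | tr -d ' '
}

# The device-side trust decision: accept the server certificate only if it
# verifies against the one pinned root certificate.
device_trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo run in a throwaway directory.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_pki "$work/ec" ec
make_pki "$work/rsa" rsa
echo "ECC server certificate: $(der_size "$work/ec/server.crt") bytes"
echo "RSA server certificate: $(der_size "$work/rsa/server.crt") bytes"
if device_trusts "$work/ec/ca.crt" "$work/ec/server.crt"; then
    echo "device pinned to the ECC root accepts the ECC server certificate"
fi
if ! device_trusts "$work/rsa/ca.crt" "$work/ec/server.crt"; then
    echo "a different root with the same name is rejected"
fi
```

Only `ca.crt` needs to be provisioned on the devices; both private keys stay on the machines that sign and serve.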
Tomi Engdahl says:
The IoT Sky is Falling: How Being Connected Makes Us Insecure
http://www.securityweek.com/iot-sky-falling-how-being-connected-makes-us-insecure
The first chunk of actual sky recently slammed into the ground with a resounding thud.
The security community has been actively telling the world that the Internet of Things (IoT) is ripe for compromise and exploitation. Unfortunately, the public has shoved aside these “Chicken Little” warnings in hopes of getting all of the promised gee-whiz technologies without the sky actually falling.
Fortunately, a combined research team from the University of Michigan and Microsoft recently performed in-depth analysis of an IoT home command center and brought the problems into the bright light of day. As sobering as their research results are, they took things a step farther by building four attacks based on their research. These attacks designed real exploits like creating a code for the automated front door lock, stealing a PIN to open other door locks, and disabling detectors and alarms.
The device at the center of the research is the Samsung SmartThings platform, which is a series of products and associated software that is tied together on a hub device. Samsung sells monitors, alarms, and other devices. There is also a community of products that are SmartThings-enabled ranging from door locks to light and fan switches to home weather systems. The community offers applications for the devices as well as mobile and Web apps to control the devices connected to the platform.
It’s software that makes an IoT or embedded device different. The device is, by definition, connected to the Internet. Software not designed and constructed to be secure will contain vulnerabilities that can be exploited to gain access to the device. Anything connected to the Internet can be discovered and potentially infiltrated, and the associated software will be the target.
The research notes that the majority of the vulnerabilities exist in the software of either the device or the software that controls the devices. This is exactly what the security community has feared. This pattern is repeating every time new technology is introduced without proper consideration for the basics of security. It happened when applications moved to the Web, and we dutifully took note of the lessons learned. But when mobile applications took off, we ignored those lessons and repeated the same mistakes. The pattern persisted when the Cloud emerged, and now we see proof that it is happening again with IoT.
When vulnerabilities are discovered in business applications, there are changes made to remediate the exploits and patches, or new releases are distributed to update the software. There are people in the business whose job it is to ensure that the devices in the business are kept updated to mitigate potential attacks.
In the IoT scenario, there may be software that isn’t programmed to protect against new and emerging threats. In order to manufacture devices at a competitive price point, manufacturers may not enable that capability (hardware/software) to update the software on the device. This leaves the consumer with the decision to scrap the vulnerable device or hope against an intrusion.
SmartThings Flaws Expose Smart Homes to Hacker Attacks
http://www.securityweek.com/smartthings-flaws-expose-smart-homes-hacker-attacks
Tomi Engdahl says:
Design and Build Secure IoT Solutions – Part 3
https://www.eeweb.com/company-blog/ibm/design-and-build-secure-iot-solutions-part-3/
IoT security has become the major challenge of developers nowadays. With the vast sensitive data being collected and exchanged along a network of smart devices in the cloud, it has been an attractive target for cybercriminals. Developers must address this issue seriously and incorporate a more reliable security feature into every IoT solution.
A key goal of security in a cloud-based IoT application is to ensure that unauthorized users do not access sensitive, private data that comes from the devices. The application also needs to prevent the sending of unauthorized commands to the devices. This article, part 3 in a 3 part series, describes the different approaches to securing web and mobile applications that deal with IoT device data. Part 1 and Part 2 outlined detailed approaches for securing devices and securing communication between devices and the network.
Tomi Engdahl says:
Securing Chips During Manufacturing
http://semiengineering.com/securing-chips-during-manufacturing/
Can directed electron writing change the security equation?
Lam: About three years ago we were working with some customers that were troubled by the counterfeiting problem. We became aware of that sense of urgency throughout business and government. We were doing CEBL (complementary e-beam lithography) at the time, and we still do that. And in the process we figured out a way to insert chip ID during production, with very little effort or additional time or cost. So that became part of the capability of our offering.
SE: And where does that fit into everything?
Lam: The IoT became very visible in the past 18 months. If you think about it, the attack surface is huge. Every Internet connecting point to the IoT could be a potential open door for cyber attacks. So we continued to work on it beyond chip ID.
Most IoT devices rolling out are not using advanced nodes, but at about 50 nanometers.
The key distinction here is that the directed electron writing (DEW) technology is not lithography. It’s security. The foundry, working with its customers, decides at which layer it wants to insert that information and what you want to insert. Then the DEW writer will follow the security database to determine what information to embed. A wafer will then go through one round of etching, and then back to the production line and finish.
SE: How much space are we talking about?
Lam: Very little. You’re talking about the chip ID, which is a number, a MAC or IP address, and privacy key encryption. The encryption key is the most important thing for secure authentication.
SE: This cannot be done later?
Lam: Today, it is done after the device is finished, using lasers or electrical methods to burn fuses to write security information on a chip. But there are flaws in this approach. Most of these fusing operations are outsourced. The secret information you create is exposed, and the security is compromised. Second, it can be changed by someone who is determined to change
SE: If someone gets a batch of chips, how do they know it’s not counterfeit if you can’t see the number?
Lam: At the test phase you can confirm it all. The chip ID can be read and you can interact with the MAC address. But you can’t change these IDs.
If you look at an IoT device, it has a microcontroller with very little memory and very few system resources. There is no security software to fend off a cyber intrusion. But we can insert something to make it safer. The ID that enables anti-tampering and supply chain anti-counterfeiting is very valuable, but the encryption adds another level of security.
SE: How does this compare with software security?
Lam: It complements software security and enhances cyber defense. In a car there may be as much as 100 million lines of code.
Tomi Engdahl says:
How IoT is Making Security Imperative for All Embedded Software
http://www.techonline.com/electrical-engineers/education-training/tech-papers/4442325/How-IoT-is-Making-Security-Imperative-for-All-Embedded-Software=NL_TOL_Edit_Subs_20160713_TechnicalPaper
Many IoT products lack proper security due to outdated software development practices. Hackers and criminals are acutely aware that many of the security procedures and applications in use today were designed to defend against attacks in the PC era—not current IoT threat vectors. Security isn’t a product “add-on” or feature; it must be built in. Learn about the unique challenges of securing embedded applications and how to deploy processes and tools to deliver more secure products faster.
Tomi Engdahl says:
Monitoring Side-Channel Signals Could Detect Malicious Software on IoT Devices
http://www.rh.gatech.edu/news/556931/monitoring-side-channel-signals-could-detect-malicious-software-iot-devices
A $9.4 million grant from the Defense Advanced Research Projects Agency (DARPA) could lead to development of a new technique for wirelessly monitoring Internet of Things (IoT) devices for malicious software – without affecting the operation of the ubiquitous but low-power equipment.
The technique will rely on receiving and analyzing side-channel signals, electromagnetic emissions that are produced unintentionally by the electronic devices as they execute programs. These signals are produced by semiconductors, capacitors, power supplies and other components, and can currently be measured up to a half-meter away from operating IoT devices.
By comparing these unintended side-channel emissions to a database of what the devices should be doing when they are operating normally, researchers can tell if malicious software has been installed.
Tomi Engdahl says:
Building the IoT: connectivity and security
http://www.edn.com/electronics-blogs/eye-on-iot-/4442411/2/Building-the-IoT—connectivity-and-security
Securing the IoT
The existing internet architecture compounds another impediment to IoT growth: security. Not a single day goes by that I don’t read an article about IoT security requirements. The industry is still analyzing what it means. We understand IT security, but IT is just a part of the IoT. The IoT brings new challenges, especially in terms of networking architecture and device variety.
For example, recent studies are demonstrating that device-to-device interaction complexity doesn’t scale when we include security. With a highly diverse vendor community, it is clear the IoT requires interoperability. We also understand that device trust, which includes device authentication and attestation, is essential to securing the IoT. But device manufacturer-issued attestation keys compromise user privacy. Proprietary solutions may exist for third-party attestation, but again, they do not scale. Security in an IoT system must start with the end-device. The device must have an immutable identity.
Unfortunately, today this situation does not have an answer. Some chip vendors do have solutions for it. However, they are proprietary solutions, which means the software running on the device must be customized for each silicon vendor.
Security in a closed proprietary system is achievable, especially as the attack surface is smaller. As soon as we open the systems to public networking technologies, however, and are looking at the exponential gain of data correlation from multiple sources, security becomes a combinatory problem that will not soon be solved. With semantic interoperability and application layer protocol interoperability required to exchange data between systems, translation gateways introduce trusted third parties and new/different data model/serialization formats that further complicate the combined systems’ complexity.
The IT realm has had the benefit of running on Intel or similar architectures, and having Windows or Linux as the main operating system. In the embedded realm there is no such thing as a common architecture
Fortunately, the technology community has identified several IoT design patterns. A design pattern is a general reusable solution to a commonly occurring problem
These IoT design patterns are described in IETF RFC 7452 and in a recent Internet Society IoT white paper. In general, we recognize five classes of patterns:
Device-to-Device
Device-to-Cloud
Gateway
Back-end Data Portability
IP-based Device-to-Device
Security solutions for each of these design patterns are under development. But considerable work remains.
Finally, all of this work leads to data privacy, which, unfortunately, is not only a technical question, but also a legal one. Who owns the data, and what can the owner do with it? Can it be sold? Can it be made public?
As you can see, there are years of work ahead of us before we can provide solutions to these security questions. But the questions are being asked and, according to the saying, asking the question is already 50% of the answer!
My goal here is not to discourage anyone from developing and deploying an IoT system—quite the contrary, in fact. The building blocks to develop IoT systems exist. These blocks may be too expensive, too bulky, may not achieve an acceptable performance level, and may not be secured, but they exist.
Our position today is similar to that at the beginning of the automobile era. The first cars did not move that fast, and had myriad security issues! A century later, we are contemplating the advent of the self-driving car. For IoT, it will not take a century. As noted before, Gartner believes IoT will take five to ten years to reach mainstream adoption.
Tomi Engdahl says:
75 Percent of Bluetooth Smart Locks Can Be Hacked
https://it.slashdot.org/story/16/08/08/1724246/75-percent-of-bluetooth-smart-locks-can-be-hacked
It turns out, the majority of Bluetooth smart locks you see on the market can easily be hacked and opened by unauthorized users. The news comes from DEF CON hacker conference in Las Vegas, where security researchers revealed the vulnerability, adding that concerned OEMs are doing little to nothing to patch the hole. Tom’s Guide reports:
75 Percent of Bluetooth Smart Locks Can Be Hacked
http://www.tomsguide.com/us/bluetooth-lock-hacks-defcon2016,news-23129.html
LAS VEGAS — Many Bluetooth Low Energy smart locks can be hacked and opened by unauthorized users, but their manufacturers seem to want to do nothing about it, a security researcher said yesterday (Aug. 6) at the DEF CON hacker conference here.
Researcher Anthony Rose, an electrical engineer, said that of 16 Bluetooth smart locks he and fellow researcher Ben Ramsey had tested, 12 locks opened when wirelessly attacked. The locks — including models made by Quicklock, iBlulock, Plantraco, Ceomate, Elecycle, Vians, Okidokey and Mesh Motion — had security vulnerabilities that ranged from ridiculously easy to moderately difficult to exploit.
“We figured we’d find vulnerabilities in Bluetooth Low Energy locks, then contact the vendors. It turned out that the vendors actually don’t care,” Rose said. “We contacted 12 vendors. Only one responded, and they said, ‘We know it’s a problem, but we’re not gonna fix it.’”
The problems didn’t lie with the Bluetooth Low Energy protocol itself, Rose said, but in the way the locks implemented Bluetooth communications, or with a lock’s companion smartphone app. Four locks, for example, transmitted their user passwords in plaintext to smartphones, making it easy for anyone with a $100 Bluetooth sniffer to pluck the passwords out of thin air.
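The plaintext-password flaw described above, set beside a challenge-response unlock, as an added example that is not part of the quoted article or any vendor's code. The class names, the "unlock" message label and the 32-byte per-lock key shared at pairing are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class PlaintextLock:
    """Flawed design: the app sends the user password over the air as-is."""

    def __init__(self, password: bytes):
        self._password = password

    def handle_unlock(self, frame: bytes) -> bool:
        # The frame IS the secret, so any copy of it stays valid indefinitely.
        return hmac.compare_digest(frame, self._password)


class ChallengeResponseLock:
    """Hardened design: the secret key never crosses the radio link."""

    def __init__(self, key: bytes):
        self._key = key  # hypothetical 32-byte random key set at pairing
        self._pending: Optional[bytes] = None  # the one outstanding nonce

    def new_challenge(self) -> bytes:
        # A fresh random nonce per attempt binds each answer to one session.
        self._pending = secrets.token_bytes(16)
        return self._pending

    def handle_unlock(self, tag: bytes) -> bool:
        # Consume the nonce whether or not the check passes (single use).
        nonce, self._pending = self._pending, None
        if nonce is None:
            return False
        expected = hmac.new(self._key, b"unlock" + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)


def app_response(key: bytes, nonce: bytes) -> bytes:
    """What the phone app sends back: a MAC over the lock's nonce."""
    return hmac.new(key, b"unlock" + nonce, hashlib.sha256).digest()


def demo() -> dict:
    results = {}

    # Plaintext scheme: the on-air frame equals the password (constructed value).
    weak = PlaintextLock(b"constructed-password")
    on_air = b"constructed-password"
    results["plaintext_legit"] = weak.handle_unlock(on_air)
    # Anyone who recorded the frame can resend it later and it still works.
    results["plaintext_replay"] = weak.handle_unlock(on_air)

    # Challenge-response: only the nonce and the MAC tag are on the air.
    key = secrets.token_bytes(32)
    strong = ChallengeResponseLock(key)
    nonce = strong.new_challenge()
    tag = app_response(key, nonce)
    results["cr_legit"] = strong.handle_unlock(tag)

    # The recorded tag is useless against the next, different nonce...
    strong.new_challenge()
    results["cr_replay"] = strong.handle_unlock(tag)
    # ...and is rejected outright when no challenge is outstanding.
    results["cr_no_challenge"] = strong.handle_unlock(tag)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'opens' if ok else 'stays locked'}")
```

The key has to be high-entropy: a MAC keyed with a short user password can still be guessed offline from one recorded nonce and tag.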
Tomi Engdahl says:
Connected Devices Need E-commerce Standard Security say Cyber Security Experts
http://businesswireindia.com/news/news-details/connected-devices-need-e-commerce-standard-security-say-cyber-security-experts/49447
Billions of connected devices are potentially at risk unless security sensitive software can be managed to an e-commerce standard, according to a group of leading technology security experts.
The companies, including ARM, Intercede, Solacia and Symantec worked together to assess the security challenges of connecting billions of devices across multiple sectors; including industrial, home, health services and transportation. Their conclusion was that any system could be compromised unless a system-level root of trust was established.
To deal with the risk, the companies collaborated on the Open Trust Protocol (OTrP) to combine a secure architecture with trusted code management, using technologies proven in large scale banking and sensitive data applications on mass-market devices such as smartphones and tablets.
“In an internet-connected world, it is imperative to establish trust between all devices and service providers,” said Marc Canel, vice president of security systems, ARM. “Operators need to trust devices their systems interact with and OTrP achieves this in a simple way. It brings e-commerce trust architectures together with a high-level protocol that can be easily integrated with any existing platform.”
The threat
Symantec estimates that one million internet attacks were carried out every day during 2015. The Internet of Things (IoT) expands the attack surface and according to Gartner, the analyst firm, security is now the number one priority when building any connected product.
OTrP in more detail
OTrP is a high-level management protocol that works with security solutions such as ARM® TrustZone®-based Trusted Execution Environments that are designed to protect mobile computing devices from malicious attack. The protocol is available for download from the IETF website today for prototyping and testing.
The protocol paves the way for an open interoperable standard to enable the management of trusted software without the need for a centralized database by reusing the established security architecture of e-commerce. The management protocol is used with Public Key Infrastructure (PKI) and Certificate Authority-based trust architectures, enabling service providers, app developers and OEMs to use their own keys to authenticate and manage trusted software and assets. OTrP is a high level and simple protocol that can be easily added to existing Trusted Execution Environments or to microcontroller-based platforms capable of RSA cryptography.
OTrP is available as an IETF informational and it is planned that it will be further developed by a standards defining organization that can encourage its mass adoption as an interoperable standard.
“The chain of trust for connected services must be based on strong digital identities for people and devices to ensure the integrity of data and applications in an open and interoperable way,” said Lubna Dajani, OTPA Secretary and Futurist. “The release of OTrP is a significant step forward and it will enable the industry to operate more efficiently by collaborating on the basics and only competing where individual value can be added.”
“Posting OTrP as an IETF informational for public review is an important step in providing universal digital trust from silicon to services for mobile and IoT connected devices,” said Richard Parris, CEO of digital trust specialists, Intercede. “It provides network operators and app developers the control they need over their selection of hardware security module and cryptographic key provider for reasons of interoperability, policy and cost while maintaining a common management platform across mixed fleets of devices.”
Tomi Engdahl says:
Simplifying Security for Developers: 5 New Rules for Success
http://www.techonline.com/electrical-engineers/education-training/tech-papers/4442459/Simplifying-Security-for-Developers-5-New-Rules-for-Success
http://www.techonline.com/asset/download/4442459/tech-papers-download
In order to take advantage of the latest digital business models, organizations need security that remains with their data and protects it no matter where it goes. Security needs to be transparent in solutions, without impacting the user experience. Organizations and developers need to define a resilient security architecture and deploy data-centric security technologies that support agility, speed, cost-effectiveness, and innovation in a highly connected world. For developers of mobile, Cloud or IoT applications, finding the right strategy is not always easy.
Digital Innovation Requires Rethinking Security
Connected digital services and applications are central to business success today. From Internet of Things (IoT) solutions to mobile apps and Cloud offerings, the trend is toward more data, more access, and more connectivity. Developers are now tasked with not only bringing these solutions to market rapidly, but must also ensure that appropriate security and data protection measures are implemented from the beginning – no business can afford the high costs of data theft.
The 5 Rules Developers Must Follow
Clearly, to take advantage of the latest digital business models, organizations need security that can remain with their data and protects the data no matter where it goes. Security needs to be transparent to applications and users, and it cannot impact the user experience. Security must scale to the new business models, and it must be financially viable – a tall order for legacy security solutions. In other words, organizations and developers need to define a resilient security architecture and deploy data-centric security technologies that support agility, speed, cost-effectiveness, and innovation in a highly connected world.
For developers of enterprise applications, Cloud, or IoT solutions, finding the right strategy is not always obvious or easy. Organizations are challenged to choose a way forward that:
Meets not only present requirements, but potentially unknown future requirements
Supports next-generation security capabilities compatible with innovation initiatives such as IoT and Cloud analytics
Delivers high performance for transaction-intensive workloads
Can protect all types of data, in motion and at rest, even if the perimeter defenses are breached
Is affordable, manageable, and reasonably easy to deploy
Allows the company to get to market more rapidly than the competition without forwarding risk to customers or end-users
1) Understand Time to Market is Everything
Do not fall prey to the “rush to release” phenomenon that can impair your ability to mitigate the risks associated with poorly secured application data or ignore security until well after release to market. Unfortunately, the norm for releasing mobile apps is that customer needs often outweigh security measures and security is seen as difficult.
2) Focus on the Data
Developers normally focus on the cleanliness of the software – code that cannot be compromised or have malware injected to the application to stop your service in its tracks. Hackers can turn to code modification or reverse engineering methods to inject malicious code or expose sensitive information such as keys for broader exploitation. “Hardening” the application from such threats is important but it’s only part of the puzzle. The real focus should be on protecting the most valuable piece in the equation – the data flowing through your application before it’s active and in-market with thousands or millions of users.
When a data breach occurs, no one will remember if the developer delivered clean code. The only thing that really matters is if the data were exfiltrated by hackers and the impact to the business.
3) Weigh Buy Vs. Build Security Options
Fundamentally, enterprises, application developers, or IoT providers developing modern apps and services have two main routes they can choose for security: 1) they can assemble security functionality themselves with open source pieces, or 2) they can invest in a private enterprise-level security solution that is supported, tested, and proven. Both choices have pros and cons, but not securing the application is no longer an option.
However, in many other regards, cobbling together a security solution for your application consisting of multiple appliances, services, and software packages from a variety of open source tools and vendors may not be the best choice.
Point solutions sometimes have difficulty sharing data with one another, leading to a fragmented view of security and limitations on threat detection.
And, the added complexity creates friction in the drive towards innovation. New apps and services must be made compatible with an array of specialized technologies, each having their own APIs, policies, and requirements.
With internal security expertise becoming increasingly scarce and expensive, dedicating resources to creating capabilities that already exist in the marketplace may not be the best option. The organization might also be taking focus away from more strategic work, slowing time-to-market.
With a quality security partner, that aspect of development is taken care of—upgrades and vulnerability fixes are handled by the vendor rather than becoming part of the burden on internal IT and development resources.
4) Bet on a Platform and a Partner, Not a Toolbox
For many organizations, a better approach to secure the data of their enterprise, IoT, or Cloud-based offering is to select an overall security platform especially built to meet modern requirements for performance, manageability, and robustness. Technology available today provides end-to-end data lifecycle protection—for data at rest and in motion, on servers, desktops, mobile devices, and the Cloud. Such a partner can be an invaluable asset in the quest to gain a competitive edge through technology.
A data protection partner providing a holistic solution should meet certain criteria.
5) Understand the Simpler, Smarter Security Choice
When you replace Open Source SSL/TLS with CENTRI, your application will never transmit a single byte in the clear. This means there are no vectors for compromise and no possibility of ‘man-in-the-middle’ attacks. CENTRI not only encrypts all traffic using advanced encryption technology with no known vulnerabilities, it also compresses and optimizes all traffic, in a single pass
Conclusion
Developers and security architects have a critical choice to make when securing the data with their next application – use legacy methods and open source tools that have known vulnerabilities and can increase risk, or apply a modern solution designed to protect data throughout mobile, Cloud, and IoT environments. The five rules of getting to market faster, focusing on the data, weighing buy versus build options, betting on a platform and a partner – and understanding the CENTRI way to securing your data can help developers to launch innovations with better preparedness, reduce time to market and, most importantly, lower risk of data exfiltration.
Tomi Engdahl says:
Is Security A Priority?
http://semiengineering.com/is-security-a-priority/
In safety critical industries, systems vendors are demanding security. In others, it’s still a risk-benefit equation.
Ask any two executives in the semiconductor industry about security threats and there is a good chance you will get two totally different answers. The disturbing part is they both may be right.
In markets where there is no physical danger to people, security always has been viewed as a risk versus profit equation. At conferences over the past year, numerous executives have touted the Transport Layer Security (TLS) as a sufficient safeguard, for example, despite the fact that it has done little to stem the rising number of breaches in markets where it was deployed.
Where lives are at stake, such as the automotive, medical and aerospace markets, attitudes about security are different. From initial architecture through manufacturing and into post-silicon testing, supply chain tracking, and over-the-air updates, security is being taken very seriously.
Adhering to industry best practices always has been a good legal defense. But with breaches involving connected, driver-assisted vehicles, there is no legal precedent. And with an estimated 60 million new cars sold each year, all of them using varying levels of connectivity using technology that is still evolving, risk is significantly higher. Also at issue is damage to a corporation’s image, such as the controversial hack of a Jeep. In light of that, chipmakers and IP vendors say Tier-one and Tier-two automotive suppliers are very focused on improving security and reliability of software and hardware components, as well as internally and externally developed IP blocks that contain both.
“There are hundreds of electronic control units spread through the car, 100 million or more lines of software code, security issues, infotainment, driver assist,”
“The challenge with security is that it is not just a part in a solution,” said Mike Eftimakis, IoT product manager at ARM. “You need to build in trust at every step. And with a divide-and-conquer approach to design, it’s necessary to include lifecycle security. You cannot avoid attacks, and the risk of intruders is increasing. So you need to add control into a device to check what is happening, and you need to be able to program it and restart it from a good base. We call this a chain of trust, and it cannot be impacted by tampering. This is the element used to refresh or reprogram a device. You also need to be able to disconnect a device if that control cannot be recovered.”
Eftimakis said that TLS is simply one protocol in a security stack, which by itself is insufficient. “TLS deals with the communication between devices, but there are other types of security that need to be considered. Complex systems are running many different types of software that are not controlled. The complexity of a device may not be high or the software may be a small part of the whole solution. But what’s clear is that security is not an option for any device. Everyone will require security. It is not a differentiator anymore.”
Vulnerability points
In the past, hardware was assumed to be far less vulnerable to hacking than software. While there was always a risk in certain markets, that risk was generally well understood. “I remember a large company that had acquired a small pacemaker company,” said Aart de Geus, chairman and co-CEO of Synopsys. “They divested it because the large company could not take the insurance risk of the pacemaker killing someone.”
“If the keys leak, security is compromised,” said Asaf Ashkenazi, senior director of product management in Rambus’ Security Division. “If you can crack into a key, you can replace the software and remotely control a device.”
“Sometimes people forget about how a key gets into a device. The provisioning part can be complicated to do securely. There are a lot of devices manufactured in environments that are not secured. It also can be extremely expensive. And sometimes it doesn’t work well. So you may try to hide a key, but once someone gets a hold of that then all the keys are compromised.”
Storing the keys adds its own set of issues. Typically they are stored in memory, which is subject to side-channel attacks or direct attacks in which the package is physically ground down and probes inserted. “No one solution protects against everything,” said Ashkenazi.
Memory IP vendors are well aware of this.
Marvell CTO Zining Wu agrees, noting the problem in many cases is approaching security differently within a design. “Security is one of the most important elements in design, but this is a process change for many people. The technology is already there. You have to make sure a key is secure and in a secure position and that no software or hardware touches it.”
Wu noted that a “chain of trust” handshake needs to be implemented, but he said much of this already has been created on the computer side. The challenge now is getting people to use it correctly.
Moving targets
Adopting this kind of restrictive design is new to most industries outside of defense. But as more markets transect each other with the Internet of Things, the risk equation can change very quickly.
“Even if we have a methodology that truly should capture all security issues, after a product is shipped a new hack may be discovered,” said Synopsys’ de Geus. “We have a capability today that allows us to help our customers find the fingerprint of open source software in binary code. There is a registry of open source software with the vulnerabilities, which is updated all the time. If you are diligent and ship your product and then a new one is discovered, we can inform you. Do you want to know? Do you want your customer to know? These are moving targets. That will bring about a set of interesting challenges of how we deal with it.”
On top of that, much of this technology is new.
“It’s a learning experience,” said Lip-Bu Tan, president and CEO of Cadence. “We’re learning with our tier one customers. There are a lot of new problems they’ve never had to deal with before. There is more processing and machine learning and intelligence.”
Conclusion
Technology companies are still trying to comprehend the impact of pervasive and continuous connectivity on increasingly complex technology. Standards are insufficient, not everyone is playing in the same sandbox with equal regard to security, and there are rising concerns that a failure by one company can inadvertently affect another in far more profound ways than in the past.
Tomi Engdahl says:
How IoT companies can beef up their data security
http://thenextweb.com/entrepreneur/2016/08/15/how-iot-companies-can-beef-up-their-data-security/
With high-profile data breaches all over the news, cybersecurity is on everyone’s mind. But beyond educating staff and users alike on best practices, what can Internet of Things companies do to improve their data security practices as they rush to ship products out the door?
To find out, I asked 10 entrepreneurs from YEC
Tomi Engdahl says:
Asking the Security Question of Home Automation
http://hackaday.com/2016/08/18/asking-the-security-question-of-home-automation/
“Security” is the proverbial dead horse we all like to beat when it comes to technology. This is of course not unjust — we live in a technological society built with a mindset of “security last”. There’s always one reason or another proffered for this: companies need to fail fast and will handle security once a product proves viable, end users will have a harder time with setup and use if systems are secured or encrypted, and governments/law enforcement don’t want criminals hiding behind strongly secured systems.
This is an argument I don’t want to get bogged down in. For this discussion let’s all agree on this starting point for the conversation: any system that manages something of value needs some type of security and the question becomes how much security makes sense? As the title suggests, the technology du jour is home automation. When you do manage to connect your thermostat to your door locks, lights, window shades, refrigerator, and toilet, what type of security needs to be part of the plan?
I am the Keymaster. Are You the Gatekeeper?
Security from the wider world is what comes to most people’s minds when talking about tech. Is there a risk that someone can open your garage door, turn off your furnace, or watch a video feed of your infant? I feel like this is a solved problem: every home should have a properly secured router for their LAN — the same holds true for Home Automation. It should be a walled garden.
If you’re with me on that thought, this becomes a standards issue. WiFi devices work across different hardware and throughout the world, offering both reliable connections and robust security. But as we heard in a lot of the comments in the last article, WiFi isn’t really ideal for Home Automation so other protocols like Bluetooth and Z-Wave have been tapped.
Software defined radio has become affordable and easy — you would think we can figure out a specification that adds a home automation router in between your walled garden and your Internet router that leverages SDR to speak to all devices. But who will do this work (the IEEE was name-dropped last time) and what will drive adoption within industry?
Does Your Lightbulb Need Encryption?
There’s nothing quite like a simple light bulb to underline how sticky this topic is. Elliot Williams and I have been discussing home automation security off and on for a few months now and coming back to the same question. If you have your system protected from the wider Internet, do you need to have every device encrypted?
First off, WiFi and Z-Wave already have encryption built into the specification.
But does that bulb really need to be encrypted? What if your lightbulb is on 433 MHz and only listens for on and off commands from a hub? How secure does this need to be?
I’m of the opinion that critical automation tasks should never be possible to actuate remotely. For instance, you should be able to shut off your stove remotely, but not turn it on. You should be able to set your furnace to a reasonable temperature or to vacation mode remotely but not turn it off. I
The Weakest Link
The final concern I’d like to hear from you about is a weakest-link issue. If we build our walled garden to protect our devices from the big-bad Internet, do we open up a local attack vector for our entire system? Can you sit at the curb, spoof my light bulb, and make it to the sensitive documents on my server thanks to Home Automation devices being trusted on the LAN?
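The rule stated in this comment (a stove may be shut off remotely but not turned on; a furnace may be set to a reasonable temperature or vacation mode remotely but not turned off) can be enforced at the hub as a default-deny check. The sketch below is an added example, not code from the Hackaday article; the device and action names, the "panel" transport label and the 12 to 24 °C band standing in for "reasonable" are all assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Command:
    device: str
    action: str
    value: Optional[float] = None


# Every action a device understands (hypothetical names).
KNOWN_ACTIONS = {
    "stove": {"on", "off"},
    "furnace": {"on", "off", "set_temp", "vacation"},
}

# Only actions that move toward the safe state are reachable remotely.
# Each entry maps to a validator for the command's value.
REMOTE_RULES: Dict[Tuple[str, str], Callable[[Optional[float]], bool]] = {
    ("stove", "off"): lambda v: v is None,
    ("furnace", "vacation"): lambda v: v is None,
    # Assumed band; a NaN value fails both comparisons and is rejected.
    ("furnace", "set_temp"): lambda v: v is not None and 12.0 <= v <= 24.0,
}


def authorize(cmd: Command, transport: str) -> Tuple[bool, str]:
    """Decide whether the hub may actuate cmd.

    transport is the interface the hub received the command on, recorded
    by the hub itself. It is never taken from a field inside the message,
    because a remote sender could simply claim to be local.
    """
    if cmd.action not in KNOWN_ACTIONS.get(cmd.device, ()):
        return False, "unknown device or action"
    if transport == "panel":  # physical, in-home control
        return True, "local control"
    # Anything that did not arrive on the panel is treated as remote.
    rule = REMOTE_RULES.get((cmd.device, cmd.action))
    if rule is None:
        return False, "not remotely actuatable"
    if not rule(cmd.value):
        return False, "value outside remote limits"
    return True, "remote action toward safe state"


if __name__ == "__main__":
    # Constructed sample commands.
    samples = [
        (Command("stove", "off"), "cloud"),
        (Command("stove", "on"), "cloud"),
        (Command("furnace", "off"), "cloud"),
        (Command("furnace", "set_temp", 21.0), "cloud"),
        (Command("furnace", "set_temp", 35.0), "cloud"),
        (Command("stove", "on"), "panel"),
    ]
    for cmd, transport in samples:
        print(cmd, transport, authorize(cmd, transport))
```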
Tomi Engdahl says:
Single-Chip Security for IoT Devices Connected to Amazon Cloud
http://www.eetimes.com/author.asp?section_id=36&doc_id=1330324&
Amazon has teamed with Microchip to create a seamless solution in the form of the ECC508A crypto-companion chip.
The Internet of Things (IoT) has the potential to change the world, but only if it’s secure. Securing the IoT is currently one of the greatest challenges for the creators of IoT devices and the providers of cloud services.
Amazon is one of the major cloud players with its Amazon Web Services (AWS). The folks at Amazon have stepped up to the plate by adopting a mutual authentication security model that requires a unique identifier (digital certificate) for every device that connects into the cloud. This includes an industry-first called the Just in Time Registration (JITR) certificate registration process.
Single-chip end-to-end security for IoT devices connected to the Amazon cloud
http://www.embedded.com/electronics-blogs/max-unleashed-and-unfettered/4442574/Single-chip-end-to-end-security-for-IoT-devices-connected-to-Amazon-cloud
Tomi Engdahl says:
Industrial Cybersecurity Firm CyberX Raises $9 Million
http://www.securityweek.com/industrial-cybersecurity-firm-cyberx-raises-9-million
Industrial cybersecurity startup CyberX announced today that it has raised $9 million in new funding to help expand its business and solutions designed to protect the Industrial IoT.
Founded in 2013 by Omer Schneider and Nir Giller, CyberX offers a platform that continuously monitors networks and collects real-time data to help detect abnormal or potentially malicious activity.
Dubbed XSense, the platform was developed to easily connect to an existing setup and act as an invisible layer that models operational technology (OT) networks using what it calls “Industrial Finite State Machine (IFSM) technology.”
The company’s technology is already being used by dozens of enterprises across a range of industries, including energy, oil and gas, transportation, manufacturing and pharmaceuticals, the company told SecurityWeek.
“Using our dedicated Industrial IoT detection technology, IFSM, we have discovered multiple attacks, as well as critical zero-day vulnerabilities in industrial equipment,” said Nir Giller, CTO & Co-founder of CyberX.
Tomi Engdahl says:
Will Hypervisors Protect Us?
http://semiengineering.com/can-hypervisors-protect-us/
They may not be a silver bullet, but they are a good first step when it comes to securing cars and the Internet of Things. Problems start when people believe the job is complete.
Another day, another car hacked and another report of a data breach. The lack of security built into electronic systems has made them a playground for the criminal world, and the industry must start becoming more responsive by adding increasingly sophisticated layers of protection. In this, the first of a two-part series, Semiconductor Engineering examines how hypervisors are entering the embedded world.
“In the past, if I wanted to have separate tasks running, I would probably design it so that I would have one on the left, one on the right, each running on different processor subsystems and the two would never touch. I would pipeline data from one to the other. They were inherently separated except for the information that they shared. The move to modern hardware, where you have multi-core processors or a farm of machines, means that everything is connected. And yet, you still want to be sure that they do not touch each other – that the jobs don’t infringe upon each other.”
It is the role of the hypervisor to achieve exactly that separation. Its main function is to create and manage virtual machines where the software believes it is running on its own dedicated machine. It is completely unaware of other software that may be running in another virtual machine, even though both are running on the same hardware.
Virtualization has become a staple in the data center and provides many advantages, such as CPU consolidation, fault tolerance and job isolation. But deeply embedded systems are not as regular as server farms and the priorities are different. Embedded systems tend to be heterogeneous and contain different memory architectures. In addition they contain multiple types of processing engines, including CPUs, GPUs and possibly FPGAs.
Hypervisors have seen adoption where the need is the most critical. “The usage of hypervisors is a trend but not a revolution,” says Vicent Brocal, general manager for FentISS. “We have been working with aircraft manufacturers and hypervisors are a key technology for them. The technology has gone through a natural evolution. It is an enabling technology. It provides an opportunity to different sectors in the industry, and most recently in automotive where they are looking to see how it could be applied to their specific needs.”
It is security that is changing the game. “The hypervisor market was primarily for factory automation or automotive markets,”
Control systems are often implemented using a real time operating system (RTOS), but then they want to run graphics rich content on top of Linux or Android. Factory automation was similar, where there is real time control and either Windows or Linux on top of that. In automotive, they want to separate the infotainment from the control systems. The hypervisor can do that.”
But there are other important changes. “Most embedded systems are connected,” points out Majid Bemanian, director of segment marketing for Imagination Technologies. “The majority also have third-party applications running on them as well. With this kind of complexity, most of the players are concerned about how to protect themselves from all sorts of challenges.”
Mixed OSes
A common characteristic of embedded systems that run hypervisors is the combination of a real time function and the need to run a legacy stack of software that is available within a specific operating environment. This has to be done in a safe and productive manner. “Many times, the critical components are real time and have strict timing constraints,” says FentISS’ Brocal. “In the hypervisor, we have a fixed allocation of resources so we can guarantee that the application has the appropriate allocation of CPU processing and other less critical functions that may be running within a Linux environment.”
“If you take a CPU that does not provide a lot of support for the hypervisor, then you will see an overhead around 10% to 15%, but that will drop to less than 1% to 2% with hardware support, depending on workload. In terms of silicon impact, it is noise level. We are talking about a hundred thousand gates in millions of gates.”
Hardware support
None of this can happen without some hardware support. “If hardware support is not provided, the overhead of a hypervisor becomes quite large and in general it just doesn’t make sense,” says Egawa. “Hardware virtualization, trust zone, or several other ideas that are coming up, each accelerate hypervisor performance. We only use 1% of the CPU performance. The target is not only the big CPUs but the IoT market and that requires the usage of microcontrollers. These have very limited memory, so we have to make the hypervisor small and compact.”
Tomi Engdahl says:
Researchers propose two-part chips for security
http://www.analog-eetimes.com/news/researchers-propose-two-part-chips-security
A team of US-based researchers is proposing an answer to problems of hardware security for chips that have to be sent through a supply chain for manufacturing.
Siddharth Garg, an assistant professor of electrical and computer engineering at the NYU Tandon School of Engineering, and fellow researchers are proposing that chips include an embedded module designed to verify the correctness of a given IC and that a second verification processor is used to check the correctness of the embedded module.
The verification processor would be made by a trusted foundry and be the root of trust for the primary IC.
“Employing an external verification unit made by a trusted fabricator means that I can go to an untrusted foundry to produce a chip that has not only the circuitry-performing computations, but also a module that presents proofs of correctness,” said Garg, in a statement.
Tomi Engdahl says:
Huawei: The global cyber security challenge
http://www.analog-eetimes.com/Learning-center/huawei-global-cyber-security-challenge
This white paper, the fourth in a series on cyber security stretching back to 2012, focuses on supply-chain and product lifecycle risk. It looks at the NIST Framework as a tool that can help an organization to understand their risk level and chart a path toward a more appropriate and sustainable risk environment and state of preparedness. It also looks at Huawei’s own approach to cyber security and the need to be part of open groups and alliances that can address security infrastructure in a coordinated manner and to work with trusted partners.
Tomi Engdahl says:
How IoT is Making Security Imperative for All Embedded Software
http://www.techonline.com/electrical-engineers/education-training/tech-papers/4442325/How-IoT-is-Making-Security-Imperative-for-All-Embedded-Software=NL_TOL_Edit_Subs_20160907_TechnicalPaper
Many IoT products lack proper security due to outdated software development practices. Hackers and criminals are acutely aware that many of the security procedures and applications in use today were designed to defend against attacks in the PC era—not current IoT threat vectors. Security isn’t a product “add-on” or feature; it must be built in.
Tomi Engdahl says:
Zombie-proof your IoT design
http://www.edn.com/electronics-blogs/eye-on-iot-/4442673/Zombie-proof-your-IoT-design?_mc=NL_EDN_EDT_EDN_today_20160913&cid=NL_EDN_EDT_EDN_today_20160913&elqTrackId=8c7e2111ba6b4537b6384b308c0bcee5&elq=45c9648aa602409c8f2fef230e54a088&elqaid=33840&elqat=1&elqCampaignId=29576
When asked about security features, many IoT device developers still express reluctance to implement protections. “There’s nothing hackers would want from this device,” many rationalize. But without cyber-security, your device risks being forced to join a zombie army known as a botnet.
In case you have not heard of them, botnets are collections of connected devices that are running malware allowing an external party to use them without the owner’s awareness. In particular, the abuser can make these connected devices accept and relay messages via their Internet connection. As the device user never sees these messages (they target a fourth party), this hijacking operation can go unnoticed indefinitely.
While an individual device may not be particularly interesting to an abuser (aka, a bot-herder), an army of them can be very useful. Two of the most common uses for a botnet are distributed denial-of-service (DDoS) attacks and dissemination of spam emails.
Traditional botnet recruits are insecure home network routers and personal computers. But with rising numbers of IoT devices in deployment, many of them with little to no security, the bot-herders are beginning to change their conscription targets. A recent survey reported in Dark Reading found a botnet based on the BASHLITE malware family with more than one million zombies, 96% of which were IoT devices.
Without increases in security for next-generation IoT designs, such zombie armies can only be expected to grow.
The problem, as many developers exclaim, is that “Security’s too expensive!” It’s true that many of the traditional security processes and algorithms require many more compute resources than small IoT devices can provide. Further, these processes and algorithms don’t scale down effectively to match resource constraints. But if adding security into a design seems expensive, consider the cost of not having it. Companies have already had their products tank and their reputations shredded, and sometimes been forced into million-dollar recalls, because their IoT designs had eschewed security. And everyone pays if the bot-herders build and unleash zombie armies based on your unprotected design.
And cost may not be an issue for much longer. Devices like the Microchip ECC508 have started becoming available for tacking security onto microcontroller-based designs for under a dollar.
So, developers thinking of creating a new IoT device should at least stop casually dismissing security and start considering it as seriously as every other design tradeoff.
Tomi Engdahl says:
Processor Cores Feature Improved Security
http://www.eetimes.com/document.asp?doc_id=1330456&
In the escalating war between developers and cybercriminals, processor design needs to continually evolve. In one such evolution, Synopsys has developed next-generation security processor cores with protections that go well beyond encryption. The ARC SEM cores are designed to protect against both passive and invasive attacks aimed at compromising the contents of processor memory.
To handle encryption, the ARC SEM security processor family is designed to use software rather than an encryption engine, according to Angela Raucher, product line manager for ARC EM processors. “Developers of SoCs are looking to save power and area while still implementing security,” Raucher said in an interview with EE Times. “These choices are leading to requirements on the processor side to eliminate the crypto core.” The new processor cores instead offer an optional crypto pack, Raucher added, which are hardware extensions to help accelerate cryptographic calculations.
It has long been known, however, that running cryptographic algorithms in software can expose secret keys to discovery using passive side-channel attacks.
To guard against such attacks, Raucher explained, the ARC SEM cores are designed to flatten the timing of instructions by removing data-dependent instruction cycle count variations. The cores also introduce randomized variations in power and alter timing with random insertions of branch-to-self instructions. Such actions reduce the correlations upon which the attacks depend.
The cores also offer protection against intrusive attacks such as using the debug port to copy code and probe for software keys.
ARC SEM cores support creation of a trusted execution environment, Raucher noted, by providing up to 16 separate protected areas for code and data, with per-region scrambling capability.
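The data-dependent timing variation mentioned in the excerpt above can be seen in software too. The following is an added illustration, not code from the article or from Synopsys: it contrasts an early-exit byte comparison with a flattened one, using a loop-step counter as a stand-in for instruction cycle count. All names and the sample value are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Early-exit compare: iteration count depends on where the first mismatch
 * is, so timing reveals how many leading bytes of the guess were right.
 * *steps counts loop iterations as a stand-in for instruction cycles. */
int leaky_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Flattened compare: always visits all n bytes and folds differences into
 * one accumulator, with no branch that depends on the data. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    uint8_t diff = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    /* diff == 0 -> 1, anything else -> 0, computed without a branch */
    return (int)((((uint32_t)diff - 1u) >> 8) & 1u);
}

/* Constructed 8-byte secret value, for illustration only. */
static const uint8_t TAG[8] = {0x3a, 0x91, 0x07, 0xc4, 0x5e, 0x22, 0xb8, 0x6d};

/* Steps spent comparing TAG with a guess whose first `correct` bytes match. */
size_t steps_for_prefix(int constant_time, size_t correct)
{
    uint8_t guess[8];
    size_t steps = 0;
    for (size_t i = 0; i < 8; i++)
        guess[i] = (i < correct) ? TAG[i] : (uint8_t)~TAG[i];
    if (constant_time)
        ct_equal(TAG, guess, 8, &steps);
    else
        leaky_equal(TAG, guess, 8, &steps);
    return steps;
}

int main(void)
{
    for (size_t k = 0; k <= 8; k += 2)
        printf("correct=%zu leaky=%zu flat=%zu\n", k,
               steps_for_prefix(0, k), steps_for_prefix(1, k));
}
```

In the early-exit version the step count tracks the number of correct leading bytes, which is the correlation a timing observer relies on; the flattened version spends the same number of steps for every input.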
Tomi Engdahl says:
Security Protocol Promises Trust
http://www.eetimes.com/author.asp?section_id=36&doc_id=1330455&
A group of security experts led by ARM, Intercede, Solacia and Symantec collaborated to create a new security protocol for smart connected products.
The companies agreed that any system would be compromised unless a system-level root of trust between all devices and services providers was established. This led to the definition of the Open Trust Protocol (OTrP), which combines a secure architecture with trusted code management, using on mobile devices proven technologies from banking and data applications.
The protocol is now available for download from the IETF website for prototyping and testing. The key objectives of OTrP are to develop:
an open international protocol based on the Public Key Infrastructure (PKI)
an open market for competing certificate authorities
an ecosystem of client and server vendors around the protocol
Collaboration began in early 2015
The OTrP protocol adds a messaging layer on top of the PKI architecture. It is reusing the Trusted Execution Environment (TEE) concept to increase security by physically separating the regular operating system of a device from its security sensitive applications.
Given the heterogeneity of devices, Trusted Services Managers (TSMs) manage keys in the devices to create security domains, authenticate resources and load applications. OTrP defines a protocol between a TSM and a TEE and relies on the IETF JSON mechanisms for end-to-end security.
The protocol assumes that a device is equipped with a TEE and is pre-provisioned with a device-unique public/private key pair, which is securely stored and is referred to as the root of trust. A service provider uses such a device to run Trusted Applications (TA).
By identifying the key components in the system, OTrP defines an ecosystem of partners that deliver trust.