The Department of Homeland Security recently published (PDF) its Strategic Principles for Securing the Internet of Things. It comprises six non-binding principles designed to provide security across the design, manufacturing and deployment of connected devices. It quotes, “there is a small — and rapidly closing — window to ensure that IoT is adopted in a way that maximizes security and minimizes risk. If the country fails to do so, it will be coping with the consequences for generations.”
That quote came from the National Security Telecommunications Advisory Committee Report to the President on the Internet of Things. It was delivered in November 2014. Since that time the window has got much smaller, and the security threat has become reality in 2016.
There have been staged demonstrations since 2014, when a Jeep Cherokee was hacked via its onboard entertainment system. In 2015, Symbiq drug infusion pumps were withdrawn from hospitals because they were vulnerable to remote exploitation. Also in 2015, the ShotView targeting system on a TrackingPoint rifle was shown to be vulnerable to remote misdirection.
These weaknesses were all found and demonstrated by researchers. But in September 2016 cyber criminals used the internet of things to launch the largest known DDoS attack (peaking at 665 Gbps) against the website of journalist Brian Krebs. “The unprecedented size and scope of recent malicious cyber activities leveraging the IoT ecosystem has created urgency for the Department to prioritize security for the IoT,” says the DHS.
The six DHS principles comprise security by design; vulnerability management and patching; use of best security practices; employment of risk management to focus priorities; transparency in the supply chain; and consideration of whether continuous connectivity is really necessary.
Ensuring that non-binding principles will actually be employed is going to be a problem. Here the DHS raises the possibility of legal liability. “While there is not yet an established body of case law addressing IoT context, traditional tort principles of product liability can be expected to apply,” it says. But it goes further to say that DHS and stakeholders will need to consider how tort, regulation, certification, legislation and other mechanisms can be used to “improve security while still encouraging economic activity and groundbreaking innovation.”
The DHS document has been well-received.
“The principles put forth by the DHS are a good baseline for IoT security practices,” says Art Swift, president of the prpl Foundation. “While it may seem basic, these are exactly the things manufacturers and developers need to be doing to improve security in the Internet of Things.” But he adds, “The part that is not addressed by the DHS is to provide any practical guidelines on how to implement its recommendations.”
Those practical guidelines really need to start with the first principle: security by design. ‘Secure by design’ has been advocated for all computer devices for many years, but has not yet been achieved. It is clear from experience that if a device is not secure from the beginning, there will be security problems during its lifetime.
The prpl Foundation has its own recommendations, primarily built around hardware security and open source software. “At its core,” wrote prpl’s chief security strategist Cesare Garlati, “is a secure boot enabled by a ‘root of trust’ anchored in the silicon, and hardware-based virtualization to restrict lateral movement.”
“Securing devices at the hardware layer is one of the most important ways the IoT is going to become more secure,” explains Swift, “but using open source software is also a key area. Manufacturers and developers should no longer rely on proprietary code that can be reverse engineered as it has been proven time and time again that this ‘security by obscurity’ approach is broken. By using open source implementations, which are open to review and hence inherently more secure, developers can agree to get basics right on security first and then compete on value-add market differentiators.”
There have been other proposals for baking security into the design of IoT devices. An October Syracuse University Engineering and Computer Science article proposes what it calls ‘certified security by design’ for IoT devices. This combines a methodology for secure design with an audit process to confirm the design is met. “Of course,” says the article, “even the certification or verification steps need to be assured. To avoid human error, an ‘interactive theorem prover,’ such as HOL4, can be used.”
If the industry can find a way to follow and assure the six DHS principles, the IoT will undoubtedly become a safer place. Nevertheless there remains one major problem that falls outside of the scope of these proposals. The principles will promote safer future devices — but those that were harnessed to take down KrebsOnSecurity are already and still out there.
The Energy and Commerce Committee held a hearing Wednesday titled Understanding the Role of Connected Devices in Recent Cyber Attacks. A Statement for the Record from the Online Trust Alliance broaches the problem of existing insecure IoT devices. For developers and manufacturers it suggests, “Products which can no longer be patched and have known vulnerabilities should either have their connectivity disabled, the product recalled and/or the consumers notified of the risk to their personal safety, privacy and security of their data.” Retailers and resellers, it suggests, should “Voluntarily withdraw from sale products being offered without unique passwords or without a vendor’s commitment to patching over their expected life.”
These are solutions more easily described than enacted. In the meantime, the DHS six principles provide a good platform for future development. “It seems those in the know are all in agreement about these principles,” says prpl Foundation’s Art Swift, “so it’s time to get the industry at large involved and effecting the change needed to make IoT safer and more secure. As we know, it often takes government a little while to play catch up, so hopefully this is the start of security considerations in IoT becoming mainstream and not ‘add-ons’. When the industry can change its attitude towards security and make it a priority or crucial functional element before shipping products to market, we’ll see a safer IoT emerge.”