IoT Security – A Painful Process


The Importance of IoT Security

What is Okiru?

    A. A city in Japan

    B. A species of fox native to the American northwest

    C. A variant of the Mirai Internet of Things botnet

If you answered “C,” you’re likely ahead of the game when it comes to IoT security.

Okiru is a recently discovered malware that specifically targets ARC-based systems, including IoT devices built on ARC CPUs. The potential for exposed IoT devices is enormous. In fact, ARC processors have been licensed by more than 200 organizations and are shipped in more than 1.5 billion products per year.

Perhaps that’s why the FBI recently issued a warning about IoT security, specifically noting that unsecured IoT devices are prime targets for hackers looking to anonymously and maliciously exploit cyber networks.

“IoT devices make easy targets for attackers because many are still shipped with poor security, often enabling attackers to gain access with the use of default username and passwords, or by using brute force attacks to guess passwords — and that’s if the devices even have authentication processes in the first place.”
[Image: Kyrio white paper by author Ron Ih, Internet of Things (IoT) Security beyond cryptography (PDF)]

It turns out that implementing adequate IoT security is a notoriously complex and painful process. That’s why it’s not even a consideration for many device manufacturers. In their whitepaper, Internet of Things Security – Implement a Strong, Simple and Massively Scalable Solution, our friends at Kyrio note that IoT security is difficult because:

  1. Many of the companies producing IoT devices do not have or cannot afford a team of cyber security specialists to build in more rigorous security policies.

  2. Additionally, the products they’re developing use small microcontrollers that do not have a lot of compute power, and it does not make economic sense to put a large System on a Chip (SoC) in place merely to crunch cryptographic math for an operation that is only used to establish the authenticated secure session.

  3. Finally, while Public Key Infrastructure (PKI) is the cornerstone of most enterprise cyber security plans, its technical and logistical requirements make it challenging for chip manufacturers to implement without compromising the strength of the security.

“So far, companies have not been held accountable for producing IoT products with inadequate security, but that is changing with greater government scrutiny.”
— Kyrio

IoT device makers need a security solution that:

  • Is inexpensive on a per-unit basis

  • Adds minimal complexity to the design and sales process

  • Uses minimal computational resources in the device, and

  • Does not require a cybersecurity specialist to implement

IoT Security Solutions

Does such a solution exist? Is it possible to implement highly scalable device security for IoT without compromising the strength of that security? According to Kyrio, we’re not doomed to vulnerable IoT systems. Kyrio suggests that IoT device and chip manufacturers can improve the security of their products through:

  • Repackaged PKI solutions that deliver enhanced security options with less complexity

Instead of traditional customized, hard-to-implement PKIs, IoT device makers would benefit from a pre-established PKI that encompasses a multi-vendor ecosystem, where all adopting manufacturers simply need to use certificates issued from that PKI. A managed PKI implementation, backed by a trusted CA that can provide the rigor and process behind issuing and revoking authentic digital certificates, can feed directly into the manufacturing flow for IoT devices and provide robust security.

  • Embedding Certificate-in-a-Chip at the Time of Manufacturing

Advances in semiconductor miniaturization have led to the development of specialized chips (also known as secure elements) that provide cryptographic key storage and perform the mathematical operations. These certificate-in-a-chip devices make it much easier to manage certificates and provisioning from the IoT device itself. In addition to being physically very small, these secure elements include physical and electronic protection mechanisms to prevent unauthorized access to private keys:

“With pre-provisioned keys and credentials embedded in secure chips that are manufactured into the products, a cryptographically verifiable, securely stored, unique device identity is an integral part of each device.”
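What "cryptographically verifiable" means for the party talking to such a device, as an added sketch (not code from this post, Kyrio or Microchip): the verifier checks that the device certificate chains to the shared ecosystem root, then that the device can sign a fresh nonce with the certified key. Ed25519, the names `mustIssue` and `VerifyDevice`, and the subject names are assumptions made for the example; the in-memory key stands in for the one locked inside the secure element.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mustIssue plays the CA at manufacturing time: a new key pair plus a certificate signed by parent (nil = self-signed root).
func mustIssue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true}
	if parent == nil { // root CA: self-signed and allowed to sign device certificates
		tmpl.IsCA, tmpl.KeyUsage, parent, parentKey = true, x509.KeyUsageCertSign, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic(fmt.Errorf("issue %q: %v / %v", cn, err, perr))
	}
	return cert, key
}

// VerifyDevice checks the chain to the ecosystem root, then proof of possession of the certified key over our nonce.
func VerifyDevice(root, cert *x509.Certificate, nonce, sig []byte) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if err == nil && (!ok || !ed25519.Verify(pub, nonce, sig)) {
		err = fmt.Errorf("device did not prove possession of the certified key")
	}
	return err
}

func main() {
	root, rootKey := mustIssue("Constructed Ecosystem Root CA", nil, nil)
	dev, devKey := mustIssue("constructed-device-0001", root, rootKey)
	nonce := make([]byte, 32)
	rand.Read(nonce) // the verifier's fresh challenge
	fmt.Println("genuine device:", VerifyDevice(root, dev, nonce, ed25519.Sign(devKey, nonce))) // on hardware the chip signs
}
```

A certificate issued by any other CA fails the chain check, and a certificate copied off a genuine device fails the nonce check because the copier does not hold the private key.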

Making these small changes could have a dramatic impact on the IoT market. In fact, research by Bain & Company finds that enterprise customers would be willing to buy more IoT devices if their concerns about IoT security were addressed — on average, at least 70% more than what they might buy if their concerns remain unresolved. In addition, 93% of the executives surveyed say they would pay an average of 22% more for devices with better security.


DVmobile is working closely with Kyrio and Microchip to solve this problem. Come to our Daybreak Education Series event on August 28th to learn more about how dynamic chip-based security provisioning can minimize the pain of IoT security and provide enterprise-quality security.


 

Shawn Davison

CEO of DVmobile, triathlete, and technology philosopher.
