Internet of Things (IoT) describes an emerging trend where a large number of embedded devices (things) are connected to the Internet to participate in automating activities that create compounded value for the end consumers as well as for the enterprises. Many organizations are hesitant to tap into the power of the IoT due to the vulnerabilities and evolving threat while working with and managing such diverse and constantly evolving devices and the network environment that they operate in. e.g., According to Intel security, IoT devices are just beginning to be exploited. It is only a matter of time until IoT device threats become more widespread. Attackers are not after the devices themselves, but the data or gateway capability that they enable because it is the easiest way in, and these devices often provide under-defended access to target-rich networks. ESET, security firm recently found a malware named ‘KTN Remastered’ that would target routers and other embedded devices like IoT. Another interesting article that was published in most of the newspapers was ‘Why light bulbs may be the next hacker targets’.
Researchers demonstrated the IoT worms for smart light bulbs. To create the worm, the researchers developed a method for disconnecting the bulbs from their network and then flashing (or re-installing) the firmware on them using an over-the-air firmware update mechanism built into the bulbs.
With focused approach, it is possible to minimize the vulnerabilities and risks exposed to the devices and networks thus taking advantage of the value that the Internet of Things brings to the evolving digital landscape. Adopting security induced Software Development Lifecycle (SDL) is one of the major step in identifying and minimizing the zero-day vulnerabilities and hence to secure the IoT applications and devices.
In order to stem the security issues with IoT applications and devices, there needs to be a step change in the software development process. Adopt security best practice into the software development process to integrate secure coding and security testing ingrained as part of Software Development Lifecycle.
Following are some of the considerations for adopting secure SDL:
1. Setup governance for secure SDL
Document and setup secure SDL governance and compliance framework based on industry best practices like OWASP, SANS, MITRE CWE and compliance certifications like PCI DSS.
2. Leverage Threat Modeling tools to identify attack surface(s)
Create threat modelling which can help understand how the system works and the threat it faces. A good way to get started in space is the Microsoft’s STRIDE model. Focus testing on areas where difficulty to attack is least and impact is the highest. The attack centric model is centered on the attacker’ goals and motivations for breaking into a system. In this case, we want to evaluate how an attacker would achieve this and why. The reason being whether we like it or not hackers do exist and understanding how an attacker might invade a system will aid in protecting it.
The software centric model is aimed at detecting vulnerabilities in the system’s design. In this case, we step through the different components of the system and look for vulnerabilities that an attacker might exploit:
3. Monitor the threats introduced by 3rd party libraries
Third party libraries need to be integrated into development and the processes need to be built in such a way that they do not become major stumbling blocks. It’s recommended to document the various third party libraries and versions of each 3rd party library, where it’s used and in which release on the application. Integrate secure code scanning tools as a part of the continuous delivery pipeline and identify the threats in the 3rd party library. It’s quite important to coordinate and collaborate with 3rd party vendors on threat management.
4. Eliminate false positives from static code Analysis & Vulnerability Assessment findings
It is important to evaluate the attack surface and threat. To unearth the vulnerabilities that can be exploited, select appropriate tool to perform static code analysis. Elimination of false positive from VA means know your attacker and yourself. You think like evil, be evil and test like evil.
5. Plan for Secure Over The Air (OTA) Firmware upgrade
The ability to securely update a deployed embedded system can provide many hidden benefits. Firmware is a type of software that provides control, monitoring and data manipulation of engineered products and systems. If an image verification is required, the code key protection and OTA image encryption method needs to be implemented. The security relies on a secured symmetric key that is kept secret from any intruder. The secured symmetric key should be stored in all the accessories and used to generate the encrypted OTA Image. It is important to start identifying the security risks and ways to address these risks at the system design stage itself. The aspects of security needs to be thought of holistically rather than in bits and pieces.
6. Manage PKI Based Certificates during the development process
PKI certificate based trust management is a critical component to an enterprise’s overall security strategy as it plays a critical role in establishing root-of-trust for securing communication between IoT device and IoT application and also for remote firmware upgrade of IoT devices. Segregation of certificates used for development and deployment and avoiding use of master public/private key helps address many of the security risks.
7. Provision for integrated and continuous penetration testing
With the continuous testing of the Secure SDL, every change made to the code is automatically analyzed so developers are notified once any vulnerabilities are found which means businesses get information early enough and they don’t have to make tough decisions. In short, by bringing automated security testing framework, starting the development process, making security the core of the Secure SDL and saving time, developers learn to write safer code. This ultimately helps to make the IoT devices and applications become less of a security risk.
8. Ensure parity of secure SDL practices across IoT solution subsystems
With different subsystems of an IoT solution developed by geographically distributed teams, using different programming languages and having different attach surfaces, it is important to have a central security architect who has a holistic view of the overall IoT solution and prioritizes attack vectors that individual IoT solution component has to address based on the attack surface as well as the evolving threats.
To summarize, it is important to adopt a comprehensive secure SDL practice while developing IoT devices and IoT applications. Aricent has been working with its clients in implementing secure SDL for IoT solution components (including IoT device firmware, gateway software, Mobile app and public cloud deployed IoT application).