Firms with poor IoT security more likely to experience data breaches, DoS and more - could code signing help solve the problem?
November 2019 by Mike Nelson, VP of IoT Security, DigiCert
Enterprises are going to suffer for poor IoT security and it is up to them to fix it. DigiCert’s 2018 State of IoT Security survey revealed what firms risk, and the price they eventually pay, for not securing their IoT rollouts properly.
Firms with poor IoT security are 3.5 times as likely as their well secured counterparts to experience a malware and/or ransomware based attack. They are 7 times as likely to have experienced an IoT-based denial of service attack, just as likely to have experienced unauthorised access to those devices, and 5 times as likely to have experienced some kind of data breach.
Getting attacked is one thing; the resulting damage is another. As destructive as a cyber attack can be, what happens next makes the real difference. Well secured organisations were still attacked, but almost no monetary damages were associated with those attacks. Poorly secured organisations could not say the same: over half (54 percent) reported monetary damages, 49 percent lost productivity, 43 percent suffered reputational damage, and 43 percent reported hits to their stock price and compliance penalties.
Much of that insecurity arises from the connections within those vast IoT networks: not just connections between devices, but connections from the devices within a network to the outside world. IoT devices often need updating, partly because of the famously shabby security of many such devices, and third-party providers will often push new features and security patches to their products via over-the-air (OTA) updates.
One common tactic is for an attacker to write malware, disguise it as an OTA update for a device, and then take control of the devices it claims to be updating. This works whenever the device has no way to check who actually produced the update. From there, there is plenty an attacker can do: enlist the device into a botnet, or use it as a foothold to climb further into your network.
Given the rapid adoption of the IoT at every level of business, each new adopter is creating, and will keep creating, large numbers of new connections. If it is those connections that expose a network to attack, then they have to be protected. More and more, companies are using code signing to help lock those new connections down.
Code signing lets an organisation verify the integrity of a piece of software and, most importantly, its source. Using public key cryptography, a software author signs the software with a private key; a device that holds the corresponding public key can then confirm that the code came from that author and has not been modified since it was signed. The guarantee is only as strong as the custody of that private key and of the public key pinned on the device: a signing key that leaks, or a device that accepts any key, provides no protection at all.
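The two paragraphs above describe the attack (a malicious image dressed up as an OTA update) and the defence (a signature the device checks before it installs anything). The following Go program, added here as an illustration and not code from the original article, DigiCert or any device vendor, puts both sides together. It assumes a made-up image layout (a 4-byte magic, a 4-byte big-endian version, the payload, then a 64-byte Ed25519 signature over everything before it); the function names, the sample payload and the attacker scenarios in `main` are all constructed for this example. Only the Go standard library is used.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout assumed for this example (not any vendor's real format):
//
//	magic(4) | version(4, big-endian) | payload | Ed25519 signature(64)
//
// The signature covers magic, version and payload, so changing any of
// them, or signing with a key other than the vendor's, is detected.
var magic = []byte("FWv1")

const headerSize = 8

var (
	ErrMalformed    = errors.New("malformed image")
	ErrBadSignature = errors.New("signature verification failed, image rejected")
	ErrRollback     = errors.New("version not newer than installed, image rejected")
)

// NewVendorKey generates the vendor signing key pair. In practice the
// private half lives in an HSM on the build server; only the public half
// is baked into the device at manufacture.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignImage is the build-server side: it serialises the header and payload
// and appends an Ed25519 signature over all of it.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, headerSize, headerSize+len(payload))
	copy(body[:4], magic)
	binary.BigEndian.PutUint32(body[4:8], version)
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage is the device side. pub is the pinned vendor public key and
// installed is the version currently running. Nothing in the image, not
// even the version field, is trusted until the signature checks out.
func VerifyImage(pub ed25519.PublicKey, installed uint32, image []byte) (uint32, []byte, error) {
	if len(image) < headerSize+ed25519.SignatureSize {
		return 0, nil, ErrMalformed
	}
	split := len(image) - ed25519.SignatureSize
	body, sig := image[:split], image[split:]
	if !bytes.Equal(body[:4], magic) {
		return 0, nil, ErrMalformed
	}
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, ErrBadSignature
	}
	version := binary.BigEndian.Uint32(body[4:8])
	if version <= installed {
		// Genuinely signed but not newer: replaying it would reintroduce
		// whatever bug the current version fixed.
		return 0, nil, ErrRollback
	}
	return version, body[headerSize:], nil
}

func main() {
	vendorPub, vendorPriv := NewVendorKey()
	const installed = 3
	payload := []byte("constructed firmware payload v4") // constructed sample

	// 1. Genuine update from the vendor: accepted.
	good := SignImage(vendorPriv, installed+1, payload)
	v, _, err := VerifyImage(vendorPub, installed, good)
	fmt.Println("genuine image:", v, err)

	// 2. Attacker patches the payload in transit: signature no longer matches.
	tampered := append([]byte(nil), good...)
	tampered[headerSize] ^= 0xff
	_, _, err = VerifyImage(vendorPub, installed, tampered)
	fmt.Println("tampered payload:", err)

	// 3. Attacker signs their own malware with their own key: wrong key.
	_, attackerPriv := NewVendorKey()
	forged := SignImage(attackerPriv, installed+1, []byte("malware"))
	_, _, err = VerifyImage(vendorPub, installed, forged)
	fmt.Println("attacker-signed image:", err)

	// 4. Old but genuinely signed image replayed to downgrade the device.
	old := SignImage(vendorPriv, installed, payload)
	_, _, err = VerifyImage(vendorPub, installed, old)
	fmt.Println("replayed old image:", err)
}
```

Two design choices matter here. The signature is checked before any field of the image is interpreted, so a malformed or attacker-controlled header never reaches the parser; and the version is inside the signed region, so an attacker cannot take a genuine old image and bump its version number to get past the rollback check.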
The importance of code signing in the IoT has been demonstrated time and time again. Last year, two researchers showed how a pacemaker system from medical device manufacturer Medtronic could be exploited in exactly this way. Because there was no code signing on the device's update path, an attacker could deliver malicious updates and remotely take control of it.
The truly landmark example happened several years earlier. When Charlie Miller and Chris Valasek hacked a Jeep Cherokee and presented the work at Black Hat 2015, the wider world gasped. It was one of the most profound examples of an IoT hack ever publicly displayed, and thankfully it was a demonstration rather than an attack found in the wild. Suddenly, hacking wasn't just about data any more. Hackers, in this fortunate case white hats, could reach out and touch the real world in very real and very scary ways.
The key to the hack was the connection between the car's internal control network, the CAN bus, and its head unit: the increasingly computerised infotainment system that used to consist only of an AM/FM radio and, if you were lucky, a tape deck. Through that connection Miller and Valasek could reflash the microcontroller that bridged the head unit to the CAN bus, and from there send the messages that turned the car to their own will.
Critically, noted Miller at Blackhat 2015, “there’s no code signing; you can update the chip, no questions asked.” It was largely that simple oversight that woke the world up to the malicious possibilities of the IoT and a frank reminder that as promising as the IoT could be, it could almost as easily be turned against its owners.
People are beginning to take the hint. Tesla, Elon Musk's electric car company, has already pushed out code signing protection to its vehicles, and more enterprises are taking the above lessons on board when it comes to the IoT.
Innovation is an exciting thing. No one is denying that. But in that rush, organisations can open themselves up to potentially catastrophic vulnerabilities by not considering the wider security oversights that their enthusiasm blinds them to. If organisations are serious about seizing the innovative potential of the IoT, they will have to take responsibility for their own security.