Is Device Management the Key to a Secure IoT?
David Rogers MBE is the author of the UK’s Code of Practice for Security in Consumer IoT and Services, in collaboration with DCMS, the NCSC, industry, and academia. Here, David discusses how device management platforms can help secure a growing IoT attack surface:
The days of shipping a product and leaving it in the field are long gone- Primarily because the environment they cohabit is coming under constant threat from cybercriminals using devices as an access point to steal or disrupt a device or systems that it connects to. IoT device manufacturers understand the importance of securing a device throughout its life cycle, but what are the deeper reasons for needing to manage IoT devices and what security gains can be had? Device hacks are becoming increasingly frequent, but you’d be surprised by the simplicity of some attacks. Conversely, the protection of diverse device types is no easy task, especially when an enterprise’s duty of care lasts not just to the point of sale, but for the device’s entire life cycle.
IoT Attacks are Increasing Whilst Products Remain Insecure
In order to prevent the onset, a ‘secure by default’ approach should percolate to every function in the business. A product design lifecycle driven by ‘first to market’ is inherently a false gain; an insecure product will inevitably be hacked, creating cost through re-engineering and loss of customer trust. Here are some of the more common attacks resulting in ‘security debt’ caused by shipping insecure products:
Attacking IoT devices to create scale and power for botnets can enable Distributed Denial of Service Attacks (DDoS), such as Russian attempts to attack IoT devices and the ‘Satoshi’ IoT botnet.
While their approaches are unsophisticated, so is defense against them. In both of these cases, the use of default passwords and a lack of software updates were major factors in the compromise of the devices.
IoT is seen as the low-hanging fruit for nation state attackers in 2019 who use home and enterprise routers to ‘pivot in’ to networks. This technology is widely deployed, used in both homes and businesses and this large attack surface makes for an appealing access point for hackers gaining access to broader networks thanks to poor passwords and out of date firmware.
Failing on the Basics
Many IoT products are failing even on the basics. Recent examples include more than 1 million DAB radios leaving unnecessary and old protocols like telnet open to attack and 600,000+ GPS trackers operating with the same default password of 123456. Research shows that less than 10% of IoT companies have a straightforward way for security researchers to interact with, securely manage or update devices.
The real possibility of ransomware against IoT devices raises the prospect of users having to gamble with their own lives potentially if they’re trapped in a house or subjected to attacks against life-affecting systems such as a boiler or oven.
Not knowing that devices are being hacked, or even that attempts are being made against them, is negligent and the functionality to manage these devices must be implemented correctly, otherwise, it risks becoming just another security hole.
Diverse device types have different intended lifespans and constraints, so there is no one-size-fits-all approach and each application and use case needs to be considered carefully to avoid a patchwork of solutions for differing device classes. The delicate balance between security, durability, capability, and cost must be carefully considered. From a business perspective, security is about risk management. Measuring risk is a fine art; threats can be misjudged in many ways, with some concerns being unnecessarily overestimated, resulting in higher security costs.
Attending the Product in the Field
Modern product development of connected devices and systems means looking after a device remotely, from inception to retirement, and is a huge undertaking for some organizations. If the vision of the Internet of Things is that all products are connected, then this applies to every entity involved in that process; this is usually not one company, but the entire supply chain.
Enrolment and Provisioning
Perhaps the most important, yet difficult task for a business to accomplish properly is device provisioning and IoT system enrolment. It’s best to perform this remotely and in a simple, but secure fashion. It could be that provisioning is via self-enrollment by the customer or during a commissioning process by another company or maintenance engineer.
The use cases for device management are not solely about security, and the insights gathered by telemetry in the field can be hugely beneficial. The basics of why companies would want to use device management include:
Many successful IoT attacks have been the result of a misconfiguration by a customer or supplier, but that misconfiguration was not detected until well after the devices had been compromised. Thankfully, remote device inspection can indicate compromise during emerging attacks, or validate a configuration state.
Software Updates and Configuration Management
Updating devices regularly throughout the lifetime of a product is both good security hygiene and good software management. Cloud software updates are easier to deploy as cloud services are usually hosted within secure data centers and can be managed more closely than end-point devices, without many of the constraints.
Understanding a device’s state before updating is important to ensure that the end result is successful. Updating is useful for:
Understanding and architecting for all the multiple scenarios can get very complex, very quickly. Issues that can complicate supply chain security include:
•Updates to standards and regulations
•Updating 3rd party proprietary software libraries
•Deploying open source components
•Multiple software versions
•Multiple stakeholders and supply chain stakeholders
•Contractual agreements preventing or demanding updates
•Responsibility for updating devices
•Diverse stakeholder requirements
IoT solutions should be based upon a reliable platform that can manage all of these different situations cleanly.
Decommissioning and the Decision to Cease Support for Devices
Hardly any attention is paid to the ongoing support and eventual sun-setting of devices. Over time, devices and services will decay if not updated, become increasingly distant from current standards and very quickly fall out of step with industry-level security vulnerability discoveries and fixes. Having access to a device’s security exposure in a regular, consistent manner offers peace-of-mind during a product’s lifetime and a reasonably clear pathway to retirement.
End users can become victims when devices become ‘orphaned’ or abandoned (or indeed forgotten!) because other parties cease trading or support. By having clear access to device management and contractual support for end-of-life, enterprises and supporting IoT companies have a better way to transfer ownership, modify configuration and ensure that systems don’t become abandoned, creating a security risk.
Deploying updates and receiving actionable data requires the right partners who can give security guarantees about how to deploy software updates safely and successfully, as well as continued assurances about how a device will be securely managed from birth to retirement. Why not join my TechCon seminar in San Jose on October 9th where I'll be detailing how to implement a device management platform. Done well and securely, your platform will ensure system longevity, a safer ecosystem for all, and above all, happy customers.