It was five years ago that a security expert hacked an insulin pump produced by Medtronic Minimed to demonstrate how grievously dangerous it could be to crank out connected products without much thought to security.
Awareness of that event might have been expected to compel some IoT device developers to be somewhat more conscious of product security, but no. According to Aaron Lint, Arxan Technologies Inc. research director, "we found the vast majority -- more than a half, more than three-quarters -- of devices actually don't do anything whatsoever to protect themselves against the types of attacks we protect against."
Five years after demonstrating how easy it would be to shock diabetics into comas, hackers demonstrated how easy it is to take over a moving vehicle. About the same time, the FDA, working with a unit of the Department of Homeland Security, issued a warning that a specific medical infusion pump was at risk for being hacked, and should be disconnected, if possible. (See Network Security Is a Bad Joke)
Shortly after that, there was a rash of hacks of nannycams by people who chose to use their computer skills to terrify very young children. Shortly after that, it was revealed to be fairly easy to hijack a WiFi Barbie.
And just because the average readers of Light Reading don't play with WiFi Barbies, don't think you're safe. Your smartphone is dramatically less secure than you assume it to be. That's because it's all loaded with apps, and while many developers are diligent about security while they're writing their code, hardly anybody is making any attempt to ensure the security of their software after they release it.
Even if a software developer writes perfect code with no obvious vulnerabilities, "software is still very vulnerable to attack because, especially with IoT devices and especially on mobile phones, once your software leaves your door, the attacker has full access to it. They can reverse engineer it to find problems," Lint said.
"This is what happened with the Juniper Networks hack," he continued. "The password was right there in plain text, and all it took was some very rudimentary analysis by a researcher to find something that was basically a break-once run-everywhere attack is apparent in every copy of that software in every vulnerable router. The underlying problem was that that password existed. The greater danger is that software is immediately analyzable, and can be easily taken apart and weaponized against every device that has this problem." (See FBI Investigating Juniper VPN Hack)
There are multiple methods of undermining application layer security. Code can be tampered with, substituted, rewritten. Configuration management can be accessed. If cryptography is used, it might be weak or could end up being rendered obsolescent. Keys and passwords might be easily detected, or stolen. There are others.
IoT devices are very typically software upgradeable. If this feature isn't carefully protected, hackers can hijack the device so that it malfunctions or perhaps even causes harm. This is the feature that hackers exploited in the infusion pumps last summer (the devices were discontinued by the manufacturer at the time but still used and also still available through third parties).
The move to cloud computing is exacerbating the problem; when application programming interfaces (APIs) are moved into data centers, the potential scope of any threat expands.
What Arxan does is provide tools that a developer can use to take final code and "inject" additional safeguards directly into the binary code that Arxan warrants will make it harder to reverse engineer or alter code.
Other companies come at application layer security from different angles. Gartner tracks application-level security and cites IBM, HP, Veracode and White Hat among the companies with the most thorough application-level security capabilities. Gartner has been banging the drum for years that companies are not investing anywhere near enough in security, including -- and perhaps especially -- app-layer security.
Of course there are security issues all up and down the OSI stack, with most investment going into network security. It is axiomatic that hackers will go after the most vulnerable point in a system. It's becoming clear that the most vulnerable point in the system is that it's not being treated as a system. Few companies have the vision or the scope to take on every security issue all up and down the stack.
Arxan believes that combining security measures on the network and application layers would be a huge step.
"What we have seen to be the most effective strategy is where the network's security layer, as well as the analytics that a lot of these devices are delivering, in addition to applications security -- where they're all giving insight into different aspects of security, working together, providing an in-depth connected picture. That will give devices the most chance to be resilient against attack," Lint said. "In short, all of these things need to work together. They need to compensate for failures in one level or another, and be able to corroborate that information to help defend devices against attack."
— Brian Santo, Senior Editor, Components, T&M, Light Reading