A Hardware Hacker’s Top Tips for Building Secure IoT Devices


Reading time: 4 minutes

Last updated on March 22, 2022


The Internet of Things (IoT) has basically become “all things Internet”: everything from sensors to smart door locks to biomedical equipment to smartphones. Each of these billions of IoT devices is part of an “ecosystem” that connects it to one or more other things (often through software) so that it can do its job.

That is a pretty big cyber attack surface. If you are a product engineer working for an IoT device manufacturer, where should you focus your efforts to help improve device security?

In the latest episode of The Virtual CISO Podcast, our special guest was the well-known hardware hacker Joe Grand, also known as Kingpin. Joe shares a wealth of knowledge about what makes devices vulnerable and how to think about their security. The show’s host is John Verry, Pivot Point Security CISO and Managing Partner.

Using our tools against us

Joe notes that even the hardware design process plays into hackers’ hands: “From the product or board level, there are many things to worry about. Basically, the point is that anything a design engineer uses on a board to facilitate device design, testing, manufacturing or repair can end up also being useful from an attack point of view. A large hardware breach is the exploitation of things like test points, which are small connections on a circuit board to make it easier to make critical signal measurements. Whenever an engineer puts a test point on the board, it is for some reason. So, an attack will go after any such signal.”

Debugging interfaces that allow designers to read and write memory, step through code and change parameters are another convenient access point for hackers. All these types of interfaces are essential for the design, manufacture and testing of the device, and getting rid of them after the fact is time-consuming and expensive.

Another challenge is that most of the peripheral chips engineers use in typical devices do not support things like encryption of data in transit. This makes the entire embedded system vulnerable to chip-level snooping, similar to how Wireshark can look at network traffic.

Of course, hardware hackers who have physical access to the device can “re-insert” debugging chips and test points, or even just remove the chips from the board and experiment with the communication protocols between the chips on a generic breadboard. Building in chip-level encryption and other security measures is much more difficult and expensive. Cost and time to market often become limiting factors.

What about tamper-resistant packaging?

Does hardened physical packaging, such as so-called “tamper-proof” packaging, have any value in securing IoT devices? For example, in some scenarios, tampering with the packaging disables the device. On the downside, some manufacturers intentionally leave the debugging ports exposed through the packaging layer.

“This is a difficult question because it also costs money and it also depends on the threat or what you are trying to defend,” Joe states. “What comes to my mind is that I recently hacked into a cryptocurrency wallet that had $2 million worth of cryptocurrencies in it.”

“Some of the common things we see are security mechanisms that slow down the attack,” Joe adds. “It sometimes gives people a false sense of security because they say, ‘Oh, we have anti-tamper – we have epoxy that covers the components to make it really hard to reach.’ But those are not real security features. These are just some physical prevention. So, I would not trust them, but they may be a good move depending on what your real concern is.”

Taking a risk-based approach

John advises taking a risk-based approach to IoT security: “You want to make the fence high enough so that the malicious person should not take the time to expand it. Like, a $2 million crypto wallet, I’m going to be ruthless in my chase to get into the device. If I have the ability to mess with the nearby farmer and confuse the irrigation of half an acre of lettuce, I do not intend to spend much time on it.”

“I do think you need to be very aware of the risk, and what you are protecting against,” John emphasizes. “I think in some cases these barriers are not final, but slow [the attack] to the point where it’s a good strategy.”

“If they are applied properly,” Joe says. “I’ve seen devices that protect chips, but then right next to it they have an unprotected open footprint that connects to the same bus. Unless you think about the whole attack process, just detecting a little epoxy on something or applying a switch will not really stop anyone.”

“Security comes down to making the attack difficult enough or time-consuming or expensive to the extent that it is not worth it,” Joe concludes. “With IoT devices, however, you may only need physical access, for example, to one device. But now you have a piece of information that you can use as a milestone for a larger network. So that makes this effort worthwhile.”

“That’s really all … I guess you call it risk management or a threat model,” Joe reiterates. “You have to model a threat, as an engineer. But unless the people you are trying to persuade understand the problems, it’s very difficult. You need not only your engineers to understand security, but also then your management needs to understand what the risks are. Everyone up the chain really needs to understand the whole landscape of their devices, from the design point of view or what they apply in their environment from other people.”

What next?

To hear this thought-provoking podcast with Joe Grand in full, click here: https://www.pivotpointsecurity.com/podcasts/ep-75-joe-grand-how-hardware-hackers-exploit-iot-vulnerabilities/

Looking for more IoT Security Training? We recommend this latest podcast: https://www.pivotpointsecurity.com/podcasts/ep32-aaron-guzman-john-yeoh-how-iot-is-shaping-the-future-of-cybersecurity/
