IoT Device Security: What to Look for from Vendors


Last Updated on March 25, 2022

With new laws such as California’s SB 327 requiring baseline IoT device security, combined with growing security concerns in the market, more IoT manufacturers are taking steps to improve security. Some build on or comply with trusted standards such as the OWASP IoT Security Verification Standard (ISVS) and the Cloud Security Alliance (CSA) IoT Security Controls Framework.

How much weight do these security claims carry? As an organization that purchases IoT devices, what should you look for, or reasonably expect, from vendors?

In the latest episode of The Virtual CISO Podcast, hardware hacker Joe Grand, known as Kingpin, explains where he sees IoT vendors going with security and how to get the most out of their efforts. The host is John Verry, CISO and managing partner of Pivot Point Security.

Verification and testing

What should someone look for in terms of security when purchasing an IoT device?

Joe has two answers to this question: “First, ask the vendor, so that they can actually show you what they did to secure their device properly. But my second recommendation would be that before you implement anything, you need to test it and verify it and figure it out for yourself.”

But few businesses have the resources to perform independent IoT security testing in-house. This testing is usually delivered as a third-party expert service by companies like Pivot Point Security, often on behalf of clients.

Compliance with IoT security standards

While Joe is skeptical about compliance with, or certification against, IoT security standards, he admits it is better than nothing, even if it is not the final word. A vendor whose product has been tested against a trusted standard is still better than one that ships without any testing.

Who assesses the device, and who assesses the assessor? “There were a lot of things that passed tests that they shouldn’t have,” Joe claims. “Or something goes through the tests and then in the production process, the elements change.”

“I think the vendors are going to use those credentials to say, ‘This is what we did,’” Joe clarifies. “You want to place the responsibility on the product supplier to prove that they have observed the physical or remote access. However, even at a high level, I think the buyer or implementer can ask the suppliers and not only ask to see their results, but also ask if they are concerned about remote access … because they’ll need legitimate remote access. At least you’ll understand some of the threats that can happen and then push it into doubt and say, ‘Okay, how do you protect me from these things?’”

Aside from interviewing vendors and conducting some form of validation testing whenever possible, John suggests planning compensating controls for areas where you are not 100% comfortable.

Security is application specific

What adds to the challenge of validating IoT security is that a product’s security often depends on the application it is deployed in.

“What may seem secure or appropriate for one environment may not be the same for another,” says Joe. “Going back to the example of the parking meter, the San Francisco municipality purchased these meters from the supplier, and they relied entirely on what the supplier told them about the masses. Yes, they were designed against vandalism and all kinds of physical destruction of those things. But they did not promise anything about the security of the smart card application. And the city eventually got the bulk of the problem because people created fake smart cards. And the application was really easy to hack. But if the municipality might have said, ‘Okay, how safe is it from people who make fake smart cards?’ So it will make the vendor responsible to explain it. It really shows you that if you are unable to ask the vendor questions, the vendor may not really understand your application enough to protect against these risks.”

“It’s all basic risk management,” John repeats. “It’s risk management on their side, and it’s risk management on your side and understanding the context, understanding your particular use of that product, your technology stack, your abilities to monitor and maintain the environment and all that fun stuff. Then figure out where the critical risks are and how to manage them effectively.”

What next?

To listen to the full podcast episode with Joe Grand, click here: https://www.pivotpointsecurity.com/podcasts/ep-75-joe-grand-how-hardware-hackers-exploit-iot-vulnerabilities/

Want more expert guidance on how to implement risk management in your IoT environment? This recent blog post is a good place to start: https://www.pivotpointsecurity.com/blog/owasp-isvs-vs-csa-iot-security-controls-framework-which-to-use-when/
