The challenge of securing embedded devices and IoT on display

Every year the numbers and the types of devices security professionals find themselves having to secure from attacks keep growing, and there's certainly no sign of that letting up at Black Hat 2014 this year.

This week at the annual Las Vegas event, researchers Charlie Miller and Christopher Valasek, in their talk A survey of remote automotive attack surfaces, will show how attackers, often remotely, can leverage vulnerabilities to hack vehicles, and in some cases quite seriously. Logan Lamb, meanwhile, will present how home security systems are susceptible to shenanigans in his presentation, Home Insecurity: No Alarms, False Alarms and SigInt.


And researchers Don Bailey and Zach Lanier will hold a roundtable on security and Embedding the Modern World, Where Do We Go From Here. The panel will examine how embedded computers, smart watches, cameras, industrial control systems, and other devices will impact security in the years ahead.

The good news is that the security industry is well familiar with the means to secure the IoT and embedded devices, such as identity management and secure software development. The bad news? We've yet to broadly master either.

Don Bailey, CEO at Lab Mouse Security, contends that the management of identities and associated user and device permissions will be critical when it comes to bringing trust to the IoT. "The number one issue is identity. We will have all of these unmanned devices that aren't going to be monitored by anybody," says Bailey.

"You will have these complex devices controlling your refrigerator, your car, or whatever else that you can imagine. But how do you know that the actions that are being taken on that device can be attributed back to a specific individual? How can you ensure that any action that's taken is an action initiated by the authorized user?" he says.

And, because of the many moving parts, the security of IoT and embedded devices depends on an entire stack of trust when it comes to the interconnected networks, hardware, applications, operating systems, and protocols. "It requires a lot of participation from different organizations, which I don't think people fully understand how these complexities create a lot more opportunity for subversion than people realize," says Bailey.

For instance, the most common way Bailey infiltrates IoT systems is over the cellular network, largely because the security of the communication channel is assumed to be managed by the provider. "And each provider of software and hardware often presume they're all secure, and no one has any real control over the security of the entire system," he says.

These potential weaknesses make software security just as crucial as ever. Jared DeMott, in his course this week, Application Security for Hackers and Developers, covers source code auditing, fuzzing, reverse engineering, and exploit development and the skills and tools necessary to find, fix, and exploit bugs found in software.

DeMott explains that while many professionals are focused on securing modern frameworks, scripts, and high-level languages, more skills are going to be needed for securing traditional C and C++ code. "So kernels, and low-level operating system security is crucial for securing these devices. And in C and C++, there's a lot of opportunity for developers to shoot themselves in the foot, because developers have to manually manage system resources in these languages," he says.

And it's these low-level languages that run the telematics systems in your car, embedded systems for your home thermostats, smart TV, and anything else. All these devices are still written in C and C++.

The challenges associated with developing securely in these languages have been fought for nearly two decades. "You often hear people say, 'Well, why don't we just get rid of the C and C++ language if it's so problematic. Why don't we just write everything in C# or Java, or something that is a little safer to develop in?'," DeMott says.

What does DeMott think this means when it comes to securing the IoT and embedded devices? "It's yet to be seen, but I wouldn't be surprised at all to hear about somebody remotely taking control of a car and driving someone off a bridge," he says, half-joking. "A lot of people don't realize the amount of code in their cars, or in industrial control systems. We don't know for certain if we will see a bunch of attacks on these systems, but history does have a way of repeating itself in these regards," DeMott says.
