We would like to start by thanking BBC Click for providing a clear and accessible explanation of their security research, and Scott Helme and Professor Alan Woodward for their contributions. At the IoTSF, we have a saying that we need to bring security out of the shadows in order to raise awareness of what is happening; whilst we do not expect everyone to become a security expert, we can certainly improve general awareness of the issues. Likewise, we agree with them that the Raspberry Pi is an incredible tool for teaching children. Many of our members have them and, while security is not the main priority of the product, security mechanisms can be added to make it suitable for a range of bespoke projects. Despite this, there is still a long way to go before we achieve absolute security.
The recent exposé in the news regarding the nomx secure email box got us all quite excited at IoTSF – mainly in the wrong way – but it also gave us the opportunity to reflect more deeply on a number of common security issues from the viewpoint of IoT.
Richard Marshall of the IoT Security Foundation (IoTSF) was asked to take a look at the nomx discoveries and provide an overview of how the public information relates to the IoT Security Foundation’s work. As you can see, he had some interesting things to say about it.
The evaluation uncovered many common failings, and these are factors that should be considered when designing any IoT product in the future, particularly:
- Without physical access to the target system, the MAC address can be an important indicator that lets an attacker determine the type of platform they are attacking, especially when the target is a widely available general-purpose computer platform. An adversary can use this information to focus on known vulnerabilities in that platform in an attempt to defeat it.
- Software that is removable and unencrypted is extremely easy for an attacker to copy and reverse engineer, including finding sources of entropy which may indicate encryption keys in the software. Nomx’s product was designed to support embedded FLASH, and the attack would have been a little more difficult to orchestrate if it had used embedded FLASH.
- Consider the security implications of the hardware platform when selecting the one your product will be based on. It should be able to store encryption keys securely, so that those keys can be used to authenticate software and identify devices.
- It is a basic recommendation to ensure that the operating system version is up to date, has the latest security patches, and is not unsupported or out of date.
- Without a secure update method, an unauthorised or potentially malicious software update can be executed. Furthermore, once the software has been compromised in this way, it may be difficult to carry out further upgrades to close the identified security vulnerabilities.
- When passwords are used for authentication, avoid default passwords and force users to set a strong, unique password, as described in the Click programme. If the method you use to protect passwords is susceptible to simple dictionary attacks, it is best avoided.
- As a general rule of thumb, it is best to start from the position that a piece of IoT technology is connected to an insecure network, rather than assuming it will be installed on a secure one.
- When a web server is incorporated into the product, take all necessary measures to prevent cross-site scripting vulnerabilities from being introduced.
- In order to leverage the ethical hacker community, a vulnerability policy should be implemented so that security researchers can easily report vulnerabilities. Additionally, vendors need predetermined processes in place that allow them to communicate promptly with researchers and end users to manage the risks involved.
- Although neither the vendor nor the customer is keen on the idea of a product recall, it is important to consider its implications and the impact it would have on the company. Many Internet of Things products will, by their very nature, be installed in inaccessible places, or be used to monitor processes that require high availability. A recall caused by hardware insecurities could have very significant ramifications for the product vendor’s business and customer relationships. The ramifications in this case may be relatively minor, but other product vendors may not be so fortunate if their products were found to have vulnerabilities that could only be fixed by a mass recall.
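
The password recommendation in the list above, worked through as an added example (not code from nomx, BBC Click or the IoTSF): a first-boot flow in which the factory default only unlocks a forced password change, dictionary-style choices are rejected, and only a salted, slow hash is stored. The default password, word list, minimum length and iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# All values below are assumptions for illustration, not taken from any product.
FACTORY_DEFAULT = "admin"      # hypothetical shipped default
COMMON = {"password", "123456", "letmein", "qwerty", "admin", "raspberry"}  # constructed sample list
MIN_LENGTH = 12
ITERATIONS = 200_000           # PBKDF2 work factor; raise as far as the device CPU allows

def password_problems(candidate, username):
    """Return the reasons a new password is rejected (empty list = accepted)."""
    lowered = candidate.lower()
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if candidate == FACTORY_DEFAULT:
        problems.append("factory default")
    # Also strip trailing digits/punctuation so "Password123!" is still caught.
    if lowered in COMMON or lowered.rstrip("0123456789!?.") in COMMON:
        problems.append("common password")
    if username and username.lower() in lowered:
        problems.append("contains username")
    return problems

def hash_password(password, salt=None):
    """Salted, deliberately slow hash: each guess costs ITERATIONS HMAC rounds."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class Device:
    def __init__(self):
        self.salt, self.digest = hash_password(FACTORY_DEFAULT)
        self.must_change = True            # set at manufacture, cleared once

    def login(self, password):
        _, digest = hash_password(password, self.salt)
        if not hmac.compare_digest(digest, self.digest):
            return "denied"
        # The default only ever unlocks the change-password screen.
        return "change-required" if self.must_change else "ok"

    def set_password(self, username, new_password):
        problems = password_problems(new_password, username)
        if not problems:
            self.salt, self.digest = hash_password(new_password)
            self.must_change = False
        return problems
```
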
The security community is unanimous in its belief that security involves many aspects.
Consequently, the nomx product would have been considerably more secure and in line with its advertised benefits if it had incorporated all the features mentioned earlier.
“There is no security in anything else.”
In addition to these concerns, we were also intrigued by the marketing used to promote these products. It is generally considered a faux pas for businesses to claim that their products provide total security, and any such claims should be treated with a healthy degree of skepticism. For any security professional, it should be obvious that if there is a will, there is normally a way; this is one of those basic concepts. Exaggerating security claims throws down the gauntlet to researchers and hackers, if only as an intellectual exercise. The amount of time, money and effort that criminals are willing to put into attacking a product’s security depends on whether it is protecting something of value or controlling a process of a critical nature (for instance, a production line, a treatment plant or an energy generation plant). There are no absolute definitions of security, only whether the system is fit for its intended purpose. If you guarantee the absolute security of your product, you must expect that it will be tested, and that it will be tested hard.
This ethical attack has highlighted a number of important factors that IoT product vendors should consider, not the least of which is selecting the right computing platform for their products. Most of the time, the task will consist of ensuring that the security capabilities are appropriate for the use case the product is designed for, and determining how to maintain that solution over the course of the product’s expected lifecycle.
A key objective of IoTSF is to make Internet of Things security high-quality and ubiquitous. As a non-profit expert organization, we produce free guides on best practices, an IoT Security Compliance Framework, and training courses that will help you avoid the kinds of mistakes exposed in this article.