Security in Our IoT Products: We've Never Needed It, So Why Start Now?
April 07, 2020
Is device security necessary?
Good question. Most companies have a solid portfolio of products deployed out to the field, and many could claim they’ve been in the market for more than 20 years without incident.
Well, the market is not the same as it was 20 years ago, and things have changed, even from just a few years ago.
Business models have evolved, tools used for hacking are more accessible, end products are more ecosystem focused, and those with malicious intent can now work virtually unnoticed from the safety of their living rooms.
Hacking is also no longer about acquiring a single individual’s data or creating inconvenience and havoc for the fun of it. Hackers are seeking out bigger targets. They are setting their sights on big business. They know big business is more likely to pay up quicker and with larger sums of money because they know the alternative is painful: costly system outages, millions in lost revenue, unhappy customers and the long-term problem of brand damage. The illusion of comfort that comes from looking back on the last 20 years could be a poison pill for many.
Ransomware has fast become one of the biggest threats to industry as hackers move their attack focus to operational technology (OT). OT hardware/software detects or creates changes through the direct monitoring and/or control of industrial and smart home devices, assets, processes and events.
According to FBI data, ransomware attacks accumulated $144 million USD, all paid in Bitcoin, from 2013 to 2019, with $85 million of that paid through ransomware variants developed since 2018.
According to Symantec, there was a 37% drop in generic ransomware attacks between 2017 and 2019 and a whopping 62% increase in targeted ransomware attacks during the same period, further illustrating the focus on the bigger prize by those with malicious intent.
Rockwell Automation also stated that in 1H2019, 47 percent of ransomware attacks targeted government and manufacturing.
But still, is device security necessary?
At what point does big business become big enough to be a target?
This is a fair question, and only the attacker can really offer us an answer. While an individual business may not become the target of extortion, their products may become compromised as virtual private servers to be used as bots in ransomware attacks.
Both bandwidth and compute power can be bought anonymously using Bitcoin. Google “anonymous VPS” and ask yourself, “Why would you want to buy bandwidth and compute power anonymously via Bitcoin?”
The problem of maliciously using IoT technology against big business is paving the way for regulation. Governments around the world are introducing legislation that will be imposed on developers to curb the growing malicious trend.
While GDPR focused on privacy and data, new legislation focuses on the connected device. For example, Europe is introducing TS 103 645 / EN 303 645 (Cyber Security for Consumer Internet of Things), and several US states, covering about 30 percent of the US population, have similar bills in play, such as the California Consumer Privacy Act (SB-327).
In general, new legislation focuses on the following best practices:
- Do not use universal or default passwords
- Implement a means to manage reports of vulnerabilities
- Keep software updated, with updates coming via authorized entities only
- Securely store credentials and security-sensitive data
- Communicate securely
- Minimize exposed attack surfaces
- Ensure software integrity
- Ensure that personal data is protected
- Make systems resilient to outages
- Examine system telemetry data
- Make it easy for consumers to delete personal data
- Make installation and maintenance of devices easy
- Validate input data
- Implement a unique device identity
The design specifications of yesteryear’s wireless doorbell will no longer satisfy the specifications and legislation expected in the future. Developers will need to create products with security built in from the ground up, not as an afterthought and not as an option.
With IoT set to become such a focus for developers and semiconductor companies alike, security is becoming a key differentiator. It’s becoming less about who has the cheapest solution and more about who has the security solutions that will scale to protect my long-term business.
New security solutions such as Secure Vault technology from Silicon Labs are designed to provide developers with evolving solutions to a world of evolving threats. Built around a security subsystem and kept separate from the developer’s application, the Secure Vault solution features a dedicated crypto coprocessor that includes physically unclonable function (PUF) technology designed to keep crypto keys secure. The subsystem also has several anti-tamper blocks designed to detect and address physical attacks.
To learn more about Silicon Labs’ new Secure Vault solution, visit silabs.com/security.
About the Author
Nick Dutton is a senior IoT product marketing manager at Silicon Labs where he leads initiatives to drive the company’s wireless IoT platforms, products and strategies. Nick has held senior leadership roles at Silicon Valley technology startups including Zentri where he served as general manager and vice president of embedded products and helped lead Zentri’s successful acquisition by Silicon Labs. Previously he served as director of technical sales and customer marketing at Microchip Technology and also at Roving Networks. Nick holds a Bachelor of Engineering degree in Electronic Systems and Information Engineering with Honors from Sheffield Hallam University (Sheffield, South Yorkshire, UK).