IoT cybersecurity – Graceful degradation and security by design for IoT devices
Opinion
The Device Chronicle interviews Professor Josef Noll on some typical cybersecurity challenges that come with IoT connected devices.
Josef Noll is Professor at the Department of Technology Systems, University of Oslo & Secretary General of the Basic Internet Foundation. He has a comprehensive knowledge of the issues at hand when it comes to securing IoT-connected devices.
In the halcyon days of 3G in the late 90s, Josef was a group leader for a research project developing 3G technologies. In 4G, he witnessed the focus shift from Internet connectivity on the smartphone to IoT device connectivity in mobility, and then on to the stage where IoT security became a major driver as more and more devices were connected to the networks. Josef recalls the inflection point in 2008, when Hans Christian Haugli, Head of Mobile Research at the Norwegian telecommunications operator Telenor, famously remarked that “now is the time that we see more devices connected to the network than people (in Norway) in fact.” This inspired Josef to lead an IoT device security project for smart grids to create a secure and automatic smart metering infrastructure (in Norway). He says “It was a coordinated effort between 5 universities and 20 partners from industry overall.”
Threats to IoT device security
Josef outlines some intrinsic threats in IoT device security. He says there has been so much focus on low energy consumption and limited processing power in IoT-connected devices that, as a result, security measures such as encryption are often sacrificed. Josef says “Too often, device manufacturers have not been able to spend so much energy and system resources on encryption, and so prefer to make devices that are fit for purpose but not necessarily fit for security.”
Josef notes a second challenge: new security threats emerge quickly, yet there are devices that have already been installed for 5, 10, even 15 years. Josef believes these devices are definitely vulnerable to these new and emergent threats. Josef gives the example of a pressure sensor in a vehicle tyre. This device will have a lifetime of at least 3-5 years, in line with tyre changes, and it should simply report the pressure. But because its data is unencrypted, the sensor could easily be manipulated locally to capture that data and send fake messages out. This could cause the driver to stop, leading to operational downtime. This is only one small example with limited potential impact. You could also have an unprotected fire detector sending unencrypted messages to the fire alarm system, which could lead to the emergency doors being opened and a resulting physical security breach.
Supply side threats
Josef points out that ransomware has been the most common cybersecurity threat. Now he sees the emergence of a top-down threat that comes from the supplier side: the supplier gets infected and, through the supply chain, all the customer’s devices get infected in turn. This happened with Western Digital My Book Live drives, where a bug in the software allowed attackers to perform a remote factory reset that zeroed all data on the device. QNAP NAS products were compromised, and the end users then suffered a ransomware attack demanding a bitcoin ransom. The QNAP Photo Station vulnerability created a small hole in the access control of the NAS that could be exploited as an attack vector for ransomware to be executed. It still required an end user’s NAS to be set up in a weak remote access state – allowing Internet access to the system without sufficient layers of encryption, protection and/or authentication, such as a VPN, a firewall or disabling UPnP, in order to reach Photo Station – after which the attacker could command the QNAP NAS to encrypt its contents, create a ransom text note and modify the login screen to show the DeadBolt warning.
Linksys and Netgear routers also had known vulnerabilities that could be exploited to enlist them in a botnet for attacks. A critical vulnerability was discovered in third-party code libraries used by hundreds of vendors, including Netgear, Linksys, Axis, and the Gentoo embedded Linux distribution. The flaw made it possible for attackers with access to the connection between an affected device and the Internet to poison the DNS requests used to translate domain names to IP addresses. By repeatedly feeding a vulnerable device fraudulent IP addresses, the attackers could force end users to connect to malicious servers posing as Google or another trusted site.
Josef laments that some device makers have been driven by the dynamics of the consumer market, which looks for low prices first. As a result, the go-to-market strategy for device manufacturers has typically been to bring out an inexpensive product with weak security protection. The device goes out into the field and the vendor then tries to react to a vulnerability after the fact. But how can those vulnerabilities be patched if a secure OTA software update process has not been put in place?
Unfortunately, Josef also believes that organizations can often be dissuaded from putting a software update mechanism in place because they fear that client infections could also come from the supply side, through false firmware being installed via an OTA software update. He points to one such instance where the supplier’s software was hacked and over 10,000 clients at customer sites were compromised. This is why it is very important to implement a secure and robust OTA software update mechanism that follows security-by-design principles.
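As an added illustration of what such a security-by-design OTA mechanism checks before installing an image (example code written for this page, not from the interview or from any vendor’s product), the device side accepts an update only if the manifest is signed by the vendor’s Ed25519 key, the version is newer than the installed one (anti-rollback), and the image hash matches the manifest. The manifest layout, the `Sign`/`VerifyUpdate` names and the use of Ed25519 are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Manifest describes one OTA update: the version it carries and the
// SHA-256 of the firmware image it authorises (assumed layout).
type Manifest struct {
	Version uint32
	Hash    [32]byte
}

// Bytes returns the canonical encoding over which the signature is made.
func (m Manifest) Bytes() []byte {
	b := make([]byte, 4+32)
	binary.BigEndian.PutUint32(b[:4], m.Version)
	copy(b[4:], m.Hash[:])
	return b
}

// Sign is the vendor-side step (hypothetical build server): the private
// key never leaves the vendor, only the signature travels with the update.
func Sign(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Bytes())
}

// VerifyUpdate is the device-side gate. The vendor public key is burned
// into the device; "installed" is the version currently running.
// A false manifest, an older version, or a swapped image are all rejected.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, sig, image []byte) error {
	if !ed25519.Verify(pub, m.Bytes(), sig) {
		return errors.New("manifest signature invalid: reject update")
	}
	if m.Version <= installed {
		return errors.New("version not newer than installed: reject rollback")
	}
	if sha256.Sum256(image) != m.Hash {
		return errors.New("image hash does not match manifest: reject update")
	}
	return nil
}
```

The signature check comes first so that a compromised supplier pipeline cannot push an unsigned image even if it can reach the update channel; rollback protection stops a signed-but-old vulnerable image from being replayed.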
Find a maintenance window for software updates
Due to high availability requirements, companies often do not want to apply software updates in case the service or process no longer works as expected. Josef says “Implementations are often built on top of the underlying software package, and so a lot of testing is required before any changes should be made. This makes organizations hesitant about applying software updates.”
Josef concludes by covering the expected impact of the coming wave of cybersecurity legislation, such as the EU Cybersecurity Act. Josef suggests that the cost of non-delivery of security (by device manufacturers) could be accommodated by using a function from the energy market. “Just as there is a penalty in the energy market for non-delivered energy from distributed grid operators, this function could be applied to device makers who do not deliver adequate security measures to meet the emerging threats. This is a function that depends on the impact of the disruption; the distributed grid operators must have protective measures in place.”
Security by design installed in company DNA
Ultimately, Josef believes that security-by-design needs to get into the DNA of the company so that it is able to deal with graceful degradation. This rests on the understanding that the devil is there and the (cybersecurity) attack will come, so the organization must prepare for the attack in the system, and the system must degrade gracefully to remain operational. This, Josef concludes, “comes down to training and a digital inventory of all devices to know what needs to be upgraded so that adequate protections can be put in place.”
We wish Josef and his colleagues well in their research endeavors.