IoT security is the gift that keeps on giving – an endless source of topics that can explore all manner of edges and wrinkles. However, the overall message is that things are bad, and likely going to get worse before they get better. For security providers like Spirent, there’s ample opportunity here, helping companies weather the storm ahead, and we spoke to Stephen Douglas, Corporate Solutions and Technical Strategy Lead, to get a view of the turbulence ahead.
The background to our conversation is Spirent’s approval as an authorized testing lab for the CTIA’s IoT Cybersecurity Certification program, which is intended to prove the security capabilities of cellular-connected IoT devices. This program is based on recommendations from the USA’s NIST and the NTIA, and kicked off in October of last year.
Douglas outlined how Spirent provides device and equipment manufacturers with security testing services, and also post-deployment operational monitoring, to ensure things run well once they are live. He said Spirent was more focused on networks, testing the security infrastructure and the ‘posture’ of the overall system – how well it is positioned to suffer attacks.
Douglas explained how, over the last few years, the industry has moved towards worrying about the security of its devices as well as its networks. This is especially so for IoT devices, which are less complex and less robust than network infrastructure. IoT-type devices are often orders of magnitude less complex than even a smartphone, and so they must be protected and accommodated differently.
To this end, Spirent believes that standards and industry best practices are the way forward, hence the involvement in the CTIA. AT&T is a notable supporter, and is one of many calling for more chipsets to be pre-certified – shifting the onus for security into the silicon and its providers.
As for the security methodologies used to evaluate overall resilience, Douglas outlined how there is still a blend of the traditional testing, focused on passwords and data transfer, all the way through to the systems used to check for breaches in databases and the breaking of encryption. These sorts of services are a hot topic at the moment, and moving forward, Douglas expects things like tamper detection and audit trails to become more prominent, so that a user knows if their systems have been breached.
On that point, a recent Verizon study found that over 60% of enterprise breaches were not identifiable for at least a month, meaning that an attacker has a pretty good chance of doing damage without being initially detected. This led to the major takeaway from our discussion with Douglas – that the greater problem for the IoT seems to lie at the application layer, and not in the device layer where so much attention is usually paid.
In Douglas’ view, SIM authentication doesn’t provide the application-layer protection, especially when the conventional approach is essentially just hoping that the security gateways inside the network can handle the workload. There’s a lot of investment going on in that area, particularly in traffic-analysis systems, which are being used to spot anomalous, malicious, network activity.
Compounding this device-level concern is the consumer electronics side of things, where the race to the bottom is going to see corners being cut in security, especially in the hardware BOM. This is going to create an increased workload for the network-layer security appliances and services, sifting through botnets of hijacked devices routinely, with no real recourse to solve that particular problem on the device itself.
But the application layer is currently very problematic, according to Douglas, where the biggest risk is the privacy of personal data. Douglas notes that the communications industry is not good at keeping such personal data private, and that much of the data is unencrypted when at rest – that is, having been encrypted during transit, it is stored in an unencrypted manner when sitting in the application layer.
To this end, it means that there’s a wealth of data available to any attacker that finds a way through the web of systems and networks, which in Douglas’ opinion is a massive risk. A particularly concerning trend is the abuse of error logs, where an attacker forces a fault in order to generate the log, which all too often contains information that becomes useful to the attacker – such as network configuration details. These logs typically give too much away, mostly because the developers behind them want to make their troubleshooting sessions as easy as possible. Consequently, those juicy little tidbits can easily become the breadcrumbs that lead an attacker to one of those at-rest databases.
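The over-sharing error log described above, handled on the defensive side: an added example (not from Spirent or the original article) of a Python logging filter that strips network configuration details before a record is written. The patterns, the internal hostname suffixes and all sample values are assumptions constructed for illustration.

```python
import io
import logging
import re

# Patterns for details that help an attacker map a network. The suffix list
# (.internal/.corp/.local) is an assumption for this example.
REDACTIONS = [
    # Credentials embedded in connection URIs: scheme://user:password@host
    (re.compile(r"(\b[a-z][a-z0-9+.-]*://)[^/\s:@]+:[^/\s@]+@", re.I),
     r"\1[REDACTED-CREDS]@"),
    # IPv4 addresses, with an optional port
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b"), "[REDACTED-ADDR]"),
    # Internal hostnames
    (re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.(?:internal|corp|local)\b", re.I),
     "[REDACTED-HOST]"),
]

def scrub(text):
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    return text

class RedactingFilter(logging.Filter):
    def filter(self, record):
        # Render msg % args first so values passed as arguments are scrubbed too.
        record.msg, record.args = scrub(record.getMessage()), None
        if record.exc_info:
            # Tracebacks repeat the exception text and the source line; format
            # once, scrub, and drop exc_info so nothing re-renders the raw form.
            raw = logging.Formatter().formatException(record.exc_info)
            record.exc_text, record.exc_info = scrub(raw), None
        return True

def demo():
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactingFilter())
    log = logging.getLogger("gateway-demo")
    log.handlers, log.propagate = [handler], False
    try:  # constructed fault; all values below are made up
        raise ConnectionError("10.4.7.21:5432 timed out via db01.core.internal")
    except ConnectionError:
        log.exception("upload failed: %s", "postgres://svc:Hunter2@10.4.7.21:5432/t")
    return stream.getvalue()

if __name__ == "__main__":
    print(demo())
```

Attaching the filter to the handler rather than the logger means every record reaching that output is scrubbed, including those from child loggers that propagate to it.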
Panning back out, Douglas said that enterprises are now spending heavily on security, especially in the financial and utility sectors. In large-scale IoT projects, blends of licensed and unlicensed networks mean that security priorities are higher, and these could have ripple effects that extend into the wider enterprise world.
In the automotive sector, there are two distinct concerns – the in-car networks and the external networks that connect the car to the outside world. There are very close partnerships for the in-car components, but these are not as prevalent in the V2X connections.
Douglas notes that it is quite easy to spoof satellite signals, with cheap equipment bought from online retailers. One such example is truck drivers that don’t want employers to know their exact location, and use small boxes to try and trick the on-board system. The fallout of this is that nearby devices, up to a kilometer away, are exposed to the RF interference, and in a world moving towards autonomous vehicles, which rely on these satellite signals for real-time driving, there is a risk that a spoofed satellite signal could cause crashes.
There are ways around this, says Douglas, but there has been a tendency to treat satellite as gospel. Putting more emphasis on other sensor inputs and signals, in order to determine which is being interfered with, is key. Similarly, you need a testing system that is able to emulate these kinds of environments, and wouldn’t you know it, Spirent can help you there.
Another area to consider, according to Douglas, is the Industry 4.0 trend, where there is great interest in using wireless communication to replace cabling. For many of these IIoT firms, data privacy and the protection of intellectual property is critical, and with many of them needing to incorporate such technologies across multiple locations or logistics networks, there is a huge need to ensure that the tiered security approach will work correctly.
The techniques deployed range from geofencing and network slicing, to ensure that devices stay in their respective lanes, to dedicated gateways that operate on the assumption that all the devices they connect are riddled with malicious code – a fairly labor-intensive process. As those sorts of gateways are where the first level of data aggregation is taking place, this is where encryption enters the fray, and this can complicate application architectures, as the network is operating on an insecure-by-default basis.