EE Times-Asia

Designing security framework for IoT devices

Posted: 15 Dec 2015

Keywords: IoT, security, SCADA, VxWorks, Heartbleed bug

Security challenges continue to make headlines in the IoT, and no vertical market has been spared. Automotive security has been in the headlines recently, but lighting systems, white goods, home security devices, medical equipment, airplanes and industrial automation systems have all had their unfortunate turn in the cyber vulnerability spotlight.

With high-profile cyber-attack headlines a weekly occurrence, companies are finally beginning to get serious about IoT security. Building a secure IoT device requires a solution crafted specifically for the types of threats these devices will be exposed to and, more importantly, designed to run on the specialised, low-cost hardware usually found powering IoT devices. IoT devices are, by nature, highly connected and therefore provide broad attack surfaces for would-be hackers to exploit. To secure these devices, designers need a comprehensive security framework that provides enterprise-level security in these small devices.

Application layer attacks
In 2013, security researcher Craig Heffner discovered a backdoor within the firmware found in a number of D-Link routers. The HTTP server in these routers included a backdoor that bypassed the standard authentication process. The web server examined the browser user agent, and if it matched "xmlset_roodkcableoj28840ybtide", authentication checks were skipped. The string, read backwards, "edited by 04882 joel backdoor", showed that this was an intentionally planted backdoor. The backdoor provided access to the device's configuration capabilities.
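The reversed string above suggests a simple firmware-review check: extract printable strings from an image and flag any that contain a suspicious word read forwards or backwards. The following is an added example, not code from the article or from any vendor; the sample bytes are constructed (only the user-agent string comes from the text) and the keyword list is an assumption to be tuned per product.

```python
import re

# Constructed sample: a few bytes standing in for a firmware image. Only the
# user-agent string comes from the article; everything else is made up.
SAMPLE_IMAGE = (
    b"\x7fELF\x01\x01\x00\x00GET /index.html\x00\x00\x13"
    b"Mozilla/5.0\x00\xff\xfe"
    b"xmlset_roodkcableoj28840ybtide\x00\x02\x90"
    b"check_login\x00\x00"
)

# Assumed watch list; tune it for the product being audited.
KEYWORDS = ("backdoor", "bypass", "debug", "secret")


def printable_strings(blob, min_len=6):
    """Yield (offset, text) for each run of printable ASCII, like strings(1)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.start(), m.group().decode("ascii")


def audit_strings(blob, keywords=KEYWORDS):
    """Flag strings that contain a keyword read forwards or backwards."""
    findings = []
    for offset, text in printable_strings(blob):
        lowered = text.lower()
        for word in keywords:
            if word in lowered:
                findings.append((offset, text, word, "forward"))
            elif word in lowered[::-1]:
                findings.append((offset, text, word, "reversed"))
    return findings


if __name__ == "__main__":
    for offset, text, word, direction in audit_strings(SAMPLE_IMAGE):
        print(f"0x{offset:04x}  {direction:8}  {word:10}  {text}")
```

A hit is only a lead for manual review of the code that references the string; a clean result does not show that an image is free of hidden authentication bypasses.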

In Australia, beginning in January 2000, Vitek Boden waged a three-month war against the SCADA (Supervisory Control and Data Acquisition) system of Maroochy Water Services, which resulted in millions of gallons of sewage spilled into waterways, hotel grounds and canals around the Sunshine Coast suburb. It is an interesting case study because not only did the perpetrator cause pumps to not run when they should have been, he also was able to prevent alarms from being reported, further complicating the problem. This example also shows the danger of insider attacks, as Boden was a former contractor of Maroochy Water Services.

Other widely reported exploitations of application layer services include attacks on web-enabled IP cameras and nanny cams, which have notoriously weak security. A quick Google search will reveal multiple reports of successful attacks against web-based security cameras, nanny cams and IP cameras. These vulnerabilities allow unauthorised users to view the video streaming from the camera, allowing them to spy on whatever the camera is set to watch. Even worse, in some cases, they can even instruct the "Camera On" light to not activate, leaving the victim with no indication that they are being spied upon.

System layer attacks
While application layer attacks are prominent in embedded devices, attacks against system layer services are also found. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an advisory regarding Wind River VxWorks TCP Predictability Vulnerability for Industrial Control Systems. Researchers also discovered a remote code execution (RCE) vulnerability in VxWorks. These are both network-based vulnerabilities.

The now well-publicized Chrysler Jeep Hack is another system level attack against an embedded device, this one involving reprogramming the firmware on a vehicle ECU to enable control of the vehicle over the network.

The Heartbleed bug is a vulnerability in the OpenSSL cryptographic libraries that are widely used in embedded devices. Mark Schloesser, a researcher at security firm Rapid7, says it's not clear how widespread similar problems might be, but believes it's safe to assume that "quite a few embedded devices use vulnerable library versions". Given the typically long upgrade cycles for firmware in deployed embedded devices, it is likely that many vulnerable devices still exist in the field, even though a patch has been available since April of 2015.
