The Internet of Things is rapidly turning a new generation of products "smart" by adding computing power, network connectivity and sophisticated software, offering a wealth of possibilities for tech-savvy owners keen to push their devices' capabilities to the limits. And as IoT finds its way into ever more critical environments - from cars, to airlines, to hospitals - the potentially life-threatening cyber security implications must be addressed. Real-world examples have emerged showing how proprietary connected systems relying on outdated notions of 'security-by-obscurity' can in fact be reverse engineered and their chip firmware modified to give hackers complete remote control. The consequences could be deadly.

Embedded systems and connected devices are already deeply woven into the fabric of our lives. They help to fly our planes, dispense life-saving drugs to our loved ones, steer our automobiles, and even operate 'smart rifles'. The only problem is they're not secure. And in this environment, insecurity doesn't just mean data breaches and monetary losses; it could mean actual loss of life. Consider these three examples:

  • Miller and Valasek hacked a 2014 Jeep Cherokee via its Uconnect on-board entertainment system. Finding port 6667 open, they managed to pivot inside via the D-Bus service to rewrite the firmware on the Uconnect head unit in a way which allowed them to send commands through the car's controller area network (CAN) message bus. This allowed them to remotely control steering, brakes and other key functions.
  • Runa Sandvik and Michael Auger demonstrated how the ShotView targeting system on TrackingPoint's Linux-powered rifles could be compromised in a similar way via its Wi-Fi connectivity. By exploiting software vulnerabilities they could prevent the gun from firing or cause it to hit a target of their choosing.
  • The FDA was forced to warn hospitals in July not to use certain models of Hospira's internet-connected drug infusion pumps (the Symbiq, Plum A+ and Plum A+3), after it was demonstrated that they could be remotely hacked.

These examples illustrate how a new approach is needed to secure connected devices, which is exactly what the prpl Foundation is proposing in its new document: Security Guidance for Critical Areas of Embedded Computing. It lays out a vision for a new hardware-led approach based on open source and interoperable standards. At its core is a secure boot enabled by a "root of trust" anchored in the silicon, and hardware-based virtualization to restrict lateral movement.

This guidance should be essential reading for everyone: after all, we all use these embedded computing systems and would benefit from better understanding the security risks and the ways they can be mitigated. But it is also written for all the major stakeholders in the supply chain who deal with security: from the OEMs and SoC manufacturers; to producers of routers, biomedical devices and set-top boxes; to CPE, home entertainment and automotive designers and developers.

The problem with IoT 'security'

All of these systems share the same traits, which make them vulnerable to hackers:

  • They're proprietary - but 'security-by-obscurity' no longer works. Their firmware binaries can usually be found online, or else reverse engineering is possible via debugging interfaces like JTAG and interactive disassemblers like IDA.
  • Their network connectivity is their Achilles heel, allowing attackers to hack them remotely. What's more, the engineers tasked with building these devices often don't have the requisite TCP/IP skills, leading to weak implementations which can leave additional gaps to exploit.
  • The firmware update system in many devices is fatally flawed in that updates are not signed. This means that an attacker could reverse engineer the code, modify it, reflash the firmware and reboot to execute arbitrary code. Those behind the recent Cisco router hack did exactly this.
  • Many allow for lateral movement within the hardware, ignoring the fundamental rule of Security by Separation. At present, the best we can do is processors that offer only two states, 'trusted' and 'untrusted'. But this is too simplistic for our modern world, where a processor may have to keep numerous components separate and secure - from management of biomedical devices, to Netflix streaming, to banking applications.

A new approach

The prpl Foundation proposes a new way to overcome these challenges and engineer security into connected and embedded devices from the ground up. Vendor-led initiatives can be incredibly time-consuming and costly, yet the results are usually not portable across platforms. Under prpl, by contrast, vendors can come together on a common platform, architecture, APIs and standards, and benefit from a shared and more secure open source approach.

It's built on the following principles:

Open source - an end to proprietary security by obscurity and instead a 100% "Darwinist" focus on quality, usability and robustness. Code is becoming increasingly complex so let's get as many eyes on it as possible. And open standards could overcome the dearth of connectivity expertise in the industry.

Secure boot - ensure IoT systems will only boot if the first piece of software to execute is cryptographically signed by a trusted entity. That signature must verify against a public key or certificate which is hard-coded into the device, anchoring the "Root of Trust" in the hardware to make it tamper proof.
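An added example, not code from the prpl guidance or from any vendor: the signature check a boot ROM performs on the first-stage image, written in Go with a constructed image layout and Ed25519 standing in for whatever signature scheme a vendor adopts (the `imgMagic` marker and `hdrLen` are assumptions of this example). It is the same check that the unsigned update paths described above lack: a reflashed image that has been modified fails verification and is never executed.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (not a real vendor format): magic(4) | version(4) |
// payload length(4) | payload | Ed25519 signature(64); the signature covers all of it.
const hdrLen, imgMagic = 12, 0x5052504C // "PRPL" in ASCII, a constructed marker
var ErrBadImage = errors.New("firmware image rejected")

// BuildImage is the vendor-side signing step: header + payload, then signature.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, hdrLen)
	binary.BigEndian.PutUint32(hdr[0:], imgMagic)
	binary.BigEndian.PutUint32(hdr[4:], version)
	binary.BigEndian.PutUint32(hdr[8:], uint32(len(payload)))
	signed := append(hdr, payload...)
	return append(signed, ed25519.Sign(priv, signed)...)
}

// VerifyImage is the boot-ROM side: rootPub stands for the key burned into the
// silicon, and nothing in the image is trusted until the signature checks out.
func VerifyImage(rootPub ed25519.PublicKey, img []byte) ([]byte, error) {
	if len(img) < hdrLen+ed25519.SignatureSize || binary.BigEndian.Uint32(img[0:]) != imgMagic {
		return nil, ErrBadImage
	}
	n := int(binary.BigEndian.Uint32(img[8:]))
	if n != len(img)-hdrLen-ed25519.SignatureSize { // exact length: no truncation, no padding
		return nil, ErrBadImage
	}
	signed, sig := img[:hdrLen+n], img[hdrLen+n:]
	if !ed25519.Verify(rootPub, signed, sig) {
		return nil, ErrBadImage
	}
	return signed[hdrLen:], nil // only now is the payload handed to the next stage
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	img := BuildImage(priv, 1, []byte("stage-1 loader"))
	_, err := VerifyImage(pub, img)
	fmt.Println("genuine image:", err) // <nil>
	img[hdrLen] ^= 0x01 // flip one payload bit, as a reflashed modification would
	_, err = VerifyImage(pub, img)
	fmt.Println("modified image:", err) // firmware image rejected
}
```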

Hardware-assisted virtualization - this will containerize each software element, keeping critical components safe, secure and isolated from the rest and preventing lateral movement. Secure inter-process communication will allow instructions to travel across this secure separation in a strictly controlled mode. This approach improves on current binary approaches where applications are either trusted or untrusted at a processor level, allowing for as many independent, secure guests as possible.

Potentially catastrophic IoT security vulnerabilities are no longer theoretical. The SYNful Knock campaign against Cisco routers that enabled attackers to modify the device's firmware and maintain persistent presence while inside the network has shown us that attackers are already exploiting them to devastating effect. The prpl Foundation hopes this Security Guidance for Critical Areas of Embedded Computing will galvanize industry stakeholders to begin the journey towards a more secure Internet of Things.