Researchers find gaps in IoT security
Researchers from the University of Michigan and Stony Brook University published a paper explaining a novel approach to IoT security challenges (pdf). The researchers pose the question:
“What are the new intellectual challenges in the science of security when we talk about the Internet of Things, and what problems can we solve using currently known security techniques?”
This research approach is very accessible because it uses existing categories and concepts by comparing security methods developed for smartphones, PCs and the cloud to identify the gaps and challenges to IoT security. The IoT stack is defined with the familiar layers:
- System software
- Application layer running custom code
A constrained hardware layer
The hardware layer is constrained by the lower-performance 8- and 16-bit microcontrollers and low-power designs. If Cisco’s IoT estimates of 50 billion devices shipping by 2020 are correct, using today’s technology, the electrical power used by all information communications technology would double, according to Peter Corcoran, Ph.D., of the University of Galway.
IoT device designs are usually powered by microcontrollers, are less powerful and lack hardware security features compared to microprocessors. But they are well suited to IoT devices because applications do not require the computational capability of microprocessors, they consume much less power, and they cost a fraction of a microprocessor.
The simpler architecture of microcontroller hardware makes it challenging to implement established security methods. During fabrication, attackers with access to the design can inject analog components that can flip the microcontroller’s privilege bit to allow malware to be introduced. Many of these devices lack an accurate clock needed for network security. Algorithmic timekeeping methods still in an experimental stage could be a solution.
Most microcontroller designs omit a memory management unit (MMU). This challenges the implementation of process isolation, opening the IoT device to the exploitation of a bug in one process from another process to execute malicious code. This exploitation could load malware or escalate the privileges of an otherwise benign isolated application to execute malicious code.
+ Also on Network World: Armis wants to resolve the IoT security issue +
Computational limits of microcontrollers prevent hardware mechanisms that allow unalterable cryptographic keys to be burned and securely stored. In larger systems, these keys make the device uniquely trusted on a network and capable of a secure boot, with each OS component starting with the bootloader confirming the next module loaded.
There are defenses to these hardware exploits. Low-level hardware verification can be used to certify that a microcontroller does not include components that can be conscripted for malicious purposes. And experimental operating system software has been built to explore a combination of language-based isolation and memory protection to perform analogous process isolation without adding an MMU.
The researchers ran an empirical security analysis of Samsung’s SmartThings IoT platform and found system-level access control could be compromised to execute an elevation of privileges exploit. Privilege elevation would enable a process to read and write to memory or a communications port that would otherwise be restricted or load malware code. Access control properly implemented could protect against an exploit by whitelisting executable code with a unique permanent token.
Information Flow Control
Information Flow Control (IFC) is more easily understood as fine-grained policies that restrict the flow of information. Where should it be possible for data from a self-driving truck or from an Amazon Alexa or Google Home device be routed? These are less well-studied privacy safeguards, according to the researchers.
Smartphones, PCs and the cloud are protected from security flaws with regular updates. For IoT devices, this poses problems. An IoT device that controls a critical network element might have to be taken offline to be rebooted, and the updated device may need to be reverified for safety compliance. Some devices may not have an update method because they are not connected by a network layer that is capable of updates or may not be connected at all.
Many IoT devices do not have the common I/O peripherals for authentication, via passwords, and adding 50 billion devices to password authentication systems that already show cracks in the feasibility may not be the best and most secure methods. Perhaps new design schemes are needed for IoT.
Network layer diversity and constraints
Compared to the internet, the IoT network layer has diverse connectivity and protocols due to the technology’s infancy. Cost and power constraints also pose problems. For instance, Bluetooth (BLE) can scan only for disconnected devices. A BLE IoT device would have to be taken out of service to be connected to another device for another purpose, such as software updates. A partial solution is to repurpose Wi-Fi technologies, adding hubs to the cost and Wi-Fi to the power budget.
Machine learning safety
Machine learning algorithms used to control IoT devices could come under attack by changing the inputs, indiscernible by humans, resulting in unintended consequences. The researchers cited the case of a self-driving car’s camera that was tampered with to produce a yield sign in place of a stop sign.
Unique IoT features adaptable for new security methods
Unique features, such as network anomaly detection, can add security features that would not be possible with larger systems. It is hard to define what normal traffic in TCP/IP networks is with established platforms because of the diversity of traffic patterns and multiplicity of connections. Given the lower volume and the application-specific type of traffic in IoT networks, defining normal traffic and detecting anomalies should be easier.
Also, because many IoT devices control physical devices, there are other channels to correlate correct operation, such as sensing an acoustic pattern of a garage door programmed to close at a specific time.
Smartphone, PC and cloud platforms were delivered with incomplete security defenses that matured over time. IoT device physical control limits the time that IoT systems have to reach robustness.