My Kettle Hacked What?!

 

The Internet of Things (IoT) is growing rapidly, and the number of security incidents involving IoT products even more so [1]. The resulting distrust of IoT products is a major inhibiting factor in the development of the IoT’s social and business objectives of reaching billions of products in the coming years [2].

Industry and regulators worldwide are looking at security testing/evaluation as a possible solution to the security problems introduced by IoT [3], as even the simplest measures addressing security concerns facilitate and accelerate the adoption rate of IoT solutions [4]. Most of these initiatives take a silo approach and look at each and every type of product separately [5] with seemingly different requirements, resulting in the re-evaluation of underlying platforms over and over. Not only is this wasteful, but it will also never scale large enough: there are millions of IoT products [6].

The Risk of IoT Products

IoT products need to protect the important assets they handle [7], such as:

• people’s privacy [8] (e.g. IP cameras),
• access to locations (e.g. connected door locks), and even
• life and limb (e.g. connected cars),

not to mention assets such as pay-for-use features, intellectual property and trade secrets.

Even without these assets, due to their connectivity IoT products still have to protect:

• their privileged connection to the network and services they are connected to [9],
• the passwords they hold [10], and
• the impact they may have on the environment [11].

In other words, IoT product security is important. But it is surprisingly difficult to evaluate.

Even “Simple” IoT Products Are Complex

Although a “simple” IoT product such as a connected kettle [12] may not look very complex, it is in fact an arrangement of several individual hardware and software components providing functionalities such as encryption/decryption, memory management, random number generation, (real-time) operating system, and of course the application that performs the actual functions of the product.
Each of these components is complex in and of itself, with many potential entry points for attacks that might result in subversion of the entire product. This has previously happened with at least one vulnerability in one kettle [12].

Security Is Difficult to Achieve for Product Developers

IoT product development is focused on making a product that performs a function well. It is not focused on security. After all, as customers see their kettle boil water, they do not see a TLS 1.3 secure channel with full X.509 certificate chain verification.
Even if product developers expend effort on security, they rely very much on the security of the underlying platform. And these platforms, too, struggle to show that their security features are really secure.

The Real Issue of IoT Product Security

In theory, all these problems could be solved by more evaluations – many more evaluations. In practice, there will simply be too many IoT products for this to be feasible.

Figure 1: Relation security capability, versus evaluation capacity for IoT Platforms.

Solution to A Big, Difficult Problem: Break It Down into Smaller, Tractable Problems

The sheer volume and diversity of the types of IoT products poses a serious challenge for any approach. The solution is to split IoT products into two layers: a generic platform and a specific application.
The IoT platform and its various components can be thoroughly evaluated by highly skilled evaluation labs with oversight by expert certifiers.
The security of the product can subsequently be built on this solid foundation of the platform and, if necessary, efficiently tested.

Figure 2: IoT products as the sum of IoT Applications and IoT Platform components.

The application developer can then concentrate their development efforts on the specific functionality to be delivered by the application, rather than on providing security. This way, even IoT product developers with a limited understanding of security would be able to deliver secure solutions.

This approach has the following advantages:

• Reduction of overall development and evaluation effort: A thorough understanding of security will need to be present in a few platform companies, rather than tens of thousands of application developers.
• Reuse of evaluation results: The platforms can be reused by many application developers, which means the costs of a deep security evaluation of a platform can be shared by many application developers rather than be borne by a single one.
• Quick security testing of the application: As the security of a total solution will be provided primarily by the platform, the security evaluation of the total solution can be done cheaply and quickly by checking whether the application uses the platform correctly and a quick test of the application itself.

Conclusion

The security of “simple” IoT products can be assured in an affordable and meaningful way by splitting products into applications and platforms and performing security evaluations on the platforms and security testing on the applications.

Other high-risk applications have adopted similar approaches in the past [13]. It is to be expected that IoT platforms will add much-needed security to IoT products [14].

References

1. Alfred NG, “IoT attacks are getting worse -- and no one’s listening”, C|NET, 15 March 2018
2. Harald Bauer, Ondrej Burkacky, and Christian Knochenhauer, “Security in the Internet of Things”, McKinsey & Company, May 2017.
3. “State of the art syllabus”, ECSO, December 2017 - DCMS, “Mapping Security & Privacy in the Internet of Things”, https://iotsecuritymapping.uk, 2018
4. Syed Ali, Ann Bosche and Frank Ford, “Cybersecurity Is the Key to Unlocking Demand in the Internet of Things”, BAIN & Company, June 2018
5. Mike Hogan, Ben Piccarreta, “Draft NISTIR 8200: Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT)”, NIST, February 2018.
   Sanjit Ganguli, Ted Friedman, “IoT Technology Disruptions: A Gartner Trend Insight Report”, Gartner, 15 June 2017
6. Total Installed Base of 25 Billion Endpoint Units in 2021, “Forecast Analysis: Internet of Things — Endpoints, Worldwide, 2017 Update”, Gartner, 27 December 2017, https://www.gartner.com/doc/3841268/forecast-analysis-internet-things-
7. “Looking into the crystal ball: A report on emerging technologies and security challenges”, ENISA, January 2018
8. Security researchers have revealed some IoT devices and connected cars will survive being wiped and may leak sensitive information when exchanged. Source: “IoT devices leak previous owners' data”, February 2017, https://www.iottechnews.com/news/2017/feb/20/connected-cars-and-iot-devices-leak-previous-owners-data/
9. A North-American casino installed a high-tech fish tank as an attraction for its customers. This fish tank used advanced sensors that automatically regulated temperature, salinity and feeding schedules. A hacker gained access to the fish tank and managed to copy 10GB of data from the casino network to which the fish tank was connected. Source: DarkTrace Global Threat Report, 2017, www.darktrace.com
10. Researchers at Virginia Tech University and Dashlane analysts have carried out one of the largest empirical studies on password reuse and modification patterns. After examining a database of over 28 million users and their 61 million passwords, they uncovered an alarming figure: 52% of the users studied have the same passwords (or very similar and easily hackable ones) for different services. Source: “The Next Domino to Fall: Empirical Analysis of User Passwords across Online Services”, March 2018, https://people.cs.vt.edu/gangwang/pass
11. The 2016 Dyn cyberattack took place on October 21, 2016, and involved multiple distributed denial-of-service attacks (DDoS attacks) targeting systems operated by Domain Name System (DNS) provider Dyn, which caused major Internet platforms and services to be unavailable to large swathes of users in Europe and North America. According to business risk intelligence firm FlashPoint and Akamai Technologies, the attack was a botnet coordinated through a large number of Internet of Things-enabled (IoT) devices, including cameras, residential gateways, and baby monitors, that had been infected with Mirai malware. Source: https://en.wikipedia.org/wiki/2016_Dyn_cyberattack
12. https://www.pentestpartners.com/security-blog/hacking-kettles-extracting-plain-text-wpa-psks-yes-really/
13. “EMV Security Guidelines: EMVCo Security Evaluation”, EMVCo, LLC, June 2016
14. Earl Perkins, Ruggero Contu, Saniye Burcu Alaybeyi, “Five Disturbing Trends in IoT Security for 2018, and What You Can Do About Them”, Gartner, June 2018

 

---

 

Dirk-Jan Out is the CEO of Brightsight, the number one security lab in the world with over 180 security evaluators. Dirk-Jan was co-editor of the CC and CEM and supported the setting up of several security schemes. His focus is on improving the time-to-market of CC, payment and IoT security evaluations. Brightsight has over 35 years of experience and is recognized by 9 CC schemes and over 25 other schemes such as EMVCo and PCI-SSC.

 

 

Carlos Serratos, Director Business Development at Brightsight, is a specialist in IoT and compliance. His working experience spans over four continents in the retail, financial and health markets. Before Brightsight, Carlos worked for more than 20 years for Japanese corporations, developing solutions for transaction points and managing projects and workgroups in the areas of fraud prevention and standardization. He is passionate about addressing digital trust as a business enabler to facilitate operations in the digital world.

 

Wouter Slegers is the CEO of TrustCB, the commercial certification body building and operating dedicated certification schemes with predictably short time to certification. Wouter is an IEEE professional member, ACM Senior member, JHAS secretary, and ISCI WG1 subgroup leader. He was instrumental in many of the world’s first certifications of innovative products and is a longtime driver of worldwide methodology and scheme improvements, all keeping high assurance at ever shorter times to certification. His motto for these approaches is “trust and verify”.