Based on materials from android-softwares.com
The concept of the 'Internet of Things' (IoT) is no longer exotic to any of us. The topic invariably provokes a great deal of discussion. Some even call the Internet of Things the next revolution after mobile, while others say, on the contrary, that there is more noise here than real benefit. The truth, as usual, is somewhere in between. But one thing is certain: the number of devices connected to the Internet is growing, and growing rapidly. Previously it was only computers (desktops, servers and laptops), but now almost every device has at least the potential to go online. From cars to door sensors, it is hard to list everything that can connect to the Internet these days.
According to research, by the end of 2016 there were already over 6 billion devices on the network, and by 2020 the figure is expected to reach 20 billion. Why are they connected to the Internet? So that they can send information to the cloud, where it can be processed and used for different purposes. Want to control your kettle from your phone? As easy as pie. Looking to equip your home with cameras so you can keep an eye on it while you're away? As you wish!
However, there is one problem with all these connections. Communication takes place in both directions. If the device can send data to the cloud, then the cloud can also talk to the device. This is where the roots of the security problem lie. If an attacker can gain control of the devices, chaos will inevitably ensue. Is this the key flaw of the Internet of Things?
We saw something similar recently when cybercriminals launched a DDoS attack on Dyn, the DNS provider for Twitter, SoundCloud, Spotify, Reddit and others. The point of a DDoS attack is to disrupt the functioning of Internet services so that users cannot access them. This frustrates users and means potential financial losses for the websites. Such attacks are possible because they use numerous (thousands, even tens of thousands of) computers around the world that are coordinated to perform a single action. Usually these are desktop PCs running Windows that have been infected with a virus. At a certain time the virus is activated, and the computer joins a botnet: a network of remote computers that carry out the attack.
DDoS attacks are nothing new, and the mechanism described is familiar even to people far from the intricacies of the computer world. However, there was something very special about the attack on Dyn. It was carried out not by PCs, but by connected devices such as security cameras and networked storage devices. According to security expert Brian Krebs, a new virus was recently developed that scans the network for devices belonging to the Internet of Things and tries to connect to them. If access to them is easy, for example using the factory login and password, the virus connects and downloads its malware onto the device.
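The scanning behaviour described above leaves a recognisable trace on the device side: a single source address trying one factory account name after another in quick succession. The following detection routine is an added example, not code from the original article or from any product it mentions; the log format, the list of factory account names and the sample log lines are all constructed for illustration. It flags any source that fails logins against at least `threshold` factory accounts within a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Factory account names to watch for (constructed list for this example).
DEFAULT_ACCOUNTS = {"admin", "root", "user", "guest", "support"}

# Matches the syslog-style auth lines used below (constructed format, not any vendor's).
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<svc>\w+)\[\d+\]: "
    r"(?P<result>FAILED LOGIN|ACCEPTED LOGIN) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) for (?P<user>\S+)$"
)

# Constructed sample: one source sweeping factory accounts, one legitimate user with a typo.
SAMPLE_LOG = """\
Nov 21 10:00:01 cam01 telnetd[311]: FAILED LOGIN from 203.0.113.5 for admin
Nov 21 10:00:03 cam01 telnetd[311]: FAILED LOGIN from 203.0.113.5 for root
Nov 21 10:00:04 cam01 telnetd[311]: FAILED LOGIN from 203.0.113.5 for user
Nov 21 10:00:06 cam01 telnetd[311]: FAILED LOGIN from 203.0.113.5 for support
Nov 21 10:00:09 cam01 telnetd[311]: FAILED LOGIN from 203.0.113.5 for guest
Nov 21 10:05:30 cam01 sshd[420]: FAILED LOGIN from 198.51.100.7 for alice
Nov 21 10:05:41 cam01 sshd[420]: ACCEPTED LOGIN from 198.51.100.7 for alice
"""


def parse_auth_line(line):
    """Return a dict of fields for a recognised auth line, or None for anything else."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    # No year in syslog timestamps; only differences between timestamps are used.
    event["ts"] = datetime.strptime(event["ts"], "%b %d %H:%M:%S")
    return event


def find_credential_sweeps(log_text, threshold=3, window=timedelta(seconds=60)):
    """Map source IP -> summary for every source that failed logins on at least
    `threshold` factory account names inside any `window`-long interval."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_auth_line(line)
        if event and event["result"] == "FAILED LOGIN" and event["user"] in DEFAULT_ACCOUNTS:
            failures[event["ip"]].append(event)

    alerts = {}
    for ip, events in failures.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "attempts": len(events),
                    "accounts": sorted({e["user"] for e in events}),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in find_credential_sweeps(SAMPLE_LOG).items():
        print(f"credential sweep from {ip}: {info['attempts']} attempts on {info['accounts']}")
```

On the sample input only 203.0.113.5 is reported; the single failure from 198.51.100.7 is against a non-factory account and never reaches the threshold. On a real device the same routine would feed an alert or a temporary block of the source address.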
So we have arrived at the root of the problem. Too many connected devices (millions!) use default logins and passwords for access over the Internet. All those endless admin/admin or root/root pairs. The reason is simple: inadequate software. One of the important conditions for the growth of the Internet of Things market is low cost and availability of devices to consumers. Internet connectivity is a selling point, perhaps just a bell or whistle, but a unique proposition at the same time. However, adding this functionality should not be limited to running Linux (or an RTOS) on a processor and then bolting on web services. The right thing to do is to make these devices secure. Getting security right is not difficult today, but it does mean additional cost. The folly of the short-sighted approach is that neglecting security can make a product cheaper, but in many situations it ends up costing more.
Take the Jeep Cherokee as an example. Charlie Miller and Chris Valasek carried out a famous attack on the Jeep Cherokee, exploiting a vulnerability in the remote control of some functions. They drew the company's attention to the existing problems, but Jeep simply ignored them. What Jeep actually thought of Miller and Valasek's study remains a mystery, but no consistent action was taken. When the details of the attack were made public, the company was forced to recall more than a million vehicles to fix a software vulnerability, which cost it billions of dollars. If the software had been done properly from the start, it would have been much cheaper.
And if we go back to the IoT devices that were used to attack Dyn, in that case the cost of the security mistakes was borne not by the manufacturers, but by companies such as Dyn, Twitter and others.
Internet of Things security – a must-have list
In light of the attacks described, and given the current deplorable state of security in the first generation of IoT devices, it is important that designers of such devices take the following points into account:
- Authorization – under no circumstances should you ship a product with a default password that is the same for all devices. Each device must have a complex, randomly generated password that it receives during production.
- Debugging – never leave any debug access on a production device. Even if you are tempted to leave access open on a non-standard port behind a complex, hard-coded, randomly generated password, that password will eventually be discovered.
- Encryption – any communication between an IoT device and the cloud must be encrypted. Use SSL/TLS wherever possible.
- Privacy – you must make sure that no personal information (including, for example, Wi-Fi passwords) falls into the hands of an attacker who gains access to the device. Stored data must be encrypted, and stored secrets such as passwords must be salted.
- Web interface – any web interface should be protected from standard hacking techniques such as SQL injection and cross-site scripting.
- Firmware Updates – bugs are part of the harsh reality, and often they are merely unpleasant, nothing more. But security bugs are very bad and even dangerous. Therefore all IoT devices must support over-the-air updates, and these updates must be verified before being sent to devices.
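Three of the points above (per-device random passwords issued at production, salted storage of credentials, and verification of update images) can be shown together in one small provisioning flow. The code below is an added example written for this article, not code from the original page or from any IoT platform it names. It assumes a Python environment on the provisioning side; the PBKDF2 round count is an assumed value to be tuned to the device's CPU, and firmware verification uses an HMAC tag under a per-device key as a simplified stand-in for the asymmetric signature a real update pipeline would use (with that scheme the device would hold only a public key).

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # work factor for credential hashing (assumed value; tune per device)


def generate_device_password(nbytes: int = 18) -> str:
    """Fresh high-entropy password, generated once per unit on the production line."""
    return secrets.token_urlsafe(nbytes)


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Salted PBKDF2-HMAC-SHA256 record; the device stores this, never the password itself."""
    salt = salt if salt is not None else secrets.token_bytes(16)  # fresh salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest, "rounds": PBKDF2_ROUNDS}


def verify_password(candidate: str, record: Dict[str, object]) -> bool:
    """Recompute the hash for a login attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["rounds"]
    )
    return hmac.compare_digest(digest, record["hash"])


def provision_device(serial: str) -> Tuple[Dict[str, object], str]:
    """Factory step: returns the record flashed to the device and the password printed on its label."""
    password = generate_device_password()
    update_key = secrets.token_bytes(32)  # per-device key for update checks (assumed scheme)
    record = {"serial": serial, "credential": hash_password(password), "update_key": update_key}
    return record, password


def tag_firmware(image: bytes, key: bytes) -> bytes:
    """Tag computed by the update server before an image is sent out (HMAC stand-in)."""
    return hmac.new(key, image, hashlib.sha256).digest()


def verify_firmware(image: bytes, tag: bytes, key: bytes) -> bool:
    """Device-side check: install only if the tag matches the received image."""
    return hmac.compare_digest(tag_firmware(image, key), tag)


def demo() -> Dict[str, bool]:
    """Provision two units and exercise the checks; every value should be True."""
    rec_a, pw_a = provision_device("SN-0001")
    rec_b, pw_b = provision_device("SN-0002")
    image = b"firmware v1.1 (constructed sample image)"
    tag = tag_firmware(image, rec_a["update_key"])
    tampered = image.replace(b"1.1", b"1.2")
    return {
        "distinct_passwords": pw_a != pw_b,
        "login_ok": verify_password(pw_a, rec_a["credential"]),
        "default_rejected": not verify_password("admin", rec_a["credential"]),
        "cross_device_rejected": not verify_password(pw_b, rec_a["credential"]),
        "firmware_ok": verify_firmware(image, tag, rec_a["update_key"]),
        "tampered_rejected": not verify_firmware(tampered, tag, rec_a["update_key"]),
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```

The two things worth noticing are that the device never stores the password, only the salted slow hash, so a dump of its flash does not hand an attacker a reusable credential, and that every comparison goes through `hmac.compare_digest` so that a mismatched byte does not leak timing information.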
You might think that this list is only for IoT device developers, but it is not. Buyers can play a role too, by refusing to buy products that do not offer a high level of security. In other words, don't take IoT security for granted.
There are solutions
The first reaction of many IoT device developers (and possibly their managers) will be the logical belief that all this security will entail additional costs. Yes, it will, but, as mentioned above, the alternative can be much worse.
There are three ways to create an IoT product based on a popular microprocessor or microcontroller such as the ARM Cortex-M or ARM Cortex-A line. Security can be built in assembly code; nothing prevents you from choosing that route. But it may be more efficient to use a higher-level language such as C. So the second way is to write C on bare metal, which means that you control everything from the moment the processor boots. You will have to deal with all interrupts, I/O operations, network connections and so on. This is possible, although it requires significant effort.
The third way is to use a Real Time Operating System (RTOS) and the ecosystem that supports it. There are several options to choose from here, including FreeRTOS and mbed OS. The first is a popular third-party OS that supports a wide range of processors and boards; the second is an ARM platform that offers more than just an OS and includes solutions for many different aspects of the Internet of Things. Both options are open source.
The advantage of the ARM solution is that the ecosystem includes not only software for IoT developers, but also solutions for device deployment, firmware updates, encrypted communication, and even server software for the cloud. There are also technologies such as uVisor, a standalone software hypervisor that creates independent secure domains on ARM Cortex-M3 and M4 microcontrollers. uVisor increases resistance to malware and protects against leaks even from one part of an application to another part of the same application.
Conclusion
The key to IoT security lies in two areas: the mindset of developers needs to change, and at the same time consumers need to be educated about the dangers of buying unsecured devices. Security technologies already exist and there are no barriers to using them. For example, in 2015 ARM bought the developer of the popular encryption library PolarSSL simply to make it free on mbed OS. Secure communications are now part of mbed OS and are available free of charge to any developer. What more could you ask for?
In a world where billions of devices will be connected to the Internet, and therefore in a certain sense connected to us, we must be able to trust that the devices of the Internet of Things will become secure.