Last Updated on March 22, 2022
The Internet of Things (IoT) has basically become “all the things on the internet”—everything from sensors to smart door locks to biomedical equipment to smartphones to you-name-it. Every one of these billions of IoT devices is part of an “ecosystem” that connects it to one or more other things (often through software) so that it can do its job.
That’s a pretty darn big cyber-attack surface. If you’re a product engineer working for an IoT device manufacturer, where should you focus your efforts to help improve the security of a device?
On a recent episode of The Virtual CISO Podcast, our special guest was the well-known hardware hacker Joe Grand, also called Kingpin. Joe shares a wealth of knowledge about what makes devices vulnerable and how to think about securing them. The show’s host is John Verry, Pivot Point Security CISO and Managing Partner.
Using our tools against us
Joe notes that even the hardware design process leaves hand-holds for hackers: “From a product level or a board level, there are a lot of things to worry about. Basically, the key thing is that anything a design engineer is using on the board to make it easier to design, test, manufacture or repair a device can end up being useful from an attack perspective as well. A lot of hardware hacking is taking advantage of things like test points, which are little connections on a circuit board to make it easier to take measurements of critical signals. Anytime an engineer puts a test point on the board, that’s a signal that the engineer needs to get for some reason. So, an attacker will go after any signal like that.”
Debug interfaces that let designers read and write memory and single-step through code and change parameters and registers are another convenient access point for hackers. All these kinds of interfaces are essential for designing, manufacturing and testing the device, and getting rid of them after the fact is time consuming and costly.
Another challenge is that most of the peripheral chips that engineers can use in typical devices don’t support things like on-the-fly encryption. This makes the whole embedded system vulnerable to snooping at the chip level, similar to how Wireshark can look at network traffic.
Of course, knowledgeable hardware hackers with physical access to a device can “reinsert” debug chips and test points, or even just take the chips off the board and play around with the inter-chip communications protocols on a generic “bread board.” Building chip-level encryption and other security measures is a lot harder and more expensive. Often cost and time-to-market become limiting factors.
What about tamper-resistant packaging?
Is ruggedized physical packaging, such as so-called “tamper-proof” packaging, of any value in securing IoT devices? For example, in some scenarios disrupting the packaging renders the device inoperable. On the downside, some manufacturers leave debug ports intentionally exposed through the packaging layer.
“That’s a hard question because this also costs money and it also depends on the threat or what you’re trying to protect,” Joe states. “What comes to mind is I recently broke into a cryptographic hardware wallet that had $2 million of cryptocurrency on it. Eventually, we’ll go public with some of that information, but that was advertised to have an anti-tamper mechanism or a physical security mechanism, which was an ultrasonically welded case. If you open that, that’s going to leave an obvious visual indication that it’s been opened, which might be a good piece of security if it’s a device in an installation that’s constantly being checked. But it didn’t prevent me, the attacker, from getting to the circuitry.”
“Some of the common stuff we see are security mechanisms that slow down the attack,” adds Joe. “This sometimes gives people a false sense of security because they say, ‘Oh, we have anti-tamper—we have epoxy covering the components to make it really hard to get to.’ But those aren’t true security features. Those are just some physical prevention. So, I wouldn’t rely on them, but they may be a good step depending on what your real worry is.”
Taking a risk-based approach
John advises taking a risk-based approach to securing IoT: “You want to make the fence high enough that it’s not worth it to the malicious individual to take the time to scale it. Like, a crypto wallet that contains $2 million, I’m going to be merciless in my pursuit of getting into that device. If I have the ability to screw with the farmer next door and mess up the watering of a half-acre of lettuce, I’m not going to invest much time in it.”
“I do think you have to be very cognizant of the risk, and what you’re protecting against,” John stresses. “I think in some cases these barriers aren’t definitive, but slow [the attack] down to a point where it’s a good strategy.”
“If they’re implemented properly,” Joe counters. “I’ve seen devices that are protecting chips, but then right next to it they have an open footprint that isn’t protected that connects to the same bus. Unless you’re thinking about the entire attack process, just spotting some epoxy on something or implementing a switch isn’t really going to stop anybody.”
“Security all comes down to making the attack sufficiently hard or time-consuming or expensive where it’s not worth it,” summarizes Joe. “With IoT devices, though, you might only need physical access, say, to one device. But now you have some piece of information that you can use as a stepping-stone into a larger network. Then that makes that effort worthwhile.”
“That’s really the whole… I guess you’d call it risk management or threat modeling,” Joe restates. “You have to threat model, as an engineer. But unless the people you’re trying to convince understand the problems, it makes it really hard. You need to not only have your engineers understanding security, but also then your management needs to understand what the risks are. Everybody up the chain needs to really understand the entire landscape of their devices, either from the design perspective or what they’re implementing in their own environment from other people.”
To hear this thought-provoking podcast with Joe Grand all the way through, click here: https://pivotpointsecurity.com/podcasts/ep-75-joe-grand-how-hardware-hackers-exploit-iot-vulnerabilities/
Looking for more expert guidance on IoT security? We recommend this recent podcast: https://pivotpointsecurity.com/podcasts/ep32-aaron-guzman-john-yeoh-how-iot-is-shaping-the-future-of-cybersecurity/