Last Updated on March 24, 2022
In response to widespread concern about the Internet of Things (IoT) security, various guidance and legal statutes have emerged. These include comprehensive standards from trusted sources like OWASP, ENISA and the Cloud Security Alliance (CSA), as well as groundbreaking laws like California’s SB 327 mandating the most basic IoT device security.
But is more guidance better? Or do more standards just create confusion in the marketplace?
On a recent episode of The Virtual CISO Podcast, hardware hacker Joe Grand (aka Kingpin) shares his view on the value—and downsides—of today’s IoT security guidance. The show’s host is Pivot Point Security’s CISO and Managing Partner, John Verry.
False sense of security
Joe states upfront that he has “mixed feelings” about all the IoT security guidance that’s out there.
“It gives people a false sense of security,” Joe states. “From a positive perspective, all these different lists of recommendations are good, because if somebody doesn’t understand security—or even if they do—and they need to know what the most important things to protect are, that’s good. Having lists is better than not knowing how to approach the problem.”
“But implementing what is recommended is extremely hard,” Joe continues. “Even something like FIPS 140-2, which is a really common security standard for cryptographic devices. You have common criteria as well. And those are basically checklists of things: you need a certain level of physical security, certain encryption of data at rest and blah, blah, blah—which are great to strive for. But there are a lot of devices that claim to have passed the FIPS 140-2 evaluation that are still vulnerable, because humans are still implementing the stuff. If a human says, ‘Okay, I need to encrypt some data,’ but they don’t understand how to properly store the key, or they’re still using a general purpose microcontroller and storing a key in some accessible area of memory, they’re still following the standard and doing things properly and they can check it off their list. But it’s not implemented in a secure way to prevent an attack.”
Securing IoT is hard
“There’s lots of different guidance, and using those as a starting point is good,” relates Joe. “But really verifying that you’ve implemented it right, that’s the hard part.”
“The thing I think we’re going to see is more and more products that say, ‘Buy us, we’re secure, we’ve passed this test,’ but it doesn’t really, from a hacker perspective, mean they’re secure,” Joe adds.
But isn’t a device that claims to pass a test better than a device created by people who didn’t even know there was a test? Maybe. It all depends on the implementation.
In John’s view, at least having open, trusted guidance like OWASP ISVS or the CSA IoT Security Controls Framework “raises your floor.”
Joe agrees that applying standards probably reduce the attack surface: “If you can get rid of all the ‘low-hanging fruit’ that is really easy to pick off, either from a network level, application level, software level, firmware level, or hardware level, that’s probably going to be better than your competitor, and it might be slightly harder to break. But don’t blindly rely on certifications and don’t think that you’re going to be more secure because you’ve done those things. Just be aware that you could possibly still be compromised.”
Likewise, for those implementing IoT solutions, don’t just blindly trust what a vendor is claiming. You’ll still need some validation that your overall implementation is secure.
Click here to listen to this provocative podcast episode with Joe Grand: https://www.pivotpointsecurity.com/podcasts/ep-75-joe-grand-how-hardware-hackers-exploit-iot-vulnerabilities/
Want some comparative guidance on IoT security standards, including their key strengths and how they’re designed to be used? This blog post is a great starting point: https://www.pivotpointsecurity.com/blog/owasp-isvs-vs-csa-iot-security-controls-framework-which-to-use-when/