IoT Security Just Went Mainstream
First, the good news: it just got much easier to explain IoT and IoT security to your grandparents. The bad news is that <stuff> just got real.
Earlier this week, we read an article on how Charlie Miller and Chris Valasek took over a Jeep Cherokee's controls remotely while sitting in Miller's basement, ten miles away from said SUV... on a highway! Miller and Valasek not only toyed with the air-conditioning and windshield wipers, but also cut the acceleration! As a result, this morning Chrysler issued a voluntary safety recall to update the software in over 1.4 million vehicles.
Issues like this are disconcerting, but we all know this is just the beginning. Products, including automobiles, have to incorporate security from the first stage of product development - the very start of the design phase. The ONE rule in security is that it always evolves. OEMs, software designers and hardware developers have to design with security in mind. These groups have to understand where their implementations are sourced from, including the basic cryptographic operations in the software design, and how the product architecture is designed to evolve. While hiring a penetration-testing firm to provide a success report is smart, it remains largely insufficient unless the products are built with embedded security that evolves with the architecture.
Mocana recommends answering the following basic (but critical) security questions when designing a product, whether it’s a toaster or an automobile:
- How is the device's internetworking segmented? What is authorized to access what?
- Can this device be tampered with? What are the potential security holes?
- How can the team ensure security updates? How are these updates authenticated? How are they decommissioned?
- How will these devices connect for secure network services?
- How will the device handle the authentication of third-party data? For example, how will I stay assured that this is a real map?
Without appropriate attention, funding and authority in these organizations, such life-threatening product flaws are bound to recur! C-level executives need to reassess how their organizations are set up to ensure a cross-organizational strategy to assure security before the product is made available for public consumption.
Mocana has built security libraries and solutions to secure the Internet of Things (or M2M devices, as was the term of yore). Mocana's KeyROM, in particular, offers security controls to automakers, such as the ability to "lock down" all communications (Bluetooth, Wi-Fi, radio, etc.) to devices, unless it is trusted/signed with the right security certificates.
More details from the principals are expected at BlackHat next week. While you're there, stop by our booth #122 to talk to our team, which will showcase KeyROM, among our other IoT solutions.