Security, Standards & Laws for the Internet of Things

We have written about vulnerabilities in IoT devices before. There are several factors that work to the advantage of anyone seeking to compromise the confidentiality, integrity or availability of such devices: the lack of standards or (legal) regulations as well as the lack of update facilites in many devices.

 

It is a fact that more often than not, security falls by the wayside during the product development process. In other cases, announced features are initially omitted, to be added later, as soon as they are finished. Cynics may speak of “bananaware” which matures either en route or after sale – just like bananas, hence the name. Whenever a security issue is discovered, some effort is made to relieve the problem – until the next one rears its head. It has been said many times before: security needs to be part of the development process. It cannot be added later on once the development is already two thirds of the way complete. The entire issue is not limited to the software side of a product but the hardware as well.

More power

The key to making the Internet of Things possible is inexpensive computing capabilities with low power consumption. There are plenty of off-the-shelf components that are used which fit those requirements. Custom chips are only used if no other practical means of achieving a certain functionality is available.  Many devices that can be bought today do not have microprocessors (otherwise known as a CPUs), but microcontrollers instead. Most CPUs that we are familiar with are multipurpose devices that can perform a wide variety of tasks and have lots of computing power. Using a CPU would just be too wasteful and expensive in an IoT application. In contrast to this, a microcontroller that you would find in a smart thermostat or a refrigerator has a limited amount of computing capability, because it only needs to perform a handful of functions. Using low-powered hardware of course makes devices more affordable for customers, but for interconnections and true “smartness”, a lot of computing power is required – this is where cloud platforms come into play. The devices in our homes and in our pockets are no more than input and output devices of a cloud platform that users have no direct control over. We will get into more detail about this later in this article. Other than just being an inexpensive alternative to a full-fledged CPU, microcontrollers also lack some security features that are present in modern CPUs – and even on modern CPUs hardware security is not without its share of problems.

Less security

Process isolation makes sure that certain memory areas are inaccessible to other processes. This ensures that system processes remain stable and cannot be tampered with easily. On the hardware side, this is achieved (among other things) by using a Memory Management Unit, or MMU for short. In simplified terms, an application needs to ask the MMU first before being able to access an area of memory. In microcontrollers, this MMU is often missing.  The lack of an MMU is not the only issue that potentially compromises security. With the time-to-market in the consumer market getting ever shorter, manufacturers struggle to secure their platforms properly and the lack of certain security features in the hardware itself does little to make the job easier.
To make life even more difficult, adding security often compromises performance and/or the “user experience”. This mix makes for a delicate balance which tends not to be in favor of security. In theory, all it takes to elevate privileges is flipping one bit in a specific memory area. In offline applications with no network connection at all this would not be a cause for major concern, but when adding a susceptible device to a network, it is definitely a reason to start worrying. Never connecting an IoT device to any network would theoretically address the issue, but it would also defeat the purpose of those devices.