SAN FRANCISCO — The Internet of Things, along with everything else, is insecure. The U.S. government wants to help with that and other security problems — if you still trust them.
Those were two of several messages from the annual RSA Conference here.
“We have a long way to go in IoT security just to bring designs up to the not-yet-adequate state of PC security,” said Steve Hanna, co-chair of the IoT committee at the Trusted Computing Group (TCG), an industry alliance that has been setting security standards for nearly a decade.
Hanna was one of a handful of experts who gave a half-day seminar at RSA. They demoed ways cost-constrained embedded systems could adapt the group’s approach to providing a hardware-backed root of trust, something well established in x86-based PCs and servers.
“Without hardware security, IoT devices are as vulnerable as PCs were 15-20 years ago, perhaps more so because they only use software security and it’s rarely updated, so it’s pretty easy to attack and control a device,” said Stacy Cannady, the other IoT committee co-chair and a security expert at Cisco Systems.
Other experts such as Adi Shamir, the ‘A’ in the RSA algorithm, agreed. He noted the recent phenomenon of ransomware, in which remote hackers lock up someone’s device and demand a ransom to fix it.
“Think about your smart TV being ‘ransomwared’ and you have to pay someone in Moldovia to get your service back,” Shamir said. “We failed in a particularly miserable way because there is no good security program to protect from ransomware…and it’s a very serious problem. Police in Maine had to pay $300 to get police computers released from scam artists,” he added.
Shamir’s lab at the Weizmann Institute of Science in Israel is conducting experiments to find security flaws in IoT devices. For example, it found a WiFi router gives a home LED lighting system its password in an unencrypted form. “Anyone who listened in gets the password,” said Shamir in the cryptographer’s panel, an annual highlight of the event.
What’s more, Shamir’s group was able to write an app to break in and control the LED lighting system remotely. “It lets us rapidly change the amount of light even inside a secure perimeter, so we can leak information by flickering the lights and anyone sitting outside will get the information — I hope the NSA will not install these lights,” he joked, in a reference to the U.S. National Security Agency.
Another member of the cryptographer’s panel, Ed Giorgio, spent 30 years working for the NSA helping it find ways to make and break codes. Some of his projects involved IoT-like designs.
“We tried to build constrained devices of about 100 flip-flops and 10 or so adders that ran cryptographic codes,” he said in a Q&A after the panel. “They found ways to break them, so we revised the designs until they got too big,” he recalled.
To help lock down commercial IoT devices, the TCG is writing profiles of its specs for specific classes of IoT devices. It already released a profile for car engine controllers. TCG’s embedded and mobile working groups are expected to publish profiles of their own later this year.
The group released at RSA a technical white paper on securing IoT devices. It is working on another paper aimed at managers, intended to convince them to spend the time and money (less than a dollar per node) to add a root of trust.