September 11, 2015

Our Focus- IoT Security


In today’s rapidly advancing consumer space the so called “Internet of Things” or IoT currently occupies centre stage and the term seems to have gone viral, so aside from a rather poorly thought out acronym, what does the IoT mean for consumers and in particular the security of their data?

In the mad frenzy to jump on the IoT band waggon devices are being designed, manufactured and launched into the market in record time, but how robust are these devices and have corners been cut? We suspect the answer is somewhat mixed and unsatisfactory.

What mechanisms are deployed to prevent an remote attacker gaining access to devices in the consumers home? We have all seen the scare stores in the press, with smart TV cameras, baby monitors and the like being accesses remotely by hackers on the other side of the world. In many such cases the vulnerabilities exploited have been down to sloppy mistakes made by the manufacturer, for example the use of default passwords and open debug services that are left running. Such issues can be mitigated through correct software security implementation and its configuration. However there are cases where software security alone is not sufficient and there is a need for an embedded hardware root of trust.

Such cases arise when a device is deployed in a context where it can be physically accessed by one party but contains assets belonging to another. Two classical examples of this are PayTV receivers and automotive systems. A pertinent IoT example is a smart metering system where the meter may be at risk from physical tampering by an end consumer seeking to obtain free energy. Further, whenever a manufacturer wishes to prevent a device from being re-purposed or its software from being copied, then again, there is a need for underlying hardware protection.

In building such a system, IoT or otherwise, the same principles apply. It is not sufficient to rely solely upon software protection, the system must be founded on a secure underlying hardware platform that provides the means to secure both the software and the assets. At ESS we have a solid track record in defining such systems and can provide the expertise needed.