Designer! Do not forget security in your IoT system
Suddenly the central heating is switched off and a Finnish block of flats starts getting colder. A random service denial attack from China brought the central computer of the building automation to its knees.
The block of flats made a lucky escape. But what if the target was a hospital, an industrial site or a central part of the infrastructure? Or a smart building, or a branch of an enterprise?
”The threat is definitely not an exaggeration. IoT is part of everyday life for all people and businesses. Still, IoT security often has serious shortcomings, even very basic errors”, wonders cyber security specialist Harri Susi. He runs a software testing team at Etteplan’s Espoo office.
The threats are versatile and criminals are constantly developing new ways to exploit the security gaps.”An IoT device can be harnessed into a part of a bot network that performs denial-of-service attacks. The device can be harnessed, for example, to mine bitcoins. At its worst, a poor IoT device is a soft route to enterprise infrastructure and critical information systems. A backdoor can be used for example for attacks with ransomware”, Harri Susi warns.
Careful design and testing guarantee security
The biggest problem, according to Harri Susi, lies with attitudes.
”Surprisingly many designers take security lightly. At the last minute, they barely remember to close the unnecessary IP ports from the system’s production version”, Harri Susi wonders, shaking his head.
”It’s worth taking a data security specialist on-board already in the design phase of a project. Comprehensive security testing and a secure remote update mechanism of the embedded software are the two crucial items to remember”, Harri Susi reminds.
Harri Susi lists three basic data security requirements for any designer to keep in mind:
Confidentiality. Confidential information must remain secret for outsiders. Sensor measurement data shall only end up where it is intended.
Integrity. Data must remain unchanged, for example in case of a ’man in the middle’ attack.
Availability. The system must tolerate for example denial-of-service attacks.
Tosihack - competition for hackers
Tosibox is a Finnish data security product manufacturer. Tosibox products are used for establishing effortlessly a secure and fast connection to an enterprise system, control system or a measurement sensor from virtually anywhere.
Tosibox, Etteplan and Turkusec Associaton organize a hackathlon event called Tosihack in Turku on Saturday, February 3 2018 from 11am to 6pm.
”We invite experienced data security investigators to compete on which team finds the worst bugs within the device being tested. The discoverers of vulnerabilities and data security issues will be rewarded generously”, promises Harri Susi.
Tosibox will deliver the devices to be tested. Any means are allowed, including jtag debuggers and soldering irons. The organizers will provide food, refreshments and a nice party after the competition.
Both data security students and professionals are expected as participants. The jury consists of Mr Harri Susi and Mr Arto Kangas from Etteplan and Mr Jari Tenhunen, the CTO of Tosibox company.
Harri Susi, Cyber Security Specialist, Etteplan, Espoo
Arto Kangas, SW Embedded Specialist, Etteplan, Turku
Jari Tenhunen, CTO, Tosibox