"Security Inside: Setting Your IoT Devices Apart from the Competition" by David Dewhirst


From the ThreeTwelveCreative Blog by David Dewhirst:

‘Earlier this week I spent some time talking with Terry Dunlap, founder and CEO of Tactical Network Solutions in Columbia, Maryland about what he views as a potential tsunami building on the IoT / M2M horizon: The susceptibility of the vast majority of IoT devices currently on the market to attacks aimed at their vulnerable embedded firmware.

With an estimated 87% of IoT device OEMs yet to implement any kind of security on their embedded firmware, tsunami is probably an apt description of the potential devastation that could occur following an attack on connected devices in our increasingly connected world. What that devastation might look like is as varied and broad as the IoT ecosystem itself. Consider, for example, a vulnerability discovered in some implantable heart devices that could have allowed hackers to remotely control a target’s defibrillator or pacemaker; or the My Friend Cayla doll that’s recently been banned in Germany (the opposite of Hasselhoff!) because it’s susceptible to hacking as well as being capable of surreptitiously streaming audio to remote servers; or the December 2015 attack that took down the Ukrainian power grid for hours through a sophisticated attack that, among much else, “overwrote firmware on critical devices at 16 of the substations” of the grid.

In the case of the implanted heart devices no one has been injured or killed, and although issues still remain with the implants themselves the U.S. FDA considers that the highest-risk vulnerabilities in the attendant transmitter units have now been patched by the manufacturer. We’re fortunate in that regard, but the fact of the matter is it’s only a matter of time until the next, potentially fatal security failure is exploited: The growing ubiquity of connected devices in IoT and M2M applications is a huge opportunity for those who would inflict physical or financial harm.

What’s particularly galling, according to Terry Dunlap, is that cybersecurity risk exposure through unsecured embedded firmware is a problem that’s already been solved.

“Embedded firmware is vulnerable to the very same hacks, like buffer overflow attacks, that we identified and fixed years ago in desktop applications,” says Dunlap. “We can fix this in embedded firmware right now; we have the tools to analyze and correct these things. But in their haste to go to market, most connected device manufacturers simply don’t want to take the extra time.”

Successful hacks and exploits are costly in both the societal and financial sense. According to an analysis by Cybersecurity Ventures, cybercrime will cost the world more than $6 trillion by the year 2021 — a rise in cost that aligns, not coincidentally, with the upwardly-curving growth in connected IoT and M2M devices. And companies that are sacrificing long-term security for the short-term gains of getting to market marginally faster are just kicking the can down the road.

I’ve written a few times already about the opportunities that underserved niches in the IoT ecosystem present, and about the possibilities inherent in Industrial Internet of Things (IIoT) analytics, for example. But if the opportunities for cybercrime are growing because most devices have not been properly secured, a huge opportunity also exists on the flip-side of the cybersecurity coin: If the embedded firmware on the device you’re taking to market is properly secured, you have a built-in differentiator that sets you apart from the majority of similar devices being fielded by your competitors.

Think about the competitive advantages that affords. Think about the value proposition your device offers when it’s secure out of the box, and won’t need to be recalled or patched. Think about how your selling into sensitive industries like the financial and medical sectors might be made easier if you can say upfront that you’re not going to have to do an OTA update on someone’s heart implant.

Think about the opportunities to own your segment when you’re the only OEM to offer “Security Inside,” and you’re sitting in that sweet place of having no one who competes with you on that front, because nearly 90% of OEMs are not currently securing their embedded firmware. 

And lastly, if you want to use the value proposition of properly secure embedded firmware in your devices as a differentiator, do it now — securing your firmware is neither terribly difficult nor terribly expensive, and it won’t be long before security becomes simple table stakes instead of a unique value proposition.

The time to move is now — let’s get moving.’
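Dunlap’s remark in the post above, that firmware repeats desktop-era bug classes such as buffer overflows, can be made concrete. The C below is an added example, not code from the original post or from Tactical Network Solutions: it places the unchecked-copy pattern beside a hardened, length-checked version inside a small, constructed provisioning-line parser. The struct layout, field sizes, function names and sample input are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16  /* fixed-size field, typical of constrained firmware (assumed size) */

/* Hypothetical configuration record. `flags` sits directly after `name`,
 * so an overflow of name[] silently rewrites it. */
struct device_config {
    char name[NAME_MAX];
    unsigned char flags;
};

/* The pattern the post warns about, kept only for contrast and never called
 * here: the input length is never compared with the destination size. */
void set_name_unchecked(struct device_config *cfg, const char *src)
{
    strcpy(cfg->name, src);   /* overruns name[] once strlen(src) >= NAME_MAX */
}

/* Hardened form: reject over-long input instead of truncating it silently,
 * so the caller (and any audit log) sees the bad value. Returns true on success. */
static bool set_name_checked(struct device_config *cfg, const char *src, size_t srclen)
{
    if (src == NULL || srclen >= NAME_MAX)   /* keep one byte for the terminator */
        return false;
    memcpy(cfg->name, src, srclen);
    cfg->name[srclen] = '\0';
    return true;
}

/* Applies one "name=<value>" line, as a provisioning step might.
 * Returns 1 if the value was accepted, 0 if rejected as too long,
 * -1 if the line is not a name assignment at all. */
int apply_name_line(struct device_config *cfg, const char *line)
{
    const char *prefix = "name=";
    if (strncmp(line, prefix, strlen(prefix)) != 0)
        return -1;
    const char *value = line + strlen(prefix);
    size_t len = strcspn(value, "\r\n");     /* value ends at end of line */
    return set_name_checked(cfg, value, len) ? 1 : 0;
}

int main(void)
{
    struct device_config cfg = { .flags = 0x01 };
    /* Constructed sample input: one legitimate name, one over-long value. */
    const char *good = "name=pump-07\n";
    const char *bad  = "name=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n";  /* 32 chars */

    printf("good: %d (name=%s)\n", apply_name_line(&cfg, good), cfg.name);
    printf("bad:  %d (name still %s, flags still 0x%02x)\n",
           apply_name_line(&cfg, bad), cfg.name, cfg.flags);
    return 0;
}
```

The checked version rejects anything that would not fit with its terminator rather than clipping it, which keeps the adjacent `flags` byte intact and turns a silent memory-corruption bug into a visible, loggable validation failure. Static analysis and fuzzing tools flag the unchecked pattern readily, which is the point the post makes about the fix being well understood.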

About Tactical Network Solutions
Are you concerned about risky, vulnerable embedded firmware in IoT devices, connected medical devices, automotive ECUs and industrial control systems? You're not alone. Since 2007, Fortune 500 companies and governments around the world have sought out Tactical Network Solutions for reverse engineering training programs, firmware evaluations, and cyber risk mitigation strategies. Clients are excited to leverage our automated firmware evaluations and consulting performed with the proprietary Centrifuge IoT Security Platform. The evals are completed with NO access to source code on compiled images containing a Linux-based root filesystem compiled for either MIPS, ARM, or X86. We also support QNX (a real-time operating system) and Docker containers. TNS evaluations have revealed thousands of hidden attack vectors including erroneously placed private crypto keys, insecure binaries with highly vulnerable function calls and other rampant security holes on embedded firmware. Our community of clients includes firmware developers, underwriters, law firms, governments and intelligence agencies worldwide who share a common goal: to discover hidden attack vectors in IoT and connected devices.
