Zombie-proof your IoT design

-September 09, 2016

When asked about security features, many IoT device developers still express reluctance to implement protections. "There's nothing hackers would want from this device," many rationalize. But without cyber-security, your device risks being forced to join a zombie army known as botnet.

In case you have not heard of them, botnets are collections of connected devices that are running malware allowing an external party to use them without the owner's awareness. In particular, the abuser can make these connected devices accept and relay messages via their Internet connection. As the device user never sees these messages (they target a fourth party), this hijacking operation can go unnoticed indefinitely.

While an individual device may not be particularly interesting to an abuser (aka, a bot-herder), an army of them can be very useful. Two of the most common uses for a botnet are distributed denial-of-service (DDoS) attacks and dissemination of spam emails. A DDoS attack hits a specific computer, such as a web server, with massive numbers of messages in a short time frame. The goal is to bog down the computer with more messages than it can handle, causing it to slow down its service or even crash the software. Spam dissemination allows the bot-herder to send email messages that cannot be traced back to their source, for phishing or running other scams with little danger of being caught.

Traditional botnet recruits are insecure home network routers and personal computers. But with rising numbers of IoT devices in deployment, many of them with little to no security, the bot-herders are beginning to change their conscription targets. A recent survey reported in Dark Reading found a botnet based on the BASHLITE malware family with more than one million zombies, 96% of which were IoT devices.

Without increases in security for next-generation IoT designs, such zombie armies can only be expected to grow.

The problem, as many developers exclaim, is that "Security's too expensive!" It's true that many of the traditional security processes and algorithms require many more compute resources than small IoT devices can provide. Further, these processes and algorithms don't scale down effectively to match resource constraints. But if adding security into a design seems expensive, consider the cost of not having it. Companies have already had their products tank and their reputations shredded, and sometimes been forced into million-dollar recalls, because their IoT designs had eschewed security. And everyone pays if the bot-herders build and unleash zombie armies based on your unprotected design.

And cost may not be an issue for much longer. Devices like the Microchip ECC508 have started becoming available for tacking security onto microcontroller-based designs for under a dollar. There are also many efforts afoot to define and develop software security approaches for resource-constrained IoT devices. Eclipse, for instance, has a project underway to create a C-library for datagram transport layer security (DTLS) to be implemented in smaller designs, known as tinydtls. The US National Institute for Standards and Technology (NIST) is developing a plan for gathering together and standardizing lightweight cryptographic algorithms. NIST is also holding a workshop on the topic in October.

So, developers thinking of creating a new IoT device should at least stop casually dismissing security and start considering it as seriously as every other design tradeoff. Ideally, make sure that some level of security is in the specs and budget for the project, even if it's not full encryption. At least provide some protection against your product turning into a zombie.

Also see:

Loading comments...

Write a Comment

To comment please Log In