SECURITY INTERNET OF THINGS
becomes part of a huge botnet
network, and we see a denial of
service attack, then the people that
lose out are third parties, whether it’s
Netflix, CNN or Twitter.
“When you have those
characteristics within a market, it
leads to market failure, and the
only way that you can intervene and
change that is through regulation.”
Juggling standards
Security regulation is certainly a focal
point for governments across the
world but for IoT manufacturers, as
Bernard points out, with investment
in security comes higher component
costs; hardly a reward for doing right
by their end users.
Silicon Labs senior director of
product marketing for IoT Security,
Gregory Guez said that the motivation
to add security may be found
outside regulation.
“We’re at a time where
there’s going to be a big
shift with new security rules
(SB327), where the State of
California will mandate that
all IoT connected devices
need to come with reasonable
security features. Things like
making sure devices don’t have
universal passwords, executing
trusted firmware, came into
action at the beginning of the
year.
“I think that’s going to be a
game changer. We are going to
see some big lawsuits happening
and companies who feel they can
make a product without thinking
about security are going to have to
start taking it more seriously from
the beginning of the design. It can no
longer be an afterthought.”
“The UK Government is looking to
introduce guidelines that they want
manufacturers to voluntarily sign
up to. The National Cybersecurity
Centre worked with the DCMS to
come up with these secure by
design principles that, if adopted by
manufacturers, would move things
forward quite substantially” added
Parsons.
“To date, nothing has happened
voluntarily, so we will now move
through to an era of regulation and
that’s what will ultimately create the
drive for the manufacturer to invest in
security.”
Securing the things
Experts agree that the best route of
security is to install it at a physical
level but reiterate that cost and
profitability are big factors when
manufacturing devices.
“The best way to maintain the
integrity of a system is to have a
hardware root of trust” added
Parsons. “If you want to have a
secure boot process in a platform
where you can verify the firmware
state, the only practice really that
can withstand any reasonable attack
is where you have a hardware-based
root of trust.
“Within ARM based platforms,
you’re talking about TrustZone,
while within Intel based platforms,
it’s TPM (Trusted Platform Module).
Ultimately it comes back to some
fairly straightforward and basic good
practices and a good starting point is
that root of trusted hardware.”
“If you look at connected home
devices for instance, it has been
growing so fast and a lot of people
have been focused on time to market
and releasing products rather than
being concerned about security” said
Guez.
“The lack of standards has
been allowing them to proceed
without really taking security into
consideration, and that’s been a
tough battle for us.
“We would go to a customer and start talking
about security but first there is a
cost, because we integrate a lot of
hardware that increases the price
at the SOC level, but on top of that
there is also a layer of complexity.
“If you’re thinking about the
consumer market, where everything
is driven by time to market, I think
security could actually delay your
product, maybe by a few months or
even longer. I think some companies
lose out to their competitors, just
because their product takes a longer
time to be produced and released.”
However, with a security hole still
in hardware of devices, questions
can also be asked of the systems
that enable the vast majority of
devices. As Duckin points out,
there is more than one area where
devices can be ‘got at’.
“Sometimes the bugs or the
problems are in the device,
sometimes they’re in the cloud
service that the device uploads its
data to, and sometimes they’re in
both.
“If the data being uploaded is
being stored on a cloud server which
is completely unprotected, once
you’ve figured out where to look,
what URL to go to, what endpoint,
you could see the data by changing a
number in the URL.
“That can be fixed but do you
want to carry on trusting that cloud
provider when they’ve made a blunder
that big? The other problem is that
there may be something fundamental
about the device that means that,
even if they harden the cloud
service side, the device itself is still
insecure.”
“The lack of
standards has
been allowing
companies to
proceed without
really taking
security into
consideration
which has been
really a tough
battle for us.”
Gregory Guez
Security is often
an afterthought,
especially in
inexpensive
consumer devices
www.newelectronics.co.uk 24 March 2020 29