A random look at IoT security
The traditional concept of a corporate security perimeter has been fading slowly for at least a decade. The cloud put it on life support and the IoT will kill it off for good. The IoT presents a whole new set of challenges and on a completely different scale.
The biggest security impact of the IoT is the massive increase in attack surface that it creates. In fact, the IoT is the security professional’s worst nightmare – lots of sensitive and often regulated data collected and stored on low-performance, low-power devices scattered across the country or the world. These are devices that are easy to tamper with, are in use for a long time and are hard to update. That’s not a good combination.
The recent WannaCry and Petra ransomware attacks dramatically exposed the dangers of using out of date software. But the economics of the IoT mean that devices such as smart meters will be in service for years and may only be touched twice – when they are installed and when they are replaced. Yet an IoT device deployed today will need to defend against attacks that haven’t even been thought of yet, says Richard Moulds, general manager at Whitewood Security.
Trusting the identity of millions of remote devices and proving that messages and commands haven’t been tampered with or eavesdropped is no simple task. IoT devices don’t have a sense of suspicion and can’t be easily trained – they simply apply a set of tests to verify trust and blindly accept the result.
All IoT devices need to talk – the question is, how secure are their communications? They rely on encryption to protect data but how strong is that encryption? The strength of encryption often comes down to how good the cryptographic keys are that lock and unlock access to data or systems and it’s whether these keys can be guessed or stolen that makes the difference.
Companies are getting better at protecting keys but as computers get faster and with quantum computers around the corner, cracking keys is becoming more feasible. And If keys can be guessed then the game is up.
Surprisingly, making truly random keys is harder than you would think and IoT devices are notoriously bad at it.
Almost all keys are generated by an operating system, but software is deterministic, pre-programmed to act in a certain way. If software does something random, we call it a bug! To trigger legitimate behaviour that is actually random, the operating system looks for sources of randomness – defined as entropy – usually by sampling some aspect of its physical environment. Everything from user mouse clicks and keyboard strokes to radio noise and timing jitter in the hardware can all yield entropy.
But IoT devices can suffer from entropy starvation. They tend to be low-power and low-cost devices, designed for a specific task and with very limited access to randomness. The same is true in the cloud. By abstracting cloud applications from the physical world, they are cuts off from their main supply of entropy.
IoT devices might spend most of their working day in a dormant state and have access to very few sources of entropy, if any, and yet are expected to spring to life, generate perfectly random keys and communicate securely.
The challenge is to create a source of entropy available to billions of IoT devices and cloud applications that will stand the test of time. Quantum-based entropy may be the answer. Quantum entropy is the nearest you can get to perfect randomness by exploiting random behaviour at the sub-atomic level, which is fundamentally random and unpredictable by any attacker, even with a quantum computer.
The next challenge is actually deploying entropy to IoT devices consistently and at scale. The idea of remote delivery of entropy from a centralised source may offer the way forward – the concept of ‘entropy as a service.’ In time, entropy might be considered an essential ‘utility’ service in the same way that atomic time and date services are delivered to servers and devices today.
This may sound like a problem to worry about in years to come, but Siemens was recently forced to do a major software patch because it was discovered that the encryption in some of its IoT building controllers wasn’t very strong, because they had no randomness and hence were generating the same keys.
Furthermore, Edward Snowden’s disclosures claimed that a newly standardised Random Number Generator (RNG) had been purposely weakened. It’s effectively impossible to spot the difference between a truly random and non-random number – and that’s a problem when all crypto and therefore IoT security depends on them.
The author of this blog is Richard Moulds, general manager at Whitewood Security