We’re all sick of hearing it. Day after day, another “junk hack” pops up in the news. The stories are tiring and repetitive, and even well-established engineering firms can’t seem to escape the wrath of a recent college grad with a logic analyzer and an empty social calendar—so what is a blue team to do? Don Bailey explains that defense in the IoT is less about increasing the component budget or slopping on a few crypto libraries and more about the process of deploying, monitoring, and maintaining technology in a structured, rigid, and easily evaluated fashion. With a well-defined set of processes, we can antiquate the concept of junk hacking.
Making IoT security a simpler, more succinct, and richer experience for developers and management is critical to the success of the IoT, regardless of which verticals the product is deployed in. Don outlines strategies from three core concepts in IoT security: how to threat model physical and logical components not only from the technical perspective but from the perspective of how the security of these components changes over time, with enhancements in adversarial capability and the decreasing costs of an attack; how to detect whether a component has been abused and the telltale signs that signify a clear delta between errors in the architecture and adversarial behavior at each layer of the product (hardware, network, and backend services); and how to incorporate changes in evolving threat models into the SDLC and analytics programs to secure the next generation of the technology and, more importantly, improve the posture of current products in the field.
IoT security can be simple. It can be cost effective. It can be practical. The only barriers to these goals are the processes and policies that are typically overlooked. By adhering to a few simple guidelines, IoT security teams can force adversaries to focus on antiquated IoT systems, because the challenge of attacking modern IoT technology will be too steep.
Don A. Bailey is a world-renowned security researcher and an expert in Internet of Things technology and embedded systems. The first security researcher in the IoT field, Don broke ground in 2011 by remotely hacking into a telematics system, turning on a vehicle’s engine, and unlocking its doors. With this demonstration (the first of its kind), Don inspired a new area of interest in telematics, automotive systems, and embedded security. After several more public, groundbreaking projects, he won a DARPA grant to evaluate the full scope of risk in the IoT space. His research was used as the foundation of the GSMA IoT Security Guidelines, which were released at Mobile World Congress in February of 2016. Don is currently developing secure IoT platforms at Lab Mouse, where he is the founder and CEO. He has given over 40 unique talks on security over the past decade and has given 8 Black Hat Briefings talks.
©2016, O’Reilly UK Ltd • All trademarks and registered trademarks appearing on oreilly.com are the property of their respective owners.