As increased device connectivity risks national infrastructure, OEMs must up their game with security
From our kitchens to our cars, offices to warehouses, connected devices are becoming an increasingly intrinsic part of everyday life.
According to Vernon Turner, senior vice president of the International Data Corporation [IDC], approximately 80 billion devices will be connected to the internet by 2025. It is clear, therefore, that our reliance on connected devices to power our cars, businesses, and homes, will only continue to grow as time goes by.
While the increased use of such technology means we now live far more convenient lives than we did in decades past, it does, however, bring its own set of challenges. With the number of connected devices constantly growing, so too is the threat of cyber-attacks committed against them.
New data shows that the cost of cyberattacks in 2022 was $6 trillion and that, by 2025, they are projected to cost the world £10. 5 trillion yearly. While attacks can be carried out against individual devices with the aim of stealing user data, other attacks can have much further reaching implications.
In fact, in some cases, cyberattacks can even pose a serious threat to national infrastructure.
How are attacks carried out?
Distributed Denial of Service [DDoS] attacks provide an example of a type of attack that has the potential to have a national or international impact.
They are increasingly common, and are typically carried out from compromised devices.
Their purpose is to render a target device unavailable to its intended users, either by temporarily or indefinitely disrupting the services of a host connected to a network. This is achieved by getting the device to send repeated requests for information to a server or end point with the intention of overloading it.
The result is that the target device either becomes overwhelmed and starts to expose vulnerabilities or goes offline. Either outcome has the potential to cause massive disruption.
In May 2021, the Colonial Pipeline in the United States was targeted by cyber attackers, who infected the pipeline’s digital systems, causing it to be shut down for several days. The shutdown affected consumers and airlines along the East Coast due to the resulting fuel shortages, and the incident was declared a national security threat.
While the primary objective of the attack was the acquisition of sensitive data, its impacts were felt far broader, and the incident illustrates the devastating effect such attacks can have. To make matters worse, those who commit such attacks have an almost untold level of power over target countries if left unchecked.
In addition to hijacking key infrastructure, attackers motivations may be financial, terrorism related, or simply to disseminate ‘fake news’ that influences public debate and opinion. Meanwhile, fake data can enable financial market manipulation, crash traffic lights, or overload electrical grids.
It can also disrupt logistics, confuse air traffic controllers, reroute emergency vehicles, influence urban planning, or rationalise otherwise unpopular decisions. The possible implications of fake data can be vast and potentially devastating, and the task of tackling its proliferation is an incredibly difficult one.
However, it is possible, and cost effective, to ensure that data is coming from legitimate connected devices and, in doing so, separate the genuine data from the artificial.
Who suffers?
While there are many potential victims of IoT attacks, different groups are affected to varying degrees by different types of attacks. For example, wider society and consumers are mostly impacted by data and device fakery, given that these can affect the functionality of devices, as well as how their personal data is used by criminal entities.
Data abuse and DDoS attacks, meanwhile, are likely to have a significant impact on enterprises and retailers, as well as individuals. This is because such attacks erode trust in organisations, undermining their resilience, reduce service availability and can also have severe financial implications.
The fact that the impact of data breaches and cyberattacks can easily go unnoticed means the general public may not take the issue of cyber security as seriously as they should.
As a result, it is seldom that consumers spend time reviewing the level of protection that original equipment manufacturers [OEMs] are providing in their devices. It is also equally fair to say that, up to now, many OEMs have not made this a focal point of their advertising.
This is often due to the perceived complexity of how to communicate such a message effectively.
However, as the devices we carry and interact with on a daily basis become more sophisticated and collect more data about us, this is an issue that consumers and device OEMs alike will need to increasingly focus on.
OEMs must up their game
It is not only the way that OEMs communicate to consumers about device security that needs to be assessed. OEMs must also consider whether the level of security that is present in their devices is still fit for purpose in the face of ever-increasing attacks. In certain cases, OEMs do not consider security to be an intrinsic part of the design process, and instead regard it as a mere afterthought.
By taking this approach, however, OEMs are inadvertently making it easier for cyberattacks to be carried out against devices that are ill-equipped to protect themselves.
As such, OEMs must understand that security needs to be ‘baked in’ to their products, and shouldn’t be seen as a simple add-on piece of functionality. Cybersecurity is not a basic ‘function’ of a device – it is a core value that should permeate throughout every aspect of the product and the software architecture.
Furthermore, OEMs should not think of compliance with cybersecurity regulation as a checklist of items that need to be addressed. Regulation is almost always in place for a good reason, and it is just as much in the best interest of OEMs to comply as it is in the best interest of consumers that devices are protected.
However, due to the time it takes to create standards this means that cyber security regulations are often the absolute minimum a company should be doing to protect its customers and users. This means adopting a company-wide mindset that cybersecurity must be a key part of the design process and a philosophy of how the company protects its own data.
This is not merely to prevent ‘bad actors’ from doing amoral things with devices, but is a demonstration of an OEMs commitment to addressing the various security concerns of users. It’s also important that OEMs don’t inadvertently enable back actors to bypass device security through a lack of focus on how information is managed with the company, for example by protecting cryptographic keys or disabling debug or engineering modes in the final build of software.
Despite this, matters are exacerbated by the fact that the term ‘IoT’ is too loosely defined when it comes to regulation.
Clearer and more focused scope is needed to make it simpler for OEMs to interpret what is required of them and their products.
This is because the vague definition of IoT fails to capture the huge complexities involved in a single IoT device. Regulation tends to focus too intently on the basics – namely, to secure by default, and to keep software up to date.
While these are undoubtedly positive steps, they barely manage to scratch the surface of what is actually needed to ensure that devices are safe, and to give users confidence in them. IoT devices contain a huge amount of software – and device makers tend to make significant use of Open Source Software.
This is a ‘good thing’ because open source software libraries are often very mature and have had significantly more effort put into them than device makers themselves could afford. However open source comes with a catch.
Almost all of it comes without any sort of warranty whatsoever.
This means that whilst it is cheap for an OEM to use, if there is a subsequent need for an update – because of an attack or compromise, there is no guarantee that the original authors of the code (or anyone else) will be motivated to fix it.
OEMs cannot in all honesty warrant devices based on software that itself has no warranty. Many OEMs simply take on the risk of potential security threats themselves, or push uncertainty to customers, many of whom are unlikely to understand the full extent of the risks.
Wherever problems are found, it is generally a good idea for OEMs to update the faulty software – and typically this means taking the latest version of a library or package that may have ‘evolved’ somewhat since the OEM first selected it.
It is crucial that updates are never carried out blind – the OEM must check that there will not be a negative impact – for example in terms of performance or battery life. Given that software libraries often depend on other software libraries, this is an immensely complicated endeavour.
This ongoing maintenance cost and responsibility is often overlooked – but applies to every device and grows over time. The extent of the risk associated with ‘blind updates’ was made clear when the LOG4J vulnerability broke.
LOG4J in its original form was a simple logging framework which posed no security risk – but it evolved into something much more dangerous and was adopted by millions of other software projects who did not appreciate the increased risk.
The fallout from the log4j debacle has led to the US government to require that ALL device OEMs list all software used to aid in the identification of future risks. This is known as the ‘software bill of materials’ [ref] and is itself a significant additional cost for OEMs to bear.
To be clear, 90% of IoT is software, but the vast majority of software libraries come without any sort of warranty whatsoever, meaning there is little recourse for OEMs if their device is attacked or compromised in some way.
As such, many OEMs are simply taking on the risk of potential security threats themselves, or pushing uncertainty to customers, many of whom are unlikely to understand the full extent of the risks. Wherever problems are found, it is generally a good idea for OEMs to update the faulty software.
However, it is crucial that updates are never carried out blind – the OEM must check that there will not bed a negative impact. This means that every device has an ongoing maintenance cost that grows over time which, naturally, can become costly for them.
How Trustonic is helping
Trustonic is a leading provider of the industry-leading Trusted Execution Environment [TEE] – an environment for executing code in which those executing the code can have high levels of trust in the surrounding environment.
As such, we have the solution to help OEMs ensure that the core foundations of their device are implementing the highest level of security in order to meet and exceed the latest cybersecurity legislation.
Our hardware-backed security is recognised as a gold standard for the consumer IoT industry. We recently certified our TEE using the industry-standard Common Criteria Protection Profile, defined by GlobalPlatform, and achieved a class-leading EAL5+ certification.
Our TEE has also been deployed in more than 16 million vehicles and growing, sitting at the heart of the next generation of secure vehicles. Using a hardware-backed secure environment to perform critical operations, e.g., encryption and biometric authentication, and providing a trusted environment for applications and services will provide a robust platform for building future secure solutions.
OEMs choose our solution because, as a strongly certified component, it makes its considerably easier for them to meet both ETSI EN 303 645 and UNECE WP.29 requirements than by using alternative approaches.
Connected devices have become a truly intrinsic part of our lives in recent years, and play a hugely significant role in our daily routines. Despite the benefits that they bring, they can also compromise our privacy, safety, and national infrastructure if they are not correctly designed and prepared with security standards in mind.
OEMs owe it to their customers, themselves, and wider society to ensure that users can confidently use their products.
