IoT security “solvable” but smart-city investments increase the need for rapid action

We’ve solved this problem before, BlackBerry CSO says – but the risk is mounting quickly

City and state authorities may be embracing Internet of Things (IoT) technologies to power ‘smart city’ initiatives around the world, but one expert has warned that the technology’s rapidly-broadening scope means IoT security must be addressed at an ecosystem level as a matter of public safety.

The widespread use of the QNX real-time embedded operating system – which is popular within automotive systems and a range of other applications – had pushed BlackBerry to expand its thinking about the best way to ensure security of embedded devices, the company’s chief security officer Alex Manea recently told CSO Australia.

Given the complexity of current IoT software, poor management and control over devices in the field and the natural incidence of potentially exploitable security vulnerabilities, he said, embedding the security within core hardware modules had proven to be an invaluable baseline that enables authentication of ancillary devices, components, and data transfers.

“A lot of people still think of cars as being hunks of metal on wheels, but they really are becoming mobile networks,” he said, noting that a typical luxury car can have 100 million lines of code underlying its systems. “If you have one vulnerability every 10,000 lines of code,” he said, “that’s a huge number of potential vulnerabilities in the car.”

“When you have so many different tiers of suppliers and components from dozens of manufacturers, it is really difficult to secure all of that. The real issue is where you put your root of trust – and we have found the most effective way is to inject that root of trust within the manufacturing process, then start building security from there.”
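The provisioning pattern Manea describes, a root of trust injected on the manufacturing line and then used to authenticate components and data transfers, is shown below as an added illustration; it is not BlackBerry or QNX code. It models the hardware root of trust as a key-holding object that never exports its key, a factory that derives a per-device key from a (constructed, fixed) master key and records the device in a trusted inventory, and a gateway that accepts a device only if it is in that inventory and can answer a fresh challenge. The device IDs, payloads and key material are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed: in a real line the master key lives in the factory HSM. A fixed
# value is used so the example runs stand-alone.
FACTORY_MASTER_KEY = hashlib.sha256(b"constructed factory master key").digest()


def derive_device_key(master: bytes, device_id: str) -> bytes:
    """Per-device key injected at manufacture, derived from the master key and device ID."""
    return hmac.new(master, b"device-key|" + device_id.encode(), hashlib.sha256).digest()


class SecureElement:
    """Stands in for the hardware root of trust: holds the injected key, never exports it."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self._key = key  # written once at the factory, unreadable afterwards

    def respond(self, nonce: bytes) -> bytes:
        """Challenge-response: prove possession of the injected key for this device ID."""
        msg = b"auth|" + self.device_id.encode() + b"|" + nonce
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def seal(self, payload: bytes) -> bytes:
        """Authenticate an outbound data transfer (e.g. a sensor reading) from this device."""
        msg = b"data|" + self.device_id.encode() + b"|" + payload
        return hmac.new(self._key, msg, hashlib.sha256).digest()


class Factory:
    """Manufacturing line: injects the key and records the device in the trusted inventory."""

    def __init__(self, master: bytes):
        self._master = master
        self.registry: dict[str, bytes] = {}

    def provision(self, device_id: str) -> SecureElement:
        key = derive_device_key(self._master, device_id)
        self.registry[device_id] = key
        return SecureElement(device_id, key)


class Verifier:
    """Gateway or backend that trusts only devices present in the factory registry."""

    def __init__(self, registry: dict[str, bytes]):
        self._registry = registry
        self._outstanding: set[bytes] = set()  # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def authenticate(self, device_id: str, nonce: bytes, response: bytes) -> bool:
        key = self._registry.get(device_id)
        if key is None or nonce not in self._outstanding:
            return False  # unknown device, or a replayed / never-issued nonce
        self._outstanding.discard(nonce)  # each nonce is accepted exactly once
        msg = b"auth|" + device_id.encode() + b"|" + nonce
        return hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), response)

    def verify_data(self, device_id: str, payload: bytes, tag: bytes) -> bool:
        key = self._registry.get(device_id)
        if key is None:
            return False
        msg = b"data|" + device_id.encode() + b"|" + payload
        return hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), tag)


def demo() -> dict:
    factory = Factory(FACTORY_MASTER_KEY)
    ecu = factory.provision("ECU-0001")  # hypothetical device ID
    gateway = Verifier(factory.registry)

    nonce = gateway.challenge()
    response = ecu.respond(nonce)
    genuine = gateway.authenticate(ecu.device_id, nonce, response)
    # Replaying the captured response fails: the nonce has already been consumed.
    replay = gateway.authenticate(ecu.device_id, nonce, response)

    # A counterfeit part claiming the same ID but without the injected key fails.
    clone = SecureElement("ECU-0001", b"guessed-key")
    nonce2 = gateway.challenge()
    counterfeit = gateway.authenticate("ECU-0001", nonce2, clone.respond(nonce2))

    # A device that never went through the factory is not in the registry and is rejected.
    rogue = SecureElement("ECU-9999", secrets.token_bytes(32))
    nonce3 = gateway.challenge()
    unprovisioned = gateway.authenticate(rogue.device_id, nonce3, rogue.respond(nonce3))

    # Data transfers are bound to the device key: tampering with the payload breaks the tag.
    reading = b"speed=42"
    tag = ecu.seal(reading)
    data_ok = gateway.verify_data(ecu.device_id, reading, tag)
    tampered = gateway.verify_data(ecu.device_id, b"speed=99", tag)

    return {"genuine": genuine, "replay": replay, "counterfeit": counterfeit,
            "unprovisioned": unprovisioned, "data_ok": data_ok, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

The symmetric HMAC construction is a simplification so the example needs only the standard library; a production line would more typically inject an asymmetric key pair and register the public key, so the verifier never holds anything that could be used to impersonate a device. The domain-separation prefixes (`auth|`, `data|`) and the single-use nonce set are the parts practitioners most often omit and are what stop a captured authentication response from being replayed or reused as a data tag.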

A number of public hacks, such as the 2015 demonstration on a Jeep Cherokee that led Fiat Chrysler to recall 1.4 million vehicles, have highlighted the dangers intrinsic to networked devices – but these are just the tip of the iceberg as entire cities put such devices in charge of public assets and safety.

The US city of Dallas, for one, this week announced that it would partner with Ericsson to build and host an advanced traffic management system that optimises traffic flow through an omnipresent network of sensors and cameras that dynamically control traffic lights, school-zone slow zones and message signs.

Closer to home, the Gold Coast Smart City Initiative will link a broad range of systems designed to automate the flow of traffic, improve public safety and more during the upcoming Commonwealth Games 2018.

Such investments may promise significant benefits for city planners and event organisers, but their reliance on potentially insecure networked devices could dramatically increase the scope for damage as vulnerabilities are exploited, The Italian Job style, for service disruption or actual physical harm.

As BlackBerry’s technical team has been demonstrating, even seemingly innocuous objects must be carefully secured and monitored: in one recent test hack, security specialists were able to compromise a networked tea kettle, extract the enterprise Wi-Fi authentication key and use that to access the enterprise network.

“The more you have these types of IoT devices making their way into the enterprise and the more you have them not being properly managed,” Manea explained, “the more your risk profile grows.”

Even hardware is not impervious to security problems, as the recently-discovered, CPU-based Meltdown and Spectre vulnerabilities have demonstrated. Against that backdrop, BlackBerry has been working to leverage its years of expertise in managing mobile devices – its eponymous smartphones have long been associated with secure operation and fuelled a corporate reinvention around mobile device management (MDM) – into developing an IoT ecosystem that can address some of the systemic shortcomings of current approaches and mass-market devices.

With businesses installing IoT devices in large numbers – and often without considering their security implications – the clock is already ticking. BlackBerry, for one, has expanded its research into automobile safety and is looking into replicating its MDM success with a tool for managing QNX and non-QNX embedded devices.

Local industry initiatives like the formation of the IoT Alliance Australia (IoTAA), and partnerships such as a recently announced IoT testing and certification joint venture between Enex TestLabs and James Cook University, are creating a framework for the industry and expectations of operational rigour around security and other aspects.

The stakes are significant, but it’s a challenge that Manea is confident the industry can win – eventually. “It’s definitely a solvable problem,” he said.

“Logically, it’s not that different from the problem we solved 10 years ago, which was to take all these mobile devices connecting to the enterprise and manage them. The challenge with IoT is similar, and the solutions will be similar. We can put in basic management capabilities that are going to grow over time as those devices become more sophisticated and more common within the enterprise.”

Tags: BlackBerry, hacks, Internet of Things (IoT)
