Startup Dover Microsystems Is Focused on IoT Device Security
“If we are not careful,” warned Jothy Rosenberg, chief executive officer of the cybersecurity firm Dover Microsystems, “IoT could kill us all.” At the very least, the potential for catastrophe is great with legions of connected devices controlling everything from transportation systems to power plants.
Rosenberg is not alone in that assessment. Noted security expert Bruce Schneier’s latest book is titled “Click Here to Kill Everybody: Security and Survival in a Hyper-connected World.”
To reduce the risk of havoc, Rosenberg advocates a hardware-based approach to IoT device security. His firm recently partnered with NXP Semiconductors, which will use Dover’s CoreGuard technology. CoreGuard secures the processors used in embedded devices: it monitors the instructions the host processor executes and rejects those that violate predefined security policies.
Ultimately, the technology could provide a sort of “herd immunity,” said Rosenberg, referencing the epidemiological concept that suggests if a significant proportion of organisms have immunity to a disease, they offer protection for those that don’t.
“Think about this in the context of the Dyn attack,” said Rosenberg, referencing the IoT-fueled Mirai botnet’s takedown of a chunk of the internet in late 2016. “Let’s say you have a series of compromised devices like IP cameras. Each of those devices connects to 1,000 other IoT devices, and each of those connects to another 1,000. Extremely quickly, you have millions of compromised devices,” he explained. “Now imagine if that initial series of devices was immune to being taken. You just stopped millions of devices from being taken over.”
Hardware-based IoT device security has the potential to stop entire classes of attacks by preventing the exploitation of software vulnerabilities, which means an attacker’s attempt to remotely command a device is blocked.
When asked to explain how the technology could help thwart attacks on connected industrial targets, Rosenberg said “imagine CoreGuard is sitting on an industrial device and you have malware sitting on a computer that is networked with that device. What an attacker wants to do is take over the processor on that industrial device.”
One approach an attacker could use would be to launch a data-based attack, sending data across the network to the device and tricking it into doing the hacker’s bidding. A SQL injection attack is an example of this approach, in which an attacker uses ASCII commands that are legal SQL instructions but trigger an undesirable action. “The Equifax attack last year is an example,” Rosenberg said. “It got a database to dump a whole bunch of data out of channel it shouldn’t be doing.”
An attacker could also carry out a computing-based attack such as a buffer overflow, which causes a program to exceed the boundary of a buffer, an area of memory set aside to hold data. As a result, the program writes data to memory locations outside of the buffer.
“We can stop a buffer overflow attack with CoreGuard because it’s looking at every instruction. It knows every buffer that was created in the runtime during the time that the program executed,” Rosenberg said. “And we also know what the size of each buffer is. We can state very strongly: We can stop every buffer overflow attack. That attacked computer whose user clicked on a phishing link that then tried to do a buffer overflow attack would be stopped.”
For data-oriented attacks, CoreGuard can enforce policies designed to prevent an intruder with IT network access from extending their reach to sensitive devices such as networked industrial devices. “CoreGuard can set a policy that basically says: ‘All data coming in over the network is automatically marked as untrusted’ and as data rather than code,” Rosenberg said.
“And so for example, if it’s SQL data coming from outside, it’s flagged untrusted,” Rosenberg said. “The only thing that can make it trusted is to have it processed by the sanitization routine, but CoreGuard knows when that routine is called. So what CoreGuard is doing is basically saying: when suspicious data arrives to be sent to the database, it’s blocked. It can’t be executed as code to dump the entire database out of a port.”
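The policy Rosenberg describes (network data tagged untrusted, only the sanitization routine can clear the tag, the database refuses untrusted data) can be modelled in software. The following is an added illustration, not CoreGuard code or its policy language; every name in it is hypothetical, and it assumes that tags propagate when trusted and untrusted data are combined.

```c
#include <ctype.h>
#include <stdio.h>

/* Software model of the policy quoted above; all names are hypothetical
   and this is not CoreGuard code. Sample inputs in main() are constructed. */
enum tag { TRUSTED, UNTRUSTED };
struct tagged { char data[128]; enum tag tag; };  /* data + policy metadata */

/* Rule 1: everything arriving from the network is tagged untrusted. */
static struct tagged net_recv(const char *bytes) {
    struct tagged t = { .tag = UNTRUSTED };
    snprintf(t.data, sizeof t.data, "%s", bytes);
    return t;
}

/* Rule 2: only the sanitization routine clears the tag, and only when
   the input passes its check (here: alphanumerics only). */
static int sanitize(struct tagged *t) {
    for (const char *p = t->data; *p; p++)
        if (!isalnum((unsigned char)*p)) return 0;  /* stays untrusted */
    t->tag = TRUSTED;
    return 1;
}

/* Rule 3 (assumed): tags propagate; a result is untrusted if any input was. */
static struct tagged concat(const struct tagged *a, const struct tagged *b) {
    struct tagged r;
    r.tag = (a->tag == UNTRUSTED || b->tag == UNTRUSTED) ? UNTRUSTED : TRUSTED;
    snprintf(r.data, sizeof r.data, "%s%s", a->data, b->data);
    return r;
}

/* Rule 4: the database sink refuses untrusted data (1 = allowed). */
static int db_execute(const struct tagged *q) { return q->tag == TRUSTED; }

/* Build a query from constant text plus network input, then submit it. */
static int handle_request(const char *wire, int call_sanitizer) {
    struct tagged pre = { "SELECT * FROM users WHERE name = '", TRUSTED };
    struct tagged post = { "'", TRUSTED };
    struct tagged in = net_recv(wire);
    if (call_sanitizer) sanitize(&in);
    struct tagged q = concat(&pre, &in);
    q = concat(&q, &post);
    return db_execute(&q);
}

int main(void) {
    printf("%d %d %d\n", handle_request("alice", 1),
           handle_request("x' OR '1'='1", 1), handle_request("alice", 0));
    return 0;
}
```

The third case shows that the decision depends on the data's provenance tag rather than its content: even a harmless value is refused at the sink if it never passed through the sanitizer.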
An attacker using such attacks to try to cause a blackout at a utility protected by CoreGuard would be unsuccessful, Rosenberg said. “If data comes in with a command for a transformer to lower the voltage to, say, 30 volts or change the alternating current from 60 Hertz to 10 Hertz, we could prevent that.”
The same principle applies to IoT use cases for other safety-related applications such as transportation or for medical applications.
“We’re seeing a difference in people in these industries saying: ‘We need more security. What we’re doing isn’t working,’” Rosenberg said. “So I think that there is a recognition that just applying more software-based security isn’t going to work.”