https://www.iotworldtoday.com/wp-content/themes/ioti_child/assets/images/logo/footer-logo.png
  • Home
  • News
  • Strategy
  • Special Reports
  • Galleries
  • Business Resources
    • Back
    • Webinars
    • White Papers
    • Industry Perspectives
    • Featured Vendors
  • Other Content
    • Back
    • Q&As
    • Case Studies
    • Features
    • How-to
    • Opinion
    • Video / Podcasts
  • More
    • Back
    • About Us
    • Contact
    • Editorial Submissions
    • Advertise
    • Strategic Partners
  • IOT World Events
Iot World Today
  • NEWSLETTER
  • Home
  • News
  • Strategy
  • Special Reports
  • Galleries
  • Business Resources
    • Back
    • Webinars
    • White Papers
    • Industry Perspectives
    • Featured Vendors
  • Other Content
    • Back
    • Q&As
    • Case Studies
    • Features
    • How-to
    • Opinion
    • Video / Podcasts
  • More
    • Back
    • About Us
    • Contact
    • Editorial Submissions
    • Advertise
    • Strategic Partners
  • IOT World Events
  • newsletter
  • IIoT
  • Cities
  • Energy
  • Homes/Buildings
  • Transportation/Logistics
  • Health Care
  • Retail
  • Analytics
  • Architecture
  • Engineering/Development
  • Security
ioti.com

Security


Getty Images

Crash Test

Why IoT Security Needs Something Like Crash Testing

Too many organizations assume they’ve got a handle on IoT security, instead of asking: “What if an attacker targets my system?”
  • Written by Brian Buntz
  • 8th November 2019

How would you feel about the prospect of purchasing a car that hadn’t been crash tested? Or about a vehicle that scored poorly in a crash test?

In the case of the latter question, sales would likely crater. That happened in 1998, when the Austin Metro supermini automobile known as the Rover 100 fared poorly in a EuroNCAP crash test. Video footage of the test revealed a spectacular explosion of glass and severe crumpling of the front half of the vehicle upon a 30 mile per hour collision. The rear end lifted on impact, pulling the entire car up into the air. A simulated side collision was almost as brutal. Not long after, the manufacturer pulled the car from the market. 

Crash testing is an excellent metaphor for cybersecurity, said Ted Harrington, executive partner at Independent Security Evaluators at the IoT Security Summit. The idea is to find problems in a controlled environment — before it is out in the real world. 

[IoT World is North America’s largest IoT event where strategists, technologists and implementers connect, putting IoT, AI, 5G and Edge into action across industry verticals. Book your ticket now.] 

Harrington preached a similar strategy when developing or implementing IoT technology, which he termed the “break-to-build method.”  

Just as carmakers design cars upfront with the hope of surviving collisions, organizations seeking to tamp down cybersecurity vulnerabilities need to anticipate attackers’ intentions. “You would be surprised how many organizations completely skip this step, and how many organizations do not even know what a threat model is, let alone, having one implemented,” Harrington said. “That’s the foundational document that helps you understand where to allocate your resources.” 

The next phase is what Harrington terms “the break stage.” In essence, it involves looking for mistakes in IT technology — in other words, security vulnerabilities, and addressing them. “Again, you would be surprised how many organizations skip this part of the method,” Harrington said. “There are all kinds of reasons for that,” he added. Popular excuses Harrington cited include: “‘Our developers are already too busy,’ ‘The road map already is all accounted for,’ ‘Our customers aren’t asking for it,’ or, ‘Frankly, I just don’t want to deal with it.’” Harrington said he hears such excuses every day. “But you can’t get better if you don’t fix the problems, and then finally, you need to do it again and again and again and again,” he added. “Security is not a linear process. Security is a never-ending loop. And for many individuals, that’s frustrating, because there’s no clearly defined finish line.”

And because there is no such thing as perfect security and because attackers are always evolving, it is difficult to decide how to secure an IoT product or project should be.  

It is further difficult for a given organization to develop an objective vision of its cybersecurity posture. Harrington thus recommends the use of third-party security experts. “You have to be working with somebody independent of the political winds in your organization, independent of whatever biases there might be,” he said. Your organization needs “someone who spends every waking moment of their life thinking about the attacker. You don’t do that if you spend every moment thinking about how to build your company.”

When hiring a company to perform a penetration test, there are two fundamental options: black-box and white-box testing. In the former, an attacker-for-hire has virtually no knowledge of the target. “This is essentially like flying with a blindfold on,” Harrington said. In white-box testing, the penetration tester is granted access to information about the system and can collaborate with the company’s security experts and engineers. White-box testing typically entails a high amount of collaboration. 

The white-box approach is substantially more effective than the alternative, Harrington said. It enables an organization to identify a higher volume of problems while identifying solutions to those problems. “Let me explain this in a story. We’re in the privileged and grateful position to serve one of the largest chipset manufacturers and their security mission,” he explained. The company in question manufactures chips used in many industrial IoT devices, smart city applications and so forth. 

“And they recently approached us and asked us to do a black box test. I actually thought [the executive at the chip company was] joking at first because they only ever wanted white-box tests,” Harrington recalled. When he asked for clarification, Harrington learned that an executive at the company requested a black-box test. 

“Here’s what we decided to do. We decided to do both [a white-box and black-box test],” Harrington said. 

For the black-box portion, Independent Security Evaluators allocated 200 person-hours. After the end of that time, the company found four security vulnerabilities. “Out of these four, two of them, the customer already knew about,” Harrington said. “The third issue was a misunderstanding by us of how the system works.” Because Independent Security Evaluators wasn’t familiar with the system they were testing, they made an incorrect assumption about why an input in the system created an output. “The fourth issue was, in fact, a previously unknown critical security vulnerability, and so that was super valuable to this customer.” But because of the black-box nature of the test, the company couldn’t advise how to fix the problem. 

In the white-box testing experiment, the company employed separate staff to allocate the same 200 person-hours in the assessment. “We found 21 previously unknown critical security vulnerabilities in the same system,” Harrington said. “And for every single one of those issues, we were able to articulate at least one solution for how to fix it.”

Returning to the crash-testing metaphor explained at the outset of this article, a variety of potentially destructive approaches are needed to get a clear sense of risk. “What’s a lie in this context that we hear commonly? The idea: ‘Oh, no one would think to do that,’” Harrington said, referring to potential ways to hack a system. If a white-hat security expert can think of a potential vulnerability, so can an attacker. 

“The point is, there are misconceptions that often hold us back that we don’t even realize we have,” Harrington said. Many of which are based on false assumptions of security rather than asking, “what if?” “What if your system is expecting a positive integer and we put in a negative integer? Or this field is expecting a password of 20 characters, and we put in 2000 characters? What if this field is expecting text, and we put in a command?” Harrington asked. “This is how the most catastrophic security vulnerabilities are found. And yet, most security testing doesn’t go to this level.”

Harrington points to an example with Ethereum, the cryptocurrency, to illustrate his point of how seemingly strong security protections can be defeated. His firm set about trying to predict the key that keeps Ethereum wallets secure. “Now, these keys are supposed to be unpredictable — statistically impossible that you could guess it,” he said. “To put it in context, this would be like: I go to the beach. I pick up a grain of sand. I throw the grain of sand back on the beach. The next day, you come to that same beach you pick up a single grain of sand, and it’s the same one — except multiply that by every beach in the world and multiply that by 1,000 planets,” Harrington said. “That’s the likelihood of being able to guess an unpredictable Ethereum wallet key — statistically impossible.” 

Independent Security Evaluators proceeded to ask a series of what-if questions and consequently discovered 752 predictable Ethereum keys. “The asset value in those wallets was $54 million, just sitting there for the taking,” Harrington said. “We actually caught someone in the act of stealing all of that money with this vulnerability.” 

Tags: Security services Security Features

Related


  • Facial recognition
    2020 Predictions: Black Hats Begin to Target Facial Recognition Technology
    Research interest in defeating facial recognition technology is booming. Adversaries are likely taking notice, but don't expect widespread adoption overnight.
  • 6 IoT Security Predictions for 2020 
    As we transition to a new decade, there is growing maturity in the field of IoT security, but also a wave of new risks.
  • 8 IoT Security Strategies and Advice From Experts
    IoT security is a different animal than IT security. Two experts share feedback on how to minimize IoT-related cyber risk. 
  • Digital trust
    IoT Security: Open-Source Effort Promotes Enterprise Trust 
    The Linux Foundation’s Project Alvarium aims to harness collective wisdom to create enterprise trust and drive IoT security. 

Leave a comment Cancel reply

-or-

Log in with your IoT World Today account

Alternatively, post a comment by completing the form below:

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Related Content

  • ICS Security Attack Enables Remote Control of Buildings
  • Beyond AI Marketing: A McAfee Data Scientist Sheds Light
  • Overlay Security on IoT Networks to Conquer Vulnerabilities
  • 6 IoT Security Reminders Three Years After Mirai

News

Rockwell Smart Factory Technology Tackles Skills Shortage

4th December 2019
view all

White Papers

Copper Horse Secure by Design IoT

3rd December 2019

IoT: Putting the “smart” into smart cities

17th November 2019
view all

Special Reports

How Edge Computing Technology Is Reshaping the IoT Landscape

13th December 2019
view all

Webinars

Data Collection in Industrial Environments Made Easy

12th November 2019

How IoT Analytics Can Elevate Your Business to the Next Level

5th November 2019
view all

Galleries

5 Considerations Before Flying Taxis Take Flight

  • 2
28th January 2019

5 Autonomous Vehicle Technology Uses in Shipping and Logistics

  • 2
23rd October 2019
view all

Industry Perspectives

The Edge and IoT: Insights from IoT World 2019

5th June 2019

IoT World: A Day in the Life With Vertica

28th May 2019
view all

Events

Channel Partners Conference & Expo

9th March 2020 - 12th March 2020

Internet of Things World

6th April 2020 - 9th April 2020

Connected and Autonomous Vehicles

6th April 2020 - 9th April 2020

Channel Partners Evolution

29th September 2020 - 2nd October 2020
view all

Twitter

IoTWorldToday, IoTWorldSeries

Earlier this year we spoke to @Microsoft's Singapore CTO about #AI for good, #deeptech startups and working with… twitter.com/i/web/status/1…

14th December 2019
IoTWorldToday, IoTWorldSeries

RT @Oracle: #Data is the rocket 🚀fuel for smart city 🏙️ transformation,” according to Susan O’Connor, Global Director of Smart Cities for @…

13th December 2019
IoTWorldToday, IoTWorldSeries

McKinsey Q&A: How Protecting Consumer Data Can Pay Dividends dlvr.it/RLFMvk https://t.co/HAj8DrxTUY

13th December 2019
IoTWorldToday, IoTWorldSeries

How Edge Computing Technology Is Reshaping the IoT Landscape dlvr.it/RLFMtZ https://t.co/QQBKnzwxHG

13th December 2019
IoTWorldToday, IoTWorldSeries

7 IoT device security guidelines for securing smart home gifts this holiday season. dlvr.it/RLFD2C https://t.co/YkTxMZfVrk

13th December 2019
IoTWorldToday, IoTWorldSeries

Which of the Big Three cloud services is best for your #IoT project? @IoTWorldToday have researched performance, pr… twitter.com/i/web/status/1…

13th December 2019
IoTWorldToday, IoTWorldSeries

Save up to $5,900 on your Internet of Things World pass. Join us at IoT World 2020 in San Jose and get your confere… twitter.com/i/web/status/1…

13th December 2019
IoTWorldToday, IoTWorldSeries

Explore the IoT World 2020 event brochure, including attendee demographics, the conference program overview, networ… twitter.com/i/web/status/1…

13th December 2019

Newsletter

Sign up for IoT World Today newsletters: vertical industry coverage on Tuesdays and horizontal tech coverage on Thursdays.

Special Reports

Our Special Reports take an in-depth look at key topics within the IoT space. Download our latest reports.

Business Resources

Find the latest white papers and other resources from selected vendors.

Media Kit and Advertising

Want to reach our audience? Access our media kit.

DISCOVER MORE FROM INFORMA TECH

  • IoT World Series
  • Channel Futures
  • RISC-V
  • Dark Reading
  • ITPro Today
  • Web Hosting Talk

WORKING WITH US

  • Contact
  • About Us
  • Advertise
  • Login/Register

FOLLOW IoT World Today ON SOCIAL

  • Cookies Policy
  • Privacy
  • Terms
Copyright ©2019 Informa PLC. Informa Telecoms & Media Limited is a company registered in England and Wales with company number 00991704 whose registered office is 5 Howick Place, London, SW1P 1WG. VAT GB365462636. Informa Telecoms & Media Limited is part of Informa PLC.
Websites are now required by law to gain your consent before applying cookies. We use cookies to improve your browsing experience. Parts of the website may not work as expected without them. By closing or ignoring this message, you are consenting to our use of cookies.
X