Could code signing help solve the problem?

Firms with poor IoT security are more likely to experience data breaches, DoS & more

Mike Nelson
© Shutterstock / Zapp2Photo  

Getting attacked is one thing, the resulting damages are another. Because as destructive as a cyber attack can be, what happens next makes the real difference. In this article, Mike Nelson explains how that difference is made by having your organization well-secured.

Enterprises are going to suffer from poor IoT security and it’s up to them to fix it. DigiCert’s 2018 State of IoT security has revealed what firms risk and the price they eventually pay for not securing their IoT rollouts properly.

These firms are 3.5 times as likely as their well-secured counterparts to experience a malware and or ransomware based attack. They are 7 times as likely to have experienced an IoT-based Denial of Service attack; they’re just as likely to have experienced unauthorized access to those devices and they’re 5 times as likely to have experienced some kind of data breach.

Getting attacked is one thing, the resulting damages are another. Because as destructive as a cyber attack can be, what happens next makes the real difference. Organizations that were well secured were still attacked but there were almost no monetary damages associated with those attacks. Poorly secured organizations could not say the same thing.  Over half, 54 percent reported monetary damages, 49 percent lost productivity, 43 percent lost reputation and 43 percent reported hits to their stock price and compliance penalties.

Much of that insecurity arises from the security of the connections within those vast IoT networks. Not just connections between devices but connections from the devices within a network to the outside world. IoT devices often need updating – partly due to the famously shabby security of many such devices – and third-party providers will often push new features and security patches to their product via Over-the-Air updates (OTA).

One common tactic is for a hacker to write malware, disguise it as an OTA update to a device and then proceed to enslave the devices it is claiming to update, bending it to their will. From there, there’s plenty an attacker can do. They could enlist that device into a botnet, or use that as a window ledge to climb further into your network.

Given the rabidly enthusiastic adoption of the IoT at all levels of business, there are and will be tonnes of new connections to each new adopter. If it’s those connections that are exposing a network to attack, then they have to be protected. More and more, companies are using code signing to help lock those new connections down.

SEE ALSO: Security measures to protect your IoT devices

Code signing allows organizations the ability to verify the integrity of a piece of software, and most importantly its source. By using public key cryptography, software authors can digitally sign their software, ensuring that its end user can trust the integrity of that code – that it was made by a trusted source and that it has not been tampered with since that signing.

The importance of code signing in the IoT has been demonstrated time and time again. Last year, two researchers demonstrated how an IoT pacemaker from medical device manufacturer Medtronic could be exploited in exactly this way. The researchers found that due to lack of code signing within the pacemaker, an attacker could deliver malicious updates to the device to remotely take control of it.

The true landmark example happened several years before. When Charlie Miller and Chris Valasek hacked the Jeep Cherokee at the 2015 Blackhat conference, the wider world gasped. This was one of the most profound examples of an IoT hack that had ever been publicly displayed – and thankfully it wasn’t found in the wild. Suddenly, hacking wasn’t just about data anymore. Hackers – in this fortunate case whitehats – could reach out and touch the real world in very real and very scary ways.

The key to the hack was the connection between the communications system of the car – called the CAN bus – and its head unit the increasingly computerized entertainment system that used to only consist of an AM/FM radio, and if you were lucky, a tape deck. Through that connection, Miller and Valasek could reflash a microchip which the CAN bus was depending on and turn the car to their own will.

Critically, noted Miller at Blackhat 2015, “there’s no code signing; you can update the chip, no questions asked.” It was largely that simple oversight that woke the world up to the malicious possibilities of the IoT and a frank reminder that as promising as the IoT could be, it could almost as easily be turned against its owners.

People are beginning to take the hint. Tesla, Elon Musk’s electric car company, has already pushed out code signing protection to their vehicles and more enterprises are taking the above lessons on board when it comes to the IoT.

Innovation is an exciting thing. No one’s denying that. But in that rush, organizations can open themselves up to potentially catastrophic vulnerabilities, by not considering the wider security oversights that their enthusiasm blinds them to. If organizations are serious about seizing hold of the innovative potential of the IoT, they’ll have to take account for their own security.


Mike Nelson

Mike Nelson is the VP of IoT Security at DigiCert, a global leader in digital security.  In this role, Mike oversees the company’s strategic market development for the various critical infrastructure industries securing highly sensitive networks and Internet of Things (IoT) devices, including healthcare, transportation, industrial operations, and smart grid and smart city implementations. Mike frequently consults with organizations, contributes to media reports, participates in industry standards bodies, and speaks at industry conferences about how technology can be used to improve cyber security for critical systems and the people who rely upon them. Mike has spent his career in healthcare IT including time at the US Department of Health and Human Services, GE Healthcare, and Leavitt Partners – a boutique healthcare consulting firm.  Mike’s passion for the industry stems from his personal experience as a type 1 diabetic and his use of connected technology in his treatment.

Inline Feedbacks
View all comments