Menu

IoT FEATURE NEWS

CIA, NSA and the IoT: What We Learned

By

In his June article, The NSA wants to exploit IoT devices for surveillance and sabotage, Pierluigi Paganini foretold: “Thanks to the Internet of Things devices, we become nodes of a global network, hacking this network allow spies to spy on everyone. This is also the intent of the U.S. National Security Agency who is working to develop cyber espionage capabilities through IoT devices.”

Although the recent release of WikiLeaks documents credits the CIA as developing and co-opting an arsenal of technology targeting a wide range of IoT devices, the result remains the same. Consumer and business devices including Smart TVs, Apple and Android phones, routers, and other everyday devices are actively used to eavesdrop on voice and data communication.

Using a connected device to collect information is nothing new, but the widespread activities reported by Wikileaks are on an unprecedented scale. It is also one of the first times we’ve recognized that IoT devices are targeted. Let’s look at WHY and HOW these IoT devices were targeted.

Attacking the IoT
The need to secure any computing device should be obvious by now, but many companies developing IoT devices are still completely ignoring ignore security precautions or are implementing it as a hack only when vulnerabilities are actually exposed. Unfortunately, companies that view security as a critical feature and are pursuing a full product lifecycle approach to securing their devices and networks are in the minority.

Organizations with the resources of the CIA and NSA can develop effective cyberattacks against a wide range of IoT devices and will continue to do so even as new defenses are developed.  Their respective teams realize that innocuous IoT devices contain easily exploited vulnerabilities that do not require sophisticated cyber-attacks to expose. Often, the devices have backdoors for remote access by service technicians, weak or no authentication methods, or default passwords where the manufacturer doesn’t simply enforce a change.  The ease of compromising those devices hardly requires a nation-state.

It is surprising however, that many devices that include basic cyber-security defenses also often fall short.  They may provide a level of protection by encrypting network traffic, or harden the device using code signing for trusted boot or provide other defenses against cyber-attacks.  In many cases, however, these measures don’t go far enough. Each device is different, but most fail to provide security on all the device’s interfaces, leaving something to exploit or attack.  For example, some IoT devices have smartly implemented SSH to provide secure communication, but unfortunately used an identical shared key for an entire manufacturing run.  If that shared key is then compromised, and it will be, all devices using the key are vulnerable. 

Addressing the problem
Device security can no longer be viewed as an option.  Developers must address security during the earliest design stage of a device and set the bar high.  Even if it is not practical to implement a full security roadmap in your next product release, it is important to get started. If you can create a base of security in your device, you can build upon it in subsequent releases.

Secure remote update capability, intrusion detection, and security management are critical features and a great starting point. Those features detect attempted attacks against a device, provide strategic notifications of the attacks, and take the proper action to mitigate attacks. 

Conclusion
The CIA debacle is a reminder criminal hackers aren’t the only ones looking to exploit security vulnerabilities.  The overwhelming conclusion is the increasing emphasis on the importance of security in the IoT. The only way to stop attacks is to take security seriously. Regardless of the device or application, it is critical to build in security from the beginning.  

David West is the Director of Engineering for Icon Labs, a leading provider of security solutions for embedded devices. You can reach him at [email protected]




Edited by Ken Briodagh
Get stories like this delivered straight to your inbox. [Free eNews Subscription]


SHARE THIS ARTICLE
Related Articles

Rising Edge Computing Investments to Reach $350B by 2027, According to IDC

By: Alex Passett    3/27/2024

Worldwide spending on edge computing is expected to surge (and then keep going) for the foreseeable future, according to the International Data Corpor…

Read More

ZEDEDA Adds Lisa Edwards as New Board Member, Seeks Opportunities to Strengthen Operations and Scale

By: Alex Passett    3/26/2024

Earlier this morning, ZEDEDA announced the addition of Lisa Edwards to its board of directors.

Read More

An Existing IoT Collab, Emboldened: Digi International and Telit Cinterion Transform Solutions with 5G RedCap Integration

By: Alex Passett    3/25/2024

The ongoing industry collaboration between Digi International and Telit Cinterion signals strong support for the mainstream showcasing of 5G for IoT a…

Read More

Telit Cinterion's 5G LGA Modules, Powered by Snapdragon from Qualcomm, to Create a Big Leap in IoT Connectivity

By: Alex Passett    3/25/2024

Telit Cinterion recently unveiled its FE990B34/40 LGA family of modules, powered by the Snapdragon X72 5G Modem-RF System from Qualcomm Technologies, …

Read More

Embracing Innovation in Mining: The Role of Network-Aware Applications in the Digital Transformation

By: Special Guest    3/21/2024

Shabodi leverages private 5G network capabilities and enables the development of network-aware applications to enhance operational efficiency, automat…

Read More