The Internet of Things (IoT) has long been a game of rush-to-market, with production speed trumping security in the stampede, says ESET Southern Africa.
Securing millions of non-standard devices as disparate as home thermometers, smart TVs and cars is no trivial task. It is somewhat simpler if they have simple stripped down embedded processors, but often they contain full-fledged and powerful network-connected operating systems, with all the security problems those present.
In previous years, it was non-obvious whether vendors were attempting to create security solutions without a corresponding real world threat. But as we see Android-related malware numbers steadily climb, it is no longer rare to spot scams or worse, on the platform. Additionally, as the importance and placement of IoT devices in more critical applications increases (think: “cars”), keeping rogue processes contained – regardless of their origin – seems wise.
One approach is to make each operating process mutually suspicious, containerize ed and separate from each other. But development is slower than just bolting on a standard OS like Android and shipping the product.
The good news is that Android security vendors here are implementing increasingly secure environments, but the rate of adoption is still far outpaced by the number of new devices hitting the market with unknown and unproven security chops.
Back to the mutually suspicious, or trusted computing platforms. While more difficult to develop against, they are typically far more resistant to attack. This has garnered the attention specifically of the automotive, government, and critical infrastructure market segments.
For some companies such as Lynx Software Technologies have been at it for some time now, and offer unique ways to approach the problem, with everything isolated – cores, memory, application, system and other resources – to form a very breach-resistant constellation of digital barriers that would curb the spread of nasty things. This sort of “paranoia” is most welcome in applications like avionics or medical devices, where no one wants to see “bad things” happen, and fundamentally, no-one wants. Prevention is better than detection.
Also, the network security folks have focused squarely on defending against rogue threats found on networks you might not think to look at, like CAN bus on automotive, or even ICS-related protocols like Modbus, which have been lightly defended (if at all) for decades.
As the importance and popularity of IoT continues to escalate and people place more valuable information thereupon, scammers and more hardened cybercriminals, will continue to look for new ways of attacking and compromising the swarm of devices which now surround us.