Swimming with Sharks in the IoT
Hackers, like sharks, can sense blood. Not literally, of course, but they can detect the slightest vulnerability in your code, and when they do, they go in for the kill. This, understandably, makes manufacturers of intelligent devices nervous, and is why some of them will go to great lengths to cover up security flaws – even if it means blocking vital research.
Just last year, Volkswagen took High Court legal action to silence claims that the keyless ignition system in its luxury cars could easily be compromised. According to the report that eventually surfaced, thieves were able to intercept signals sent between the electronic vehicle immobilizer and key fob, and crack the code within 30 minutes! The implications of this type of cyber theft are huge; not only could it end up costing the company millions to fix and do irreparable harm to its brand, it also poses serious road safety issues.
Another company defensive about its ability to provide robust security is tech giant Oracle, which has seen an uptick in customers reverse engineering its code in order to uncover security vulnerabilities. In an unusual act of self-censorship, the company took down a rant it posted online on the subject, fearing the inevitable backlash.
Confidence in the tech industry took another hit recently when Juniper confirmed that its ScreenOS operating system had been vulnerable for years. The global provider of networking equipment had no choice but to issue a security announcement warning customers to patch their enterprise firewalls against bad code. Juniper had good cause for concern, as this code was designed to enable attackers to take over its devices and decrypt VPN traffic.
Speculation as to who planted the unauthorized code there began to grow. Documents stolen by whistleblower Edward Snowden pointed to the NSA as the probable culprit. In a twist worthy of a John Grisham novel, the documents identified Cisco – Juniper’s largest rival – as another victim of government tampering. Cisco was quick to deny the rumors, claiming that the security of its code is rock solid due to a strict no-backdoor policy. However, the company’s decision to begin an internal code review to find “malicious modifications” suggests that perhaps it’s not quite as confident in its own implementation as it would have you believe.
Expect the unexpected
In a connected environment like the IoT, where a fresh attack surface is born virtually every time a new device enters the market, these types of hacking attempts are par for the course. While it isn’t possible to completely eliminate the threat of unauthorized use and reverse engineering, there are preventative measures one can take to ensure their code, and by extension their device, is as safe as today’s technology will allow.
In my presentation at LicensingLive! 2015 and accompanying blog post, I explore various techniques you can use to protect the core of your device and create a more secure connected experience.