As the haunting hour of Halloween nears, IoT Insider reflects on the “scary” side of cybersecurity: the risks of failing to secure embedded devices properly. Halloween is a universal holiday celebrated on the 31st October, with its roots in pagan traditions, and is now better recognised as a commercial holiday during which people spend serious money.
Embedded devices are specialised computing devices that perform a specific function within a larger system. They typically contain both hardware, like sensors, processors and communication modules, and software, to carry out particular tasks. In other words, embedded devices are the “smart” components in systems that allow them to sense, process and communicate data.
As an example, an embedded device within a smart thermostat could be designed solely for monitoring temperatures, adjusting HVAC settings and communicating data to users or other systems.
Because of how important they are to devices like smart thermostats and wearables, as well as industrial and automotive sensors, the risks posed by embedded devices that are not secure become immediately clear.
One of these ‘frightening’ risks is device hijacking, where attackers take control of unsecured embedded devices and use them to create botnets. Perhaps the most well-known example is the Mirai botnet, which infected thousands of IoT devices and was instrumental in raising awareness of the cybersecurity risks and the subsequent need for better device design, cybersecurity implementation and regulation.
Other risks include network breaches, as embedded devices can serve as entry points into a network, along with data theft, device manipulation and service disruptions. Attackers can disrupt embedded devices by taking them offline, which can wreak havoc on different applications. In an industrial environment, for example, this could mean production downtime and loss; in healthcare settings, this could affect patient care.
It’s not all doom and gloom, however. Stephan Janouch, Technical Marketing Director, EMEA at Green Hills Software, delivered a talk at the 10th edition of the IoT Security Foundation Conference where he shared 10 rules to building unsecure embedded systems – which looked at retrofitting security; open source software; tools; operating systems; certifications; AI; modularisation; separation; social engineering and updates.
After sharing his insights into the steps that would help companies to create unsecure embedded devices if followed, Janouch addressed each point in turn and spoke about good cybersecurity practices.
“When you’re talking about tools, you get what you pay for,” he said. “You can go with something cheap, and you’ll get the cheap tool. This may not make an obvious difference at first, but in the time you’re using it, how fast is the tool? How long does it take to compile code? How big is the code, is it efficient?”
Certifications, Janouch stressed, “are worth looking into. You have to think [that] in the long run, whenever you are doing your own certification, having certified modules and tools will save you time and money.”
The IoT Security Foundation Conference, which convened to talk about big topics related to cybersecurity including navigating regulatory requirements, secure by design and understanding the risks, showed how the IoT industry is coming together to talk through these joint challenges and share knowledge, to make sure that spooky events like device hacks and botnets become the stuff of fiction and horror films.