Pop Nukoonrat, Dreamstime.com
Cyber Resilience Dreamstime Pop Nukoonrat 608032f795899

Cyber Resilience for IoT: Securing Access to Embedded Devices

April 21, 2021
Because the internet essentially connects every device to every other device online, they all turn into network nodes and thus become vulnerable.

This article is part of the Communication and Systems Design Series: Fortifying Cyber Resilience in the IoT

What you'll learn:

  • Different ways hackers access IoT devices.
  • How to gird against these types of hacks.

Introducing cyber resilience to embedded IoT devices requires considering security at multiple layers and levels, for both hardware and software, from OS to application. Hackers can exploit vulnerabilities and attack a system in many ways. The first step, though, is for hackers to access the system. Consequently, the first layer of defense is to prevent such access from occurring.

The following are common ways that hackers can access embedded IoT devices:

Direct physical access

An attacker may have direct physical access to the system. This means the attacker is able to physically touch the device. A person who can touch a device has the potential to take it apart, replace the content of its internal memory, sniff its interfaces with an analyzer, type in commands, look over someone’s shoulder to compromise a passcode, and any other number of exploits.

Direct physical access can be prevented—or at least monitored and limited—in applications such as equipment in a smart factory, where access to the factory floor is managed by a keycard system. For many embedded IoT systems, however, physical access is impossible to prevent because of where the device must be deployed.

Consider smart devices in a home. A key factor in the market success of smart-home devices is ease of use, particularly ease of provisioning. For example, users might only need to press a button on the side of the device to gain access to the device. Thus, anyone inside the home can connect to the device, potentially with full admin capabilities. Many similar devices are used in the workplace. Gaining access to these devices potentially provides access to the IT network at large.

Physical proximity

With the ubiquitous presence of wireless technology, attackers don’t necessarily require direct physical access to attack a device. It may be enough that they can be within radio range. Thus, an attacker standing outside on the sidewalk could gain access to a smart home or smart building device.

Note that anyone can access a wireless device if they’re within range. That’s why security must be implemented across multiple layers of hardware and software.

Connected to the internet

Numerous vulnerabilities are potentially exploitable simply if a device is connected to the internet. The attacker doesn’t even need to have access privileges to launch a successful attack. For some scenarios, the attacker only has to be able to discover the device and send it messages or be able to intercept messages to and from the device.

Many connected devices can see messages that are intended for other devices. Imagine if a hacker replaced a hacked router in the workplace. Every message passing through this router could now be accessed.

Because it’s not possible to guarantee that a hacker can’t access a message as it’s being transferred across the internet, the message itself needs to be secure. Furthermore, a hacker could capture communications and duplicate them to try and force repeat behaviors from the system. This is possible even if the message can’t be read by the hacker. Therefore, messages must be secured from transaction to transaction and have security measures to prevent replay attacks.

As can be seen, there are many ways to exploit access. What’s important to realize is that access to a system isn’t completely preventable. By its nature, the internet connects every device to every other device online. As soon as a device becomes a network node, regardless of the form of access, it’s vulnerable. The best security, in fact, assumes that hackers do have access.

If we assume hackers can access IoT networks and the devices on them, our strategy must shift from preventing access to protecting it as best as possible. In terms of access, the security to put in place is for a device to require credentials and authentication before it accepts commands, data, code, or any other critical communications from an external source.

Next time, we’ll explore authentication to manage access and how it’s implemented in embedded IoT devices.

Read more from the Communication and Systems Design Series: Fortifying Cyber Resilience in the IoT

About the Author

Zhi Feng | Senior Principal Applications Engineer, Infineon Technologies

Zhi Feng is a Senior Principal Applications Engineer in Infineon’s Flash Solution team. He completed his Bachelor’s degree in EE from South China University of Technology, and his Master of Applied Science degree from the University of Ottawa in Canada. He has been with Infineon for 17 years, working in the NOR and NAND memory fields. His recent focus has been on building a secure embedded system with NOR flash memories.

Sponsored Recommendations

Comments

To join the conversation, and become an exclusive member of Electronic Design, create an account today!