Sobering IoT Stats and Vulnerabilities Place New Emphasis on Code Protection

There’s been an increase in chatter regarding the Internet of Things (IoT) as of late and frankly I’m not a bit surprised. The eCommerce Times suggests that IoT will be a $7 trillion (that’s trillion with a T) market in just six years (2020) and IDC estimates that there will be approximately 212 billion things connected to the Internet globally by that same year. That’s near unprecedented growth and should be some cause for concern.

Why the concern? Without proper protections, IoT devices, (including connected cars ), are often left exposed to vulnerabilities and security risks, including:

  • Lack of sufficient bus protection. The signaling and communications bus, CAN bus, lacks the necessary protection to ensure confidentiality, integrity, availability, authentication, and non-repudiation.
  • Weak authentication. It’s very possible to re-program the ECUs illicitly.
  • Misuse of the protocols. Denial of Service (DoS) attacks via CAN; malicious error messages can be used to trigger the fault-detection-mechanism in CAN.
  • In the case of connected cars… poor protocol implementation. For example… reprogramming the ECU while the vehicle is moving is not allowed, however it is possible to launch commands that disable the CAN communication and set the ECU into programming mode while the vehicle is moving.
  • Information leakage and corruption. Hackers can manipulate the diagnostic protocol by sniffing ordinary diagnostic sessions and injecting modified messages.

Sensor technologies in IoT devices need to be “hardened” to resist hacker attacks. Other software protection best practices include code protection starting at the source code level and white-box cryptography.  Code protection is a tool used to “harden” software application code to prevent reverse engineering and other techniques used by cyber-criminals to gain access to sensitive information and resources contained in applications. It achieves an unprecedented level of security by applying effective integrity protection, code obfuscation, anti-piracy, and anti-debug techniques to application code; whereas white-box cryptography keeps secret cryptographic keys well hidden within app code even during runtime. 

This August we should have some interesting data to post here at our blog. At the DefCon 23 security conference, hackers will be hosting a so-called IoT Village, where they will try to break and hack connected devices. It stands to reason that security flaws will be exposed, eyes will opened, and IoT will generate even more chatter, though perhaps not the kind it ultimately wants.

We’ll leave our post with some sobering thoughts and stats on IoT (link to that should have you thinking about security measures:

  • In 2008 there were more things connected to the Internet than people on the planet
  • In 2020, 90% of automobiles will be connected to the Internet (connected cars)
  • Despite its enormous hype, 87% of consumers have not heard of the term ‘Internet of Things’
  • Connected wearables will become a $6 billion market by next year

Be sure to check out the blog linked above for even more figures and stats.

Photo credit to Kurt Bauschardt.