
Who Is Responsible for IoT Device Security?

If this were a test question on a college exam, you would have a set of multiple-choice answers, such as:

    A. The device manufacturer that initially builds the device.
    B. The device integrator, who builds the device into an end-user product.
    C. The value added reseller that distributes the device to consumers.
    D. The customer, who installs or sets up the device or third-party product in the end-user environment.
    E. All of the above.

The answer may be surprising to some, but it is of course “E. All of the above.” Everyone along the chain from manufacturing to integrating and using the product plays a role in ensuring that the device is properly set up to thwart improper access, device hacking and malware attacks.

Many people believe that security can be fully implemented by the device manufacturer, or that it’s possible to install a security-focused software program to detect and thwart hacking. But in fact, true device security is a combination of technologies, processes and best practices.

Why Device Security Requires a Multi-Pronged Approach

There are several key reasons why device security requires multiple technologies and practices across the chain from manufacturing to end-use:

  1. Each enterprise has different security requirements. Retail and financial institutions that process transactions need a high level of security to protect customer data. Healthcare organizations that handle sensitive personal information also require a very high level of security. At the other end of the spectrum, there are many use cases in which extreme security is not required, and it does not make sense to take the extra measures, as they add cost for the consumer.
  2. The threats change. The technologies and practices in use today may not be enough to thwart the attackers of tomorrow. See our previous post, Lessons Learned from the KRACK Vulnerability, for additional insights.
  3. Consumers do not want to pay for the amount and type of built-in security that businesses require.

Device Security from the Manufacturing Perspective

In this post, we will talk specifically about the key security measures that should be designed into the product by your device manufacturer if you are a product integrator or value added reseller, so that others further down the chain can implement proper security. For example, if you are seeking to incorporate one or more vendors’ embedded modules and radio frequency products into your product design, it is important to review the security measures taken in the manufacturing phase.

In these instances, the devices must enable secure functionality. The device manufacturer’s responsibility is to build in secure features, which can then be implemented by the integrator or end-user. As a best practice, the manufacturer should include a comprehensive set of controls that can be enabled as needed. These controls are essentially the laws that govern the product and ensure it behaves in a secure manner. In this article, we refer to this set of controls as a “manufacturer security framework.”

To demonstrate, let’s look at some specific examples.

Example 1: A Security Feature Implemented Within a Device

In this example, we will discuss a feature called “secure boot.” The intent of secure boot is to make sure no unauthorized code ever runs on the device. At Digi, for example, we have defined a number of controls within our manufacturer security framework for this purpose.

The controls we have assigned to secure boot include the following:

  • When the device boots, all code objects that are loaded are cryptographically verified as coming from the device manufacturer.
  • When software is updated, all updates are cryptographically verified as coming from the device manufacturer.

While we require the secure boot control, our developer has many technical options for how to implement it. For example, when sourcing a manufacturer’s CPU, our developer must first evaluate the capabilities of that component to determine how to implement the control. In the case of secure boot, if the CPU offers a High Assurance Boot (HAB) feature, the Digi developer can use HAB on the product under development to meet the secure boot control requirement.

This security framework ensures that a full range of critical security controls is built in during the development of the product, but still provides the developer with some choice as to the method. When all security controls are in place and development is complete, each of these controls must then be tested and validated.

Example 2: A Security Feature Implemented by the End User

Another example of a secure code feature is the ability to validate end-user code that runs on a device. With the trend toward edge computing, code validation, and the infrastructure to support it on an edge device, are becoming critical. Validating scriptable end-user objects does not happen at the manufacturer’s level, but at the end-user level. The manufacturer needs to support the functions that make this possible; end users must then enable these functions on their devices and code upon deployment.

It is important to note that it is the validation of a control that ensures secure operation. This happens not only at the manufacturing level, but across all phases of product implementation. For a set of framework controls for end users to implement for device security, see the Center for Internet Security (CIS) site at www.cisecurity.org.
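To make Examples 1 and 2 concrete, here is an added model (example code, not Digi’s code and not an implementation of HAB) of one verification path serving both controls: a signer publishes a manifest of SHA-256 object hashes under an Ed25519 signature, and the device, holding only public keys, checks the signature, a rollback counter and every object before loading anything. The manufacturer key covers boot stages and firmware updates; the end-user key stays nil until the end user provisions it at deployment, and a nil key rejects scripts rather than running them unverified. The manifest layout, the version counter and the error names are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

var ErrUntrustedKey = errors.New("manifest not signed by a trusted key")
var ErrRollback = errors.New("manifest version older than the installed one")
var ErrObjectHash = errors.New("object hash does not match manifest")

// Manifest ships with a firmware release or an end-user script bundle: a
// monotonic version, the SHA-256 of every object in load order, and a signature.
type Manifest struct {
	Version uint32
	Hashes  [][32]byte
	Sig     []byte // Ed25519 signature over encode()
}

// encode is the exact byte string that is signed and later verified.
func (m *Manifest) encode() []byte {
	buf := make([]byte, 4, 4+32*len(m.Hashes))
	binary.BigEndian.PutUint32(buf, m.Version)
	for _, h := range m.Hashes {
		buf = append(buf, h[:]...)
	}
	return buf
}
// Sign runs on the signer's side (manufacturer or end user), never on the device.
func Sign(priv ed25519.PrivateKey, version uint32, objects [][]byte) *Manifest {
	m := &Manifest{Version: version}
	for _, o := range objects {
		m.Hashes = append(m.Hashes, sha256.Sum256(o))
	}
	m.Sig = ed25519.Sign(priv, m.encode())
	return m
}
// Verify is the control itself. The device holds only the public key; a nil key
// (validation not yet enabled by the end user) rejects rather than falling open.
// Order matters: signature, then rollback, then every object; load nothing before.
func Verify(pub ed25519.PublicKey, installed uint32, m *Manifest, objects [][]byte) error {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, m.encode(), m.Sig) {
		return ErrUntrustedKey
	}
	if m.Version < installed {
		return ErrRollback
	}
	if len(objects) != len(m.Hashes) {
		return ErrObjectHash
	}
	for i, o := range objects {
		if sha256.Sum256(o) != m.Hashes[i] {
			return ErrObjectHash
		}
	}
	return nil
}
```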

Digi’s framework of manufacturer security controls, called Digi TrustFence™, includes:

  • Secure boot
  • Authentication and secure connections
  • Encrypted storage
  • Secure updates
  • Certificate and policy management
  • Protected hardware ports
  • Device identity
  • Ongoing monitoring and support

The Digi TrustFence™ solution is not a single security feature, such as a software program that can be hacked. It is a multi-pronged approach designed to ensure that devices are secure from common attacks, and that device integrators and end users have the ability and functions needed to establish a secure configuration in deployment.

The intent of Digi TrustFence™ is to start the secure IoT story from the manufacturing perspective. If you are an integrator, or application developer, there are similar security frameworks such as the OWASP top 10 (www.owasp.org) for security controls on IoT devices. These frameworks provide controls that can be implemented at multiple phases from the manufacturer to the end user.

To continue this story, your own organization must assess what you have in place for a security framework. Does your organization have a set of published best practices? Does your supplier offer a security framework for its customers? Are you fully implementing all available controls to avoid any single point of failure?

>> Take a look at Digi TrustFence for more details on how to solve security challenges across the IoT landscape.

Internet of Things Device Security: Five Simple Steps (video)

Device security is a critical and complex step in designing an Internet of Things strategy. Digi’s Chief Technology Officer, Joel Young, discusses five critical areas of IoT security.

Cover these, and you’re on the right path:

  • secure boot
  • authentication
  • protected ports
  • storage
  • secure connections

In this five-minute video, Joel shares which questions to ask and what steps to take in order to ensure strong IoT device security.

You can get the transcript of this video here, and learn more about Digi TrustFence here.

Endress+Hauser Chose Digi Connect Sensor+ Cellular Gateway for Inventory Management

Endress+Hauser, a manufacturer of instrumentation measurement technology for the process industry, looked to Digi to help develop a more robust inventory management system to take better advantage of the data from their flow, level, pressure and temperature measurement devices.

“We are serving the chemical industry, oil and gas, pharmaceutical, food and beverage, primaries and water and wastewater reserve-focused industries,” explains Thiemo Fichter, head of product management inventory management solutions, Endress+Hauser. “There, we can measure pretty much every process variable.”

Most customers were still in the manual inventory monitoring mode, unable to automate the replenishment process to get product when and where they needed it consistently. Digi Connect Sensor helped E+H collect and deliver the information customers needed to make more timely replenishment decisions.

“We provide this inventory information into the business process. Our customers can get everything out of one hand, from the sensor in the physical world via the connectivity of the data, converting this into information up to the level where we integrate this information into our customer’s business process, their ERP landscape.”

In the video below, Fichter explains why Endress+Hauser chose the Digi Connect Sensor+ Cellular Gateway.

Learn more about Digi Connect® Sensor+ here >>

5 Lessons Learned from the Mirai DDoS Attack

Security is always top of mind when it comes to IoT devices and applications. The recent Mirai DDoS attack in October 2016 is an important reminder that IoT device manufacturers—and consumers—need to be vigilant with security, both out of the box and at home.

Recently, Andrew Lund, Digi’s Product Marketing Manager for Wireless M2M and IoT, shared his thoughts with IoT Evolution on the Mirai attack and what lessons could be learned to help improve security for IoT devices and applications. Below is an excerpt of five of Andrew’s best practices from IoT Evolution’s piece, which you can read in full here.

  1. Change default passwords:
    Given the attack vector that Mirai used, it’s clear that one area where device OEMs can make design decisions to increase security is passwords. The days of leaving the default password unchanged are over, so manufacturers must either force users to change passwords or create “default” passwords that are unique to each individual IoT device.
  2. Don’t allow insecure ingress protocols:
    Mirai malware contains “killer” scripts that remove other worms and Trojans, allowing Mirai to maximize its use of the infected host device. But Mirai also goes one step further and closes processes that are used for remote ingress attempts, like Telnet, SSH, and HTTP.
  3. Secure remote management tools:
    Remote management tools are an efficient, cost-effective method of remotely monitoring, updating and managing connected devices. Users can set performance parameters for healthy devices and create reports and alarms for suspicious activity. Using a remote manager that incorporates PCI-DSS and other relevant security certifications in the cloud, such as HIPAA and NIST, allows users to define a device profile, assign the profile to all devices in a group, and monitor and auto-remediate any variances. The best remote management tools can also restrict incoming traffic to only allow SSL connections, eliminating unencrypted TCP connections.
  4. Firmware updates:
    Firmware updates must be completed securely (authentication) and automatically, or at a minimum, users must be notified/prompted when a new firmware update is available.
  5. Packet encryption:
    This consists of basic encryption, such as FIPS-197/AES, to protect messages from unauthorized viewing or malicious changes. This method is easy to implement and use, especially in conjunction with private keys.
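As an added illustration of lessons 1 through 4 (example code, not from the IoT Evolution piece and not a Digi product), the check below models the device-profile comparison a remote manager would run: it takes a constructed device state and a group profile and reports each variance with the remediation to apply. The field names, port numbers and dotted version format are assumptions of this example.

```go
package main

import "fmt"

// DeviceState is what the remote manager collects from one device (constructed fields).
type DeviceState struct {
	Firmware        string // dotted version, e.g. "2.4.1"
	DefaultPassword bool   // factory credential never changed (lesson 1)
	OpenPorts       []int  // TCP ports reachable from the network (lesson 2)
	TLSOnly         bool   // management plane accepts only TLS connections (lesson 3)
}

// Profile is the policy assigned to every device in a group.
type Profile struct {
	MinFirmware  string       // lesson 4: oldest firmware still acceptable
	AllowedPorts map[int]bool // lesson 2: any other listening port is a variance
}

// Variance pairs a finding with the remediation the manager should apply.
type Variance struct{ Finding, Remediation string }

// versionLess reports whether a < b for up to three dotted numeric components; a missing component counts as 0.
func versionLess(a, b string) bool {
	var x, y [3]int
	fmt.Sscanf(a, "%d.%d.%d", &x[0], &x[1], &x[2])
	fmt.Sscanf(b, "%d.%d.%d", &y[0], &y[1], &y[2])
	for i := range x {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return false
}

// Variances evaluates one device against its profile; an empty result means
// compliant, anything else is alarmed or auto-remediated by the caller.
func Variances(p Profile, d DeviceState) []Variance {
	var out []Variance
	if d.DefaultPassword {
		out = append(out, Variance{"default password still in use", "force credential change on next login"})
	}
	for _, port := range d.OpenPorts {
		if !p.AllowedPorts[port] {
			out = append(out, Variance{fmt.Sprintf("ingress port %d open", port), fmt.Sprintf("close port %d", port)})
		}
	}
	if !d.TLSOnly {
		out = append(out, Variance{"plaintext management connections accepted", "restrict management to TLS"})
	}
	if versionLess(d.Firmware, p.MinFirmware) {
		out = append(out, Variance{"firmware " + d.Firmware + " below minimum " + p.MinFirmware, "push authenticated firmware update"})
	}
	return out
}
```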

TO LEARN MORE, READ THE FULL POST HERE >>

Big Data and IoT Team Up for the Gaming and Lottery Industries

Online gaming and virtual gambling have risen significantly due to increased mobile accessibility, social media, technology advancements and expanded internet connectivity. Big Data and the Internet of Things (IoT) are proving to be even more of a game changer for these industries by collecting large amounts of data, from a variety of gameplay data sources, while rapidly connecting and communicating to thousands of sites.

You may experience this IoT evolution when you are playing Words With Friends® on your smartphone with college classmates across the country, or when you play poker on your computer with complete strangers across the globe. Regardless of your gaming or gambling experience, we all know how critical a real-time connection is when we are trying to win. Now translate those wins into $6 billion of revenue, and the stakes of rapid connectivity are significantly heightened, as they are for the world’s largest slot machine manufacturer, International Game Technology (IGT). With more than 400,000 point-of-sale devices in 100 countries, IGT turned to Digi TransPort® LTE wireless routers to keep those bets and wagers flowing; watch the video below to learn why:

The 10 Security Factors Every Device Designer Should Consider

The following is an excerpt from our recent whitepaper, IoT Device Security, Built-in, Not Bolt-on: The 10 Security Factors Every Device Designer Should Consider. This guide was written to help you navigate security considerations before they become threats, so you can get back to designing the best IoT product or application possible.

The Rising Tide of Security Threats

Limited only by designers’ imaginations, the Internet of Things (IoT) is changing how people live. From medical devices and fitness trackers to tank sensors, smart thermostats, intelligent streetlights, water monitors, and more, the IoT is in more places than ever.

However, by relying on wireless networks, those hundreds of millions of IoT devices present a greater “attack surface,” making them tempting frontline targets for competitors, hackers, disgruntled employees, and other bad actors. Unfortunately, the tools and techniques we’ve applied to PC/smartphone platforms often don’t work well in the IoT, for several reasons:

  • Resource Limitations – Small-footprint IoT devices typically have far less battery power, processing speed and memory. They lack the power and sophistication required to support traditional security measures.
  • Data Complacency – Many companies view the data in their IoT networks as mundane and having little intrinsic value outside the organization. But many breaches are motivated by other factors, such as competitive advantage, social status, or revenge. The data isn’t the goal – the hack is.
  • Availability of Tools – The tools and expertise to analyze and modify embedded/IoT devices are widely available – even to hobbyists.
  • No Physical Access Required – One of the advantages of the IoT is that devices can be remotely configured/upgraded without the need for dispatching a truck. However, thanks to wireless connections, hackers don’t need physical access to the device, such as USB or other I/O ports, either.
  • Interface Differences – Embedded devices have no GUIs, and error messages can be as basic as a coded series of beeps or flashing lights. This is particularly true for security status and control functions, which allows security alarms to be overlooked.
  • Hardwired Ports – These provide unfortunate opportunities for compromise. IoT solutions can’t simply implement a strong password over a TLS connection – the most common approach for PC/Internet applications.

IoT solutions need a different approach, and the effort required to identify and mitigate the unique security risks in embedded systems is often underestimated, if not overlooked entirely.

>> To learn more, read the full whitepaper here.

3 Holiday DIY Internet of Things Projects

With Black Friday and Cyber Monday behind us, the holidays are officially in full swing. To help get you in the holiday spirit, we’ve curated some of our favorite connected creations that take holiday celebration to the next level.

Here are some of our favorite Internet of Things-powered projects to keep you occupied this holiday season.

Enjoy!

Internet of Things (IoT) meets the Internet of Holidays (IoH)

The OpenDNS Security Labs team took a look at IoT traffic throughout the holiday season and examined the patterns that emerged.

Internet of Things Christmas Tree

Make your own IoT Christmas tree with this handy how-to from our friends at Instructables!

The IoT Holiday Lights Project

Find out what Twitter, a Christmas tree, and minions all have in common with this clever IoT holiday project.


Have you seen a worthy holiday IoT project? Let us know in the comments below, and we’ll add it to the list!

Planet e: Electronica and the IOT

The Digi team had a great time at Electronica 2016, a trade show that takes place every other year in Munich.

This year over 73,000 attendees and 2,800 exhibitors helped the event live up to its billing as “the best place to see the entire world of electronics here—on Planet e.”

But, what impressed us the most was the number of applications and topics, as the Internet of Things (IOT) is bringing innovations that permeate every industry and product category.

Exhibits covered topics ranging from automotive and industrial process control to consumer wearables and connected health. Embedded computing and integrated sensors along with ubiquitous connectivity are truly transforming every industry.

Here are a few creative ways we saw engineers using embedded computing and connectivity:

To learn more about how Digi can help make your product smarter and connected to the IOT, click here.
