The prpl Foundation announces its visionary document for an open, hardware-led approach to make life-threatening flaws in connected devices a thing of the past
As the Internet of Things finds its way into ever more critical environments – from cars, to airlines to hospitals – the potentially life-threatening cyber security implications must be addressed. Over the past few months, real world examples have emerged showing how proprietary connected systems relying on outdated notions of ‘security-by-obscurity’ can in fact be reverse engineered and chip firmware modified to give hackers complete remote control. The consequences could be deadly.
A new approach is needed to secure connected devices, which is exactly what the prpl Foundation is proposing in its new document: Security Guidance for Critical Areas of Embedded Computing. It lays out a vision for a new hardware-led approach based on open source and interoperable standards. At its core is a secure boot enabled by a “root of trust” anchored in the silicon, and hardware-based virtualization to restrict lateral movement.
This guidance should be essential reading for everyone: after all, we all use these embedded computing systems and would benefit from better understanding the security risks and ways they can be mitigated. But it is also written for all major stakeholders in the supply chain who deal with security: from the OEMs and SoC manufacturers; to producers of routers, biomedical devices and set-top-boxes; to CPE, home entertainment and automotive designers and developers.
Threats just got deadly
Embedded systems and connected devices are already deeply woven into the fabric of our lives. They help to fly our planes, dispense life-saving drugs to our loved ones, steer our automobiles, and even operate ‘smart rifles.’ The only problem is they’re not secure. And in this environment that doesn’t result in data breaches and monetary losses. It could mean actual loss of life. Consider these three recent examples:
- Miller and Valasek hacked a 2014 Jeep Cherokee via its Uconnect on-board entertainment system. Finding port 6667 open, they managed to pivot inside via the D-Bus service to rewrite the firmware on the Uconnect head unit in a way which allowed them to send commands through the car’s controller area network (CAN) message bus. This allowed them to remotely control steering, brakes and other key functions.
- Runa Sandvik and Michael Auger demonstrated how the ShotView targeting system on Tracking Point Linux-powered rifles could be compromised in a similar way via its Wi-Fi connectivity. By exploiting software vulnerabilities they could prevent the gun from firing or cause it to hit a target of their choosing.
- The FDA was forced to warn hospitals in July not to use certain models of Hospira’s Symbiq, Plum A+ and PlumA+ 3 internet-connected drug infusion pumps, after it was demonstrated that they could be remotely hacked.
The problem with IoT ‘security’
All of these systems share the same traits, which make them vulnerable to hackers:
- They’re proprietary – but ‘security-by-obscurity’ no longer works. Their firmware binary code can usually be found online, or else reverse engineering is possible via debugging tools like JTAG and interactive disassemblers like IDA.
- Their network connectivity is their Achilles heel, allowing attackers to remotely hack them. What’s more, the engineers tasked with building these devices often don’t have the requisite TCP/IP skills, leading to weak implementations which can leave additional gaps to exploit.
- The firmware update system in many devices is fatally flawed in that it’s not signed. This means that an attacker could reverse engineer the code, modify it, reflash the firmware and reboot to execute arbitrary code. Those behind the recent Cisco router hack did this.
- Many allow for lateral movement within the hardware, ignoring the fundamental rule of Security by Separation. At present, the best we can do is processors which allow for only ‘trusted’ or ‘untrusted.’ But this is too simplistic for our modern world where a processor may have to keep numerous components separate and secure – from management of biomedical devices, to Netflix streaming, to banking applications.
A new approach
The prpl Foundation proposes a new way to overcome these challenges and engineer security into connected and embedded devices from the ground up. Vendor-led initiatives can be incredibly time-consuming and costly, yet the results are usually non-portable across homogeneous platforms. But under prpl, vendors can come together on a common platform, architecture, APIs and standards, and benefit from a common and more secure open source approach.
It’s built on the following principals:
Open source – an end to proprietary security by obscurity and instead a 100% “Darwinist” focus on quality, usability and robustness. Code is becoming increasingly complex so let’s get as many eyes on it as possible. And open standards could overcome the dearth of connectivity expertise in the industry.
Secure boot – ensure IoT sytems will only boot up if the first piece of software to execute is cryptographically signed by a trusted entity. It needs to match on the other side with a public key or certificate which is hard-coded into the device, anchoring the “Root of Trust” into the hardware to make it tamper proof.
Hardware-assisted virtualization – this will containerize each software element, keeping critical components safe, secure and isolated from the rest and preventing lateral movement. Secure inter-process communication will allow instructions to travel across this secure separation in a strictly controlled mode. This approach improves on current binary approaches where applications are either trusted or untrusted at a processor level, allowing for as many independent, secure guests as possible.
These potentially catastrophic IoT security vulnerabilities are no longer theoretical. The SYNful Knock campaign has shown us that attackers are already exploiting them to devastating effect. The prpl Foundation hopes this Security Guidance for Critical Areas of Embedded Computing will galvanize industry stakeholders to begin the journey towards a more secure Internet of Things.
The blueprint will lay the foundation in 2016 for a 2nd version looking into specific verticals such as automotive, and CPE equipment. It will provide more technical details including API definitions and definitions for product reference implementations (royalty-free) for those APIs.
* * *
“Great paper, very well laid out and easy to read and comprehend. Focus is around constructing the hardware and virtual layers of the endpoints to be designed properly to limit exposure should they come under attack. The four types of IoT systems mentioned in this paper (auto, medical, weapons, and airlines) can all have very personal ramifications to an individual’s health if something should go wrong.” – David Lingenfelter, Information Security Officer, IBM Security Systems and Co-Chair Mobile Group at Cloud Security Alliance.
“I read the document with great interest. It is a very good and comprehensive report which we do support. Our security expertise is mainly on network security and user authentication: device security is new to us but I see a lot common approaches with the network security.” – Rahim Tafazolli, Director of Institute for Communication Systems and 5G Innovation Centre at University of Surrey.
“I like the [document] approach as well as the flow of information. The security topics covered are appropriate and well written. It lays out the case for the dangers, problems and effect on ‘the individual way of life’ if IoT systems are not secured – as a single vulnerable coffee maker can give someone access to your whole connected life. I would even suggest starting a prpl Foundation working group to engage other IoT vendors.” – Mike Janke, Chairman & Co-Founder of Silent Circle
“The prpl document is a fine start for describing the security methods needed, and in general we agree with the mechanisms described in the document.” – Sherman Chen, VP of Engineering, Broadband and Connectivity Group, Broadcom
“[The prpl guidance] is an excellent document showing how to secure embedded computing in a world of IoT. Using detailed examples of recent hacks in embedded computing, it takes the reader step by step though the weaknesses and show how they can be overcome using methods like root of trust, secure boot process, separation of duties and secure development and testing. All the methods are described in details using infographics and examples.” – Jesper Jurcenoks, Product Manager Vulnerability Assessment at Alert Logic.
“Security of devices is a fundamental topic that goes together with their technological evolutions and feature sets; IoT will not scale up if each connected device will not be perceived as a trusted entity by end users; this document provides a great analysis on the subject” – Corrado Rocca, Head of HGI Marketing Committee, HGI
“As a security engineer I spend my professional life addressing inherent risk in network and control systems, from medical devices through to complex operational platforms. This paper neatly deals with many of the problems my clients struggle with and I recommend it to anyone that is interested in making our world more secure and resilient.” – Nigel Stanley, Practice Director – Cyber Security, TUV Rheinland OpenSky Ltd.
“The prpl guidance it’s hitting on several important points, such as separation and secure boot. With IoT, every endpoint can be individually attacked from a hardware perspective, which can be used as a stepping stone to further software attacks. A ‘break once’ in hardware can still lead to a ‘run anywhere’ in software, which is a risk to an entire ecosystem.” – Jasper van Woudenberg, Chief Technology Officer, Riscure North America