Ironically, Security is Easy

I thought I was pretty good when it came to cyber security at home, until I saw the measures my brother-in-law takes. He’s a software developer for a financial technology company here in New York, and I can’t tell if he’s flat-out paranoid, extremely smart, or maybe he’s just smart to be paranoid.

Security is tricky. In fact, it’s a lot like driving: everyone thinks they’re a good at it, until they hit something. My friend is at his wits end because his daughter just got two speeding tickets – in two months. She’s 21 and a student and everyone tells her she drives too fast, even her sister, but she won’t listen. It’s a classic case of the youthful invincibility syndrome. “I’ll be fine,” she says.

As techies, we’re in a particularly precarious position. We think we’re good at security, and maybe we are, compared to “normies.” We have all changed our passwords from what came with our routers, we’ve installed advanced firewalls, probably use Tor browser (most of the time), use two-factor authentication for everything, have our own VPNs, and have insanely long passwords. That’s great, and it’s right, and it’s easy to spend time on it because it’s our home, our family, and potentially our savings.

When we get to work, we have corporate security measures, which are probably decent. IT is doing its job, they can fiddle ad infinitum with their network settings and securing your laptops.

But what about our own designs? How dedicated are we to ensuring maximum security measures have been taken for the products we design and push out to unassuming clients and end users, the average consumer? Not very, apparently.

Michael Barr, president of the Barr Group, puts out an annual study on embedded systems. He’s a big proponent of maximum security and safety in coding, and he kicks off the 2018 infographic with the statement “The Internet of Insecure Things” (Figure 1).

Figure 1: The IoT is a great opportunity, for hackers. (Image source: The Barr Group)

Now, the topic of security is discussed everywhere, but Barr puts some numbers on the problem at the design level. As shown in the graphic, 22% of designers say they don’t even have security on their to-do list and many design best practices aren’t followed.

I’ve spoken with Barr about this, and to a lot of people at shows or at corporate media events, and the reasons are just as Barr outlines. There’s only so much that can be done: the product has to ship.

Compounding the problem is that taking the right security measures is only part of it: the product has to be tested, thoroughly. That takes time. A lot of time. With corporate breathing down your supervisor’s neck, the temptation is to ship and fix it later, with over-the-air (OTA) updates.

That philosophy may well work, for a while. Then the team moves on to another project, or the original product is a bust and no more updates are needed. That leaves a number of “orphan” IoT devices deployed in the field, in homes, in retail stores, in corporate environments, all with dubious security in place. Remember the casino IT system that got hacked through an IoT-connected fish tank? That’s not alarmist, it’s reality.

What to do about it: Push back or get pushed out

From a designer or developer point of view, the first line of defense is to push back. If it isn’t secure, get a deadline extension. Explain that if a product fails due to a security leak, it’s the corporate brand that’s at stake. No one wants to compromise that or be responsible for the consequences. Raise a red flag and explain, as Barr points out, that depending on the network to which a product is connected, the consequences of a hack could be serious: up to 25% of IoT devices could kill or injure people if hacked, according to Barr. Remember too, that it’s your own job security that’s at stake here, too. Don’t be an orphaned designer.

Now that you’ve bought some time, there is a lot that can be done to ensure sufficient security. Keep in mind that it often doesn’t have to be bulletproof: it just has to not be easy. Hackers are opportunists – all you have to do is show a decent wall, and they’ll look somewhere else for an open gate. There are plenty of those.

To start, close the JTAG ports on the MCUs, use secure boot, ensure your memory is protected, and that encryption keys are stored where they can’t be accessed easily. There are lots of things you can do, but the good news is that many IC vendors and cloud software providers have done much of the work for you already.

Just look here and you’ll find how to use the tools that Microchip, Amazon, Texas Instruments, and others have provided to help close those security loopholes to get you to market, very likely on time!

For example, see:

• Connect Designs Quickly and Securely to the Cloud Using Amazon FreeRTOS

  • Microchip’s Curiosity PIC32MZ EF development board
  • NXP Semiconductors’ LPC54018 IoT Module
  • STMicroeletronics’ STM32L4 Discovery Kit IoT Node
  • Texas Instruments’ CC3220SF-LaunchXL

• Add Firmware Security to an IoT Design with a Single Chip

  (Microchip Technology’s CEC1702 cryptographic controller)

• A Simpler Solution for Hardening Security in Wi-Fi Connected IoT Designs

  (CC3220 dual-core MCU from Texas Instruments)

• How to Secure IoT Device Communications with a Single Chip

  (the MAXQ1061 from Maxim Integrated)

These guides will put you on the right track, but dig deeper – and ask questions. Start by examining where you tend to get stuck, what issues you face, and what you’d like to learn more about.

The irony is that with all the help from suppliers and partners, and with some effort, security is easy. It’s doing it that’s the hard part.

In the meantime, do the simple things, like changing your passwords at home this weekend. Again. It may drive your family nuts, but they’ll thank you when their friends get hacked.