Secure IoT robots – before it’s too late

​Smart technology has made it easier for people to know what’s happening inside their homes and take control of things like heating and cooling, electricity consumption and entertainment options. But before we knew it, we created mini data centers in our homes—ones that don’t have system administrators to worry about such as configurations and security controls. And with more devices incorporating machine learning and AI, the necessary security measures need to be in place. Failure to do so and our homes will become a hotbed for cyber attacks and a danger to ourselves.

Go to the profile of Cesare Garlati
Sep 14, 2017
Upvote 0 Comment

The current state of connected devices presents a major threat to consumers due to a lack of security in place to defend against cyberattacks and without realising, these devices have sprung into our homes. Computers, white goods, TVs and game consoles have or are being developed to connect to IoT. Now, robot devices have found their way into our homes with the attraction to make human lives more efficient. However, robots present an extreme danger to the public if security is not properly addressed. Many manufacturers and developers are too preoccupied by sales, and rush to get their products to market, with security left as an afterthought. Security should be implemented at the development stages of the production lifecycle otherwise, if robots continue to lack the necessary security, they will become a danger to human life.

Hackers and security researchers have all infiltrated devices which have led to some chilling outcomes. For example, researchers were able to hack into a popular house robot and program it to wield a screwdriver and stab violently at a tomato. This exploit is an example of how potentially calamitous the scenario could get should a robot be hacked, especially in a home setting. If on the manufacturing line a hacker could configure new code to adjust certain measurements or rule for the robot, the final product could be compromised and this would potentially endanger the consumer.

In the home setting all smart devices, including robotic devices, are connected to the home router, which is the online equivalent of your front door. It represents a critical way-in for hackers due to it being the central hub that connects almost every device in the home. No homeowner would leave their physical front door open but the same cannot be said for the home router, which is being left exposed, unprotected and open to attack. The gravity of the issue is escalated further as its being estimated that by 2022, a typical family home will contain more than 500 smart home devices, making the home a very attractive target to attackers who want to infiltrate the devices and data.

What needs to be understood by consumers and manufactures alike, is that it’s not just about the data that can be stolen from connected devices – it’s about how these can be hijacked in volume and directed at one target, which could be an innocent human. From causing extreme internet service outages to becoming deadly weapons with catastrophic outcomes, the consequence of IoT security not being taken seriously is a very real and tangible problem.  That is why the time is now to start taking measures to secure these devices at the most basic level: the hardware.

When it comes to securing IoT in the home, people can take a number of actions to improve security:

Open source – an end to proprietary security by obscurity and instead a 100% “Darwinist” focus on quality, usability and robustness. Code is becoming increasingly complex so let’s get as many eyes on it as possible. And open standards could overcome the dearth of connectivity expertise in the industry.

Secure boot – ensure IoT systems will only boot up if the first piece of software to execute is cryptographically signed by a trusted entity. It needs to match on the other side with a public key or certificate which is hard-coded into the device, anchoring the “Root of Trust” into the hardware to make it tamper proof.

Hardware-assisted virtualisation – this will containerise each software element, keeping critical components safe, secure and isolated from the rest and preventing lateral movement. Secure inter-process communication will allow instructions to travel across this secure separation in a strictly controlled mode. This approach improves on current binary approaches where applications are either trusted or untrusted at a processor level, allowing for as many independent, secure guests as possible.

The arrival of IoT and AI robotic devices into our lives is not a surprise, but users need to take more responsibility for the security in our connected homes until the industry as a whole steps up its security game. The prpl Smart Home Security report shows that a significant amount of users would pay a premium for more secure devices, but until manufacturers make this more of a reality by implementing the above best practice – the user does have to accept a large portion of this responsibility. By implementing the above advice, manufacturers can take some of the most dangerous security issues, helping to protect the user from the risk of personal data theft, fraud or worse.

Go to the profile of Cesare Garlati

Cesare Garlati

Chief Security Strategist, prpl Foundation

Cesare Garlati is an internationally renowned expert in information security. Former Vice President of mobile security at Trend Micro, Cesare currently serves as Chief Security Strategist at prpl Foundation – a technology nonprofit dedicated to enabling security and interoperability of embedded systems. Prior to Trend Micro, Mr. Garlati held leadership positions within leading mobility companies such as iPass, Smith Micro Software and WaveMarket. Prior to this, he was an engineering manager at Oracle, where he led the development of Oracle’s first cloud application and many other modules of the Oracle E-Business Suite. Cesare has been frequently quoted in the press, including such media outlets as The Economist, Financial Times, The Register, The Guardian, ZD Net, SC Magazine, Computing and CBS News. An accomplished public speaker, Cesare also has delivered presentations and highlighted speeches at many events, including Embedded World, Mobile World Congress, Gartner Security Summits, IDC CIO Forums, CTIA Applications, CSA Congress and many editions of the RSA Conference. Cesare holds a Master in Business Administration from U.C. Berkeley, a BS in Electrical Engineering and Computer Sciences, professional certifications from Microsoft, Cisco and Sun, and he is a Fellow of the Cloud Security Alliance.

No comments yet.