Endpoint

11/1/2016
10:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

7 Security Lessons The Video Game Industry Can Teach IoT Manufacturers

The Internet of Things has alarming holes in security. The industry should look to video games for some answers.

What's the most secure connected device in your house right now? Would you believe me if I told you it's your Xbox One or PlayStation 4? Criminals have been trying to find ways to hack video game consoles to run pirated software since the days of the original Famicom and Nintendo Entertainment System. To combat this, each new generation of game system has shipped with increasingly robust hardware and software security mechanisms, making consoles among the hardest computing devices to crack.

Since the tricks that pirates use to gain privileges on video game consoles are very similar to the exploits cybercriminals use to hack computers and Internet of Things devices, IoT device manufactures can learn a lot about effective security design from consoles. Here are seven security mechanisms used by video game consoles that could and should be applied to IoT devices.

  1. TPM/security coprocessors and crypto keys: A trusted platform module (TPM) is a microcontroller dedicated to security that is built into many modern computer processers. Among other things, these modules can securely store unique crypto keys for the devices they're installed on — both keys to identify the particular device and the vendor's public keys to validate vendor communications. Once the hardware has private and unique keys, it can use them to build security checks into the system.
  2. Secure boot: One way hackers attack embedded devices or video game platforms is to modify the boot or startup process, which might allow them to load malicious firmware or a different operating system. If you have a device with crypto keys stored in a protected place, you can use those keys to verify every step of the boot process, making it exponentially more difficult for attackers to load unsanctioned software. Validating each bit of software that the boot process loads makes it exponentially more difficult for attackers to influence or manipulate this process. 
  3. Signed firmware updates: A security module in the processor also allows devices to store and protect a manufacturer key, which a device vendor can use to sign all of the software with permission to run on the system. This prevents attackers from loading new firmware or an operating system, or even from loading illegitimate software, including malware. Some IoT device makers that want to keep their system open to modification may not want to implement this, but the approach should be considered for any device that involves sensitive customer data.
  4. Encrypted memory and storage: In the past, attackers have leveraged memory problems to learn secrets about a system they can then use to gain elevated privileges on video consoles. Badly implemented software sometimes stores sensitive information in memory (such as keys). If this information isn't encrypted, attackers could use RAM scraping techniques to learn some secret that might give them deeper access to the device. Again, a secure, unique digital key can help. IoT devices can use their private key to encrypt anything in memory or written to storage devices.
  5. Hypervisors: A hypervisor is the operating system on top of all your virtual operating systems. If you run a virtual version of Windows in Microsoft Hyper-V, that virtual version of Windows doesn't have direct access to the physical device's CPU, memory, or I/O systems. Rather, the hypervisor acts as a logical layer of separation between the virtual operating system and the actual hardware, and this also acts as a security feature. Even if an attacker finds a way to hijack a virtual machine, he won't immediately gain full access to the physical device unless he can also gain control of the hypervisor itself.
  6. Online checks: Online key validation and health checks successfully fight piracy. Modern software uses the Internet to securely call home to a vendor's domain and validate whether the software running is properly licensed and unmodified. IoT vendors can use these same secure mechanisms to require their devices to call home with health information. If the vendor detects anything out of the ordinary, it can ban that system remotely.
  7. Regular, over-the-air updates: The software and video game industries have adopted regular, cyclical software update schedules using automated tools. Some devices allow over-the-air updates (OTA), which are installed automatically without requiring input or approval from users. This makes it much easier for vendors to plug many of the vulnerabilities attackers might use to hack the system. IoT manufacturers need to build automatic update systems into their devices so they can quickly push security patches when necessary.

It's worth noting that game consoles have more resources than many types of IoT devices. While it may be cost-prohibitive for IoT manufacturers to have security coprocessors in all devices, they can still learn from the security evolution of video game consoles. The process may be slow, but I predict we'll see IoT device vendors begin to adopt basic security practices by limiting unnecessary network services and communications channels, becoming stricter with default credentials, and using encryption more often for storage, network traffic, and secure boot. With billions of IoT devices out there and more to come, hopefully manufacturers will follow the gaming industry's example and begin implementing these security best practices soon.

Related Content:

Black Hat Europe 2016 is coming to London's Business Design Centre November 1 through 4. Click for information on the briefing schedule and to register.

Corey Nachreiner regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the WatchGuard Security Center blog, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
dfroud
50%
50%
dfroud,
User Rank: Apprentice
11/3/2016 | 8:57:15 AM
Are we talking apples and apples?
This is actualy more of a question than comment, because I honestly don't know the answer.

The IoT will eventually involve billions of devices, some ridiculously small, so how many of your 'lessons' are practical outside of a device the size of a game console?

I'm not suggesting that IoT manufacturer's are TRYING to do these things, they will do the bnare minimum to get by. If that. I also assume you're not suggesting that this level go into every IoT device? So how, or who can determine the right level of security with the many variables at play?
5 Reasons the Cybersecurity Labor Shortfall Won't End Soon
Steve Morgan, Founder & CEO, Cybersecurity Ventures,  12/11/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Gee, these virtual reality goggles work great!!! 
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.