7 Security Lessons The Video Game Industry Can Teach IoT ManufacturersThe Internet of Things has alarming holes in security. The industry should look to video games for some answers.
What's the most secure connected device in your house right now? Would you believe me if I told you it's your Xbox One or PlayStation 4? Criminals have been trying to find ways to hack video game consoles to run pirated software since the days of the original Famicom and Nintendo Entertainment System. To combat this, each new generation of game system has shipped with increasingly robust hardware and software security mechanisms, making consoles among the hardest computing devices to crack.
Since the tricks that pirates use to gain privileges on video game consoles are very similar to the exploits cybercriminals use to hack computers and Internet of Things devices, IoT device manufactures can learn a lot about effective security design from consoles. Here are seven security mechanisms used by video game consoles that could and should be applied to IoT devices.
- TPM/security coprocessors and crypto keys: A trusted platform module (TPM) is a microcontroller dedicated to security that is built into many modern computer processers. Among other things, these modules can securely store unique crypto keys for the devices they're installed on — both keys to identify the particular device and the vendor's public keys to validate vendor communications. Once the hardware has private and unique keys, it can use them to build security checks into the system.
- Secure boot: One way hackers attack embedded devices or video game platforms is to modify the boot or startup process, which might allow them to load malicious firmware or a different operating system. If you have a device with crypto keys stored in a protected place, you can use those keys to verify every step of the boot process, making it exponentially more difficult for attackers to load unsanctioned software. Validating each bit of software that the boot process loads makes it exponentially more difficult for attackers to influence or manipulate this process.
- Signed firmware updates: A security module in the processor also allows devices to store and protect a manufacturer key, which a device vendor can use to sign all of the software with permission to run on the system. This prevents attackers from loading new firmware or an operating system, or even from loading illegitimate software, including malware. Some IoT device makers that want to keep their system open to modification may not want to implement this, but the approach should be considered for any device that involves sensitive customer data.
- Encrypted memory and storage: In the past, attackers have leveraged memory problems to learn secrets about a system they can then use to gain elevated privileges on video consoles. Badly implemented software sometimes stores sensitive information in memory (such as keys). If this information isn't encrypted, attackers could use RAM scraping techniques to learn some secret that might give them deeper access to the device. Again, a secure, unique digital key can help. IoT devices can use their private key to encrypt anything in memory or written to storage devices.
- Hypervisors: A hypervisor is the operating system on top of all your virtual operating systems. If you run a virtual version of Windows in Microsoft Hyper-V, that virtual version of Windows doesn't have direct access to the physical device's CPU, memory, or I/O systems. Rather, the hypervisor acts as a logical layer of separation between the virtual operating system and the actual hardware, and this also acts as a security feature. Even if an attacker finds a way to hijack a virtual machine, he won't immediately gain full access to the physical device unless he can also gain control of the hypervisor itself.
- Online checks: Online key validation and health checks successfully fight piracy. Modern software uses the Internet to securely call home to a vendor's domain and validate whether the software running is properly licensed and unmodified. IoT vendors can use these same secure mechanisms to require their devices to call home with health information. If the vendor detects anything out of the ordinary, it can ban that system remotely.
- Regular, over-the-air updates: The software and video game industries have adopted regular, cyclical software update schedules using automated tools. Some devices allow over-the-air updates (OTA), which are installed automatically without requiring input or approval from users. This makes it much easier for vendors to plug many of the vulnerabilities attackers might use to hack the system. IoT manufacturers need to build automatic update systems into their devices so they can quickly push security patches when necessary.
It's worth noting that game consoles have more resources than many types of IoT devices. While it may be cost-prohibitive for IoT manufacturers to have security coprocessors in all devices, they can still learn from the security evolution of video game consoles. The process may be slow, but I predict we'll see IoT device vendors begin to adopt basic security practices by limiting unnecessary network services and communications channels, becoming stricter with default credentials, and using encryption more often for storage, network traffic, and secure boot. With billions of IoT devices out there and more to come, hopefully manufacturers will follow the gaming industry's example and begin implementing these security best practices soon.
Black Hat Europe 2016 is coming to London's Business Design Centre November 1 through 4. Click for information on the briefing schedule and to register.
Corey Nachreiner regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the WatchGuard Security Center blog, ... View Full Bio