Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

02:00 PM
Paul Shomo
Paul Shomo
Connect Directly
E-Mail vvv

DARPA and Academia Jumpstart 5G IoT Security Efforts

With 5G IoT devices projected to hit 49 million units by 2023, researchers launch programs to keep IoT from becoming a blackhole of exfiltration.

Open standards were supposed to drive interoperability of Internet of Things devices, allowing cybersecurity software to interrogate devices across the network. Many vendors even hoped to install apps or agents inside IoT nodes; after all mobile devices allow this. Yet none of these approaches, APIs, or standards that products are built upon achieved wide adoption. With so little control and visibility into IoT, the coming wave of 5G devices should make security professionals nervous.

In response to 5G's potential to exacerbate an already complex problem of IoT security, researchers in defense and academic circles have launched programs to jumpstart R&D. This summer, the Defense Advanced Research Projects Agency (DARPA) released IoT research grants. And in a separate but parallel development, academic researchers at the Association of Computing Machinery (ACM) simultaneously launched a program allowing industry IoT experts to collaborate with academic researchers.

Related Content:

IoT Security Trends & Challenges in the Wake of COVID-19

The Changing Face of Threat Intelligence

New on The Edge: 9 Cyber Disaster-Recovery Planning Tips for a Disaster-Prone Time

5G Will Soon Redefine Cybersecurity
Gartner notes that the number of 5G IoT devices will expand from today’s 3.5 million units to 49 million in 2023. Gartner's past IoT predictions have been solid, though 5G has encountered curveballs, such as the impact of US sanctions on China's 5G mega-provider, Huawei, not to mention the uneven rollout of 5G service in North America.

Unsolved security issues can also hinder adoption. Analyst firm Omdia recently asked enterprise organizations about their biggest challenge in deploying IoT. The top answer: ensuring data, network and device security. This new world of 5G IoT devices will represent exceptional challenges for vulnerability management, threat hunting, and incident response.

SecDevOps and code analysis tools have made strides in improving application security. Yet it's not practical to expect IoT firmware developers to save us. Funding for device firmware is significantly less than that of traditional software, due to the per-unit costs to manufacture and ship hardware. Firmware development is also complex and hyper-specialized, often leaving security as an afterthought.

However secure they are, IoT devices end up under the purview of the CISO. While the security operations center (SOC) has historically had options to monitor data egress, this won't always be the case with IoT. Cybersecurity analysts should expect as little visibility into 5G as they have into cellular phone transmissions. 

The new Cellular Vehicle-to-Everything (C-V2X) networks will boast a one-mile range. C-V2X will enable connectivity between vehicles, infrastructure, and surrounding devices. While great for consumers, it provides rogue IoT nodes and compromised automobiles a plethora of networks to access. The share of 5G-connected cars will grow from 15% in 2020 to 94% in 2028, when 5G will be heavily used for C-V2X, Gartner projects. 

Securing local data networks won't be the only problem. "Cameras deployed by city operators, or used to ensure building security, and provide intruder detection, offer the largest addressable market" of IoT devices, notes Gartner's Stephanie Baghdassarian. While many will be consumer devices, a significant cross-section of IoT cameras are expected to become the problem of infosec analysts.

Imagine a world of AI-powered devices ingesting information through electronic eyes and ears, like humans do. Then consider, if compromised, how many surrounding 5G networks these devices may leak data through. 5G is shaping up to be a blackhole of data exfiltration.

DARPA Is Getting Involved
Analysts from the National Institute of Standards and Technology (NIST) believe quantum computing will render current encryption methods useless within 15 years, so it's not surprising DARPA put its focus here. Being single-use hardware, IoT devices may be deployed long after vendors cease patching vulnerabilities. IoT encryption needs to hold up for decades. 

This past summer, DARPA solicited "innovative research" around IoT cryptography. Its program, the Cryptography for Hyper-scale Architectures in a Robust Internet Of Things (CHARIOT), is offering millions in awards. 

In its fiscal 2021 budget, DARPA requested $1.1 billion in unclassified funding for projects related to cybersecurity. DARPA initiatives include boosting the human ability to recognize and hunt threats at scale, and more exotic AI advances. DARPA is also investing in AI tech for machines to reason in context.

Aligning Academia with Real-World IoT Problems
CERT's Leigh Metcalf is on a mission to align these disparate worlds. At the ACM, Metcalf has been instrumental in the open access academic journal, Digital Threats Research and Practice (DTRAP)

DTRAP is unique in that it invites practitioners and vendor experts to publish alongside and help to direct academics. DTRAP's upcoming issue, the Lifecycle of IoT (In)security, is recruiting folks with cyber street smarts, hoping they submit papers highlighting new threat vectors, unsolved problems, or underdeveloped approaches to IoT security.

Graduate degrees are not terribly common in infosec. Perhaps the time and money to study academic theory doesn't provide a certain enough return. Yet the inclusiveness of DTRAP is notable. Industry pros can now leverage their existing expertise to direct academic research toward practical problems, and gain the prestige of publishing in a peer reviewed academic journal. The Lifecycle of IoT (In)security is accepting submissions until January 2021. 

Along with academics, the ACM is expecting collaboration from IoT device vendors, hardware manufacturers, and those cybersecurity practitioners dealing with deployed devices. 

Innovation Sits Upon a Technical Foundation
These programs couldn't have come at a better time. IoT device manufacturers have difficult challenges ahead. They must secure the hardware supply chain, solve encryption, and drive innovative code analysis for firmware environments.

It's often difficult to sell one's peers on yet another standard or framework. Publishing a proposal in a peer reviewed academic journal might provide the credibility to launch the next great idea. The industry needs it, because the explosion of 5G IoT devices is coming.

Prior to becoming an independent analyst, Paul Shomo was one of the engineering and product leaders behind the forensics software EnCase. In addition to his work in the digital forensics and incident response (DFIR) space, he developed code for OSes that power many of today's ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-13
File Upload vulnerability exists in ArticleCMS 1.0 via the image upload feature at /admin by changing the Content-Type to image/jpeg and placing PHP code after the JPEG data, which could let a remote malicious user execute arbitrary PHP code.
PUBLISHED: 2021-05-13
Insecure permissions issue in zzcms 201910 via the reset any user password in /one/getpassword.php.
PUBLISHED: 2021-05-13
A malformed input file can lead to a segfault due to an out of bounds array access in raptor_xml_writer_start_element_common.
PUBLISHED: 2021-05-13
A flaw was found in OpenJPEG’s encoder. This flaw allows an attacker to pass specially crafted x,y offset input to OpenJPEG to use during encoding. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
PUBLISHED: 2021-05-13
A vulnerability was found in Linux Kernel where in the spk_ttyio_receive_buf2() function, it would dereference spk_ttyio_synth without checking whether it is NULL or not, and may lead to a NULL-ptr deref crash.