The case for security in Linux-based IoT devices (part 1)

Are you among the embedded system OEM and software consultant adding Internet connectivity and services into devices that were not originally intended to do so? If you are, then you know that by connecting these products to the Internet, customers are discovering new forms of revenue and, in some cases, entirely new business models. What’s more, they are able to make their current products both more valuable and cost-effective.

As we continue to see more Internet-connected devices, we must acknowledge that they will be vulnerable to attack, remotely disabled, or compromised in some other undesirable way – each scenario seriously threatening the entire underpinning of these new business models.

Consider the following example in the world of home automation. It is one of the biggest consumer applications for the Internet of Things (IoT), and potentially one of the most lucrative for attackers. What could a criminal do with information stored in what might be considered a rather harmless home-automation device like an IP-connected smart thermostat? Well, these devices are built to learn your habits. They are designed to recognize or “learn” when you are home and when you are away, so that they can optimize the industrial computer used to heat and cool your house. You can guess where I’m going with this. They’ll know your habits and track your routines – sensational fodder for someone thinking about stopping by uninvited.

Remember the case of the Samsung Smart TV? In order to be able to respond to voice commands, it constantly “listened” to your chatter, interpreted it, and then might even send it to “authorized” third parties. Yes, I am serious. The Smart TV was demonstrated to be hackable (what isn’t without lock down security) back in 2013. This is a perfect example demonstrating the need for multiple embedded system accessibility levels. In the in-vehicle system case, there was only one user account possible, and that user could access anything on the device[1][2].

Security through obscurity

In many past instances, product developers would rely on the fact that their in-vehicle system devices were too few and too uninteresting to hackers to attempt to exploit them. In other words, these devices were obscure – ostensibly unknown nodes on a network. Unfortunately, this strategy will no longer work. With what is expected to be billions of devices connected to the Internet in next five years (with tremendous variety of functionality), these once “no interest” devices will become quite tempting as targets for exploit.

To address how security by obscurity will no longer work, let me offer an example of how a website is being used to search for Internet connected devices:

refer to: