The Internet of Things (IoT) is growing at an unprecedented rate. In fact, it’s been predicted that, in the next three years, there will be as many as 30.7 billion connected devices. And this number is set to grow even more by 2025 to 75.4 billion.
Of course, this rise in the number of connected devices has its benefits. It’s been reported that IoT will lead to a 15 percent productivity increase in delivery and supply chain performance while some industries will completely transform. According to IDC, around 60 percent of global manufacturers will use analytics recorded from connected devices to analyse and optimise processes.
But with reward comes risk. The IoT is a prime target for cyber-criminals and without properly addressing security, the connected world cannot reach its full potential.
A cautionary tale
Malware targeting the IoT is no longer a theoretical possibility; it has already happened on a number of occasions. In 2016, for example, a botnet built from compromised IoT devices was responsible for what was then the largest DDoS attack on record, leaving many major websites unreachable for hours.
The ‘Mirai’ botnet, along with another IoT malware family, ‘Bashlite’, scans for devices exposing Telnet with default or weak usernames and passwords and logs in with them. As in the 2016 attack, most of the devices recruited are consumer IP cameras, DVRs and home routers.
But imagine if an attacker gained control of a fleet of connected cars, or even introduced a malicious software update to a network of connected pacemakers? The potential for criminal activity via connected devices is huge and the consequences could be devastating.
Security, then, needs to be at the forefront of the device business. A better username/password scheme is, of course, needed, but if code signing were implemented too, attackers who gained a foothold would be unable to push their own firmware or software updates to the devices, and the devices would be far less useful to them.
Code signing has long been recognised as an essential part of computing security: it is a method of proving the origin and integrity of a file. In short, the creator of the file computes a cryptographic hash of it and signs that hash with a private key. Anyone who obtains the creator’s public key can then verify that the party claiming to have produced the signature really did so, and that the file has not been modified since it was signed.
Not signing your code, or falling short of best practice when you do, runs the risk that criminals will distribute malicious code to connected devices. Worse, they can make it look as though it came from you: malware signed with stolen code-signing keys is increasingly common, and a signature made with a genuine key verifies perfectly on the device.
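The hash-then-sign scheme described above, as an added example that is not part of the original article: the vendor signs the SHA-256 digest of a firmware image, and the device verifies the signature with the vendor’s public key before applying the update. The key pair, the firmware bytes and the function names are constructed for illustration; Ed25519 is used here for brevity, but the flow is the same with RSA or ECDSA. The example also shows why key custody matters: a tampered image or a signature from some other key is rejected, whereas a signature from a stolen genuine key would not be.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignFirmware is the vendor side: hash the image with SHA-256 and sign the
// digest with the private signing key. In production this key would live in
// an HSM and the signing call would be made through it, never with the key
// material in application memory.
func SignFirmware(priv ed25519.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	return ed25519.Sign(priv, digest[:])
}

// VerifyFirmware is the device side, run by the bootloader or updater before
// an image is installed: recompute the digest and check the signature against
// the vendor public key baked into the device. It returns false for any change
// to the image, any change to the signature, or a signature made with a
// different key. Length checks come first because ed25519.Verify panics on
// malformed input rather than returning false.
func VerifyFirmware(pub ed25519.PublicKey, image, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	digest := sha256.Sum256(image)
	return ed25519.Verify(pub, digest[:], sig)
}

func main() {
	// Constructed key pair standing in for the vendor's HSM-held signing key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed firmware image; a real one would be the binary blob itself.
	image := []byte("constructed firmware image v1.2.3")
	sig := SignFirmware(priv, image)
	fmt.Println("genuine image verifies:", VerifyFirmware(pub, image, sig))

	// A single flipped bit anywhere in the image changes the digest.
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0x01
	fmt.Println("tampered image verifies:", VerifyFirmware(pub, tampered, sig))

	// An attacker with their own key cannot produce a signature the device
	// accepts; only a stolen copy of the vendor key would do that.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("attacker-signed image verifies:",
		VerifyFirmware(pub, image, SignFirmware(attackerPriv, image)))
}
```

Note that verification on the device only establishes that whoever held the private key signed this exact image; it says nothing about whether that key was used legitimately, which is why the next section is about protecting the key rather than the algorithm.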
Getting it right
We must, therefore, ensure businesses are provided with the necessary hardware and software products, as well as the appropriate consulting services, to help establish trust and integrity in the connected world.
A secure code signing system requires developers to plan for signing-key management, keeping private keys in hardware security modules (HSMs) so they can be used but never extracted, and to follow cryptographic best practices; both must be enforced in the development process and in the code release process.
As industry standards bodies increasingly treat these practices as mandatory, and as the number of IoT devices continues to grow, we are here to make it clear that implementing the correct lines of defence requires neither time-consuming nor arduous measures, only the right ones.
Of course, it’s not without its challenges, but it is doable. It is also necessary if we are to take advantage of the benefits the IoT promises to deliver.