Home Internet of Things Aerospace Apparel Energy Defense Health Care Logistics Manufacturing Retail

Better IoT Security Through Crowdsourced, Blockchain-Driven Platforms

A robust and effective decentralized system of vulnerability reporting and mitigation, leveraging cryptocurrency and blockchain technologies, could improve the security of the IT infrastructure on which everyone relies.
By Tae-Jin Kang
Oct 01, 2018

The Internet of Things (IoT) encompasses a wide range of devices, from connected refrigerators to insulin pumps. It has also been a popular solution for enterprise executives looking for ways to increase the quantity and quality of information about their businesses. The prevalence of these connected devices that line not just our homes, but also countless enterprises across all industry verticals, makes IoT vulnerabilities extremely target-rich and, therefore, incredibly attractive to hackers. And though a vulnerable smart toaster may not culminate in debilitating repercussions for our connected world, the rise of smart infrastructure and autonomous vehicles means that software security will soon be synonymous to the safety and privacy of all.

Is Open-Source Critical in the IoT?
We are developing, sharing, and adopting open-source software (OSS) at an unprecedented rate. A 2018 audit by OSS risk-management market leader Synopsys revealed that in just a span of one year (from 2017 to 2018), the average percentage of codebase that was OSS jumped from 36 percent to 57 percent, indicating that many applications now contain more open-source than proprietary code. The IoT industry is no exception. According to the same audit, open-source code comprises an average of 77 percent of scanned IoT codebases, demonstrating that this industry is built upon the foundation of OSS. This trend will only continue to grow because, by leveraging OSS, development teams can lower assembly costs and quickly add innovations, thereby saving months or years of originally required development time.

But OSS is not perfect. Whether software code is proprietary or open-source, it harbors security vulnerabilities. Supporters of open-source argue that the accessibility and transparency of the code allow the "good guys"—corporate quality-assurance teams, white-hat hackers and open-source project groups—to find bugs faster. Yet the same accessibility and transparency that make open-source so valuable also equip hackers with ready-made lists of security vulnerabilities that they can exploit if IoT OEMs and their third-party development teams have not fixed their software.

Is Our Connected World Secure?
The combination of the prevalence of IoT devices and heavy usage of OSS in this industry should warrant constant vigilance to ensure that these connected devices are secure. Yet recent events indicate that negligence rather than vigilance has been a recurring theme for IoT security. A vulnerability in a third-party open-source project named gSOAP, later called Devil's Ivy, was exploited by hackers to remotely access a video surveillance feed while denying the owner access to the feed. The fragile security of these connected home devices even prompted the FBI to issue "privacy and physical safety" warnings for smart toy sensors such as microphones, cameras, and GPS (see FBI to Parents: Beware, Your Kid's Smart Toy Could Be a Security Risk).

At Black Hat 2017, two security researchers demonstrated their ability to hack internet-connected car washes. They were able to close the entry and exit doors, thereby trapping the car and its driver, and remotely maneuver the car-washing apparatus to strike the vehicle. The hackers could stop the driver's attempts to escape by repeatedly opening and closing the doors, further damaging the car and potential injuring the occupants. In the same year, St. Jude Medical's cardiac device implants were revealed to contain vulnerabilities that hackers could use to tamper with the device's control of vital heart functions. St. Jude's failure to remediate the "universal code that could allow hackers to control the implants" invited the criticism of investment firm leader Carson Block, who threatened to short-sell the device's stock.

While some organizations fail to prioritize IoT security, more security-conscious companies leverage specialized security solutions to identify and manage the relevant issues in their codebase. Some choose to deploy software composition analysis (SCA) tools developed by security technology innovators such as Synopsys and Insignary, which equip customers with customized security reports so they can practice effective OSS risk management. But this is not an be-all and end-all solution.

To produce these reports, SCA tools leverage external databases of known OSS-related vulnerabilities, against which they map the customer's individual risk. Yet these databases are limited by their centralized management, which hinders them from addressing the escalating number of OSS projects and associated security risks. As a result, the information found in these databases is neither complete nor up-to-date, preventing organizations from remediating security vulnerabilities as efficiently and effectively as possible.

Login and post your comment!

Not a member?

Signup for an account now to access all of the features of RFIDJournal.com!

Case Studies Features Best Practices How-Tos
Live Events Virtual Events Webinars
Simply enter a question for our experts.
RFID Journal LIVE! RFID in Health Care LIVE! LatAm LIVE! Brasil LIVE! Europe RFID Connect Virtual Events RFID Journal Awards Webinars Presentations