Compared to the coverage data breaches receive, reporting on Internet of Things (IoT) flaws has been relatively sparse, despite some major research appearing lately that exposes the potentially life-threatening nature of security problems in embedded computing systems.
These flaws haven’t been exploited on a large scale yet because they require a great deal of time and effort to exploit, but there are already signs this is changing. Governments in particular have both the time and resources. A power outage attack on the Ukrainian grid just before Christmas involved hackers overwriting firmware at multiple substations, rendering them unable to receive commands. It has been widely blamed on Russian state actors, although definitive attribution remains difficult.
The most famous case was Miller and Valasek’s demo at Black Hat 2015, which showed how hackers could move laterally inside the computing environment of a 2014 Jeep Cherokee, re-flash firmware on a chip controlling the CAN bus and remotely control the brakes and steering wheel. At this year’s Black Hat they demonstrated the attack at high speed. It doesn’t take a genius to work out the potentially fatal repercussions of such a hack if carried out with malice.
It’s clear these IoT flaws are no longer theoretical. And that’s why prpl Foundation has continued its mission to help the industry build more secure embedded computing devices. The Security Guidance for Critical Areas of Embedded Computing outlined our hardware-based answer to these fundamental weaknesses. We believe the key to securing these systems lies in focusing on the silicon – because security becomes harder to interfere with at that level. So we’re espousing a root of trust anchored in the hardware, which means the firmware becomes tamper-proof.
Our next major contribution was released last month. We’re very proud to announce the debut of the open-source prplHypervisor, an industry-first hypervisor that brings virtualization to embedded systems. Hardware-level virtualization is essential to keep critical components isolated and containerized, so that even if one domain is compromised, the lateral movement so often seen in IoT attacks is blocked.
Let’s not wait for the next major incident involving exploitation of these IoT weaknesses. We don’t want to see an airliner downed by a fleet of hacked and remotely controlled drones. Or key firmware inside a nuclear power station overwritten to carry out the wishes of a cyberterrorist group.
It’s time to get serious about IoT security, and we need your help. We invite the EBN community to take a look at the prplHypervisor and consider joining the project. Our work is based on open source and interoperable standards – to focus on the best quality code possible and force an end to “security by obscurity.” The code is available here: https://github.com/prplfoundation/prpl-hypervisor.
We look forward to your participation!