Secure the "Internet of Things" (IoT)

I'm going to digress from my usual posts about security and the rambling of notes for my personal projects into an actual article about something of substance: the Internet of Things. To those of us connected to the Information Security field we know how insecure these systems can be and is often the bane of our existence. I, along with many others, keep saying how bad IoT vendors are about securing their devices, to the point of wanting legislation, so I'm going to briefly play devil's advocate and put myself in their shoes. I find this process is helpful for my own understanding of how something works and hopefully, if you're an IoT developer, get an idea of our perspective.

So, the background first... I'm in the midst of developing a product & service that relies heavily on the Raspberry Pi platform and specifically the ODROID-C2 incarnation of the RPi. My requirements lean heavily on open source security tools and rather than making all of them work on Raspbian I chose to go with a security based Linux, namely Kali. Kali runs on the ARM platform, both the one that comes with the RPi-3B+ as well as the chip that comes on the ODROID-C2. Add to that the scripts to build the ARM version are open source. So, I decided to take the base Kali ARM system, modify it to suit my needs, and build my own version of it from scratch. This is very much an IoT project and is similar to what many other people need to do in order to get their software to run on the hardware out there. So, now I'm going into 'why' I have found the IoT world is so insecure and maybe a little on what we can do about it.

This brings us to the first thing I thought about: nearly all of it is homegrown software. If you are going down the Linux path you will be building things on your own. I'm also guessing many of the IoT developers don't have what I do, namely 20+ years using and managing Linux systems. As a result of needing to build from open source software, usually on your own, there's a ton of room to make mistakes. I get that, really, I do. But at the same time if you're one of these developers you should also realize this. Admit you're probably out of your depth and get help. Yes, it might cost real money and yes it might add time to your project but by all means do it. I myself was quite rusty on the internals of Debian (which Kali is based on) so I took a month to tear apart the basic process of building a Debian install (debootstrap, etc).

The next thing I noticed was a distinct lack of updated software, this is even more apparent in the IoT hardware world. I chose the ODROID-C2 because it comes with 2GB of RAM whereas the RPi-3B+ comes with 1GB and I need the additional RAM. This choice means I have to settle for whatever Linux distributions I can find that will work on this hardware, in my case Kali was one of the options. I will use a specific example of outdated software. When I started digging in to Kali ARM and the installer scripts I found that it uses an older kernel, 3.14, which puts it at 3-4 years old. A quick look at the Linux kernel site shows there were something like 79 revisions in the 3.14 tree, I'm guessing at least one of those was a security update/patch. So, why not just use a newer kernel you say? Glad you asked. I experimented with going to the latest 3.x release, 3.16.56, and it failed to compile. And that's just a small incremental update, i'm sure going to the 4.x kernel could be major surgery. Looking around the Kali ARM Github area I can see that issues go for months without responses, that there are only a handful of people working on it and of those only a couple appear to be active. I'm guessing support will be, ah, spotty at best.

So, what do you do? Continue to use a version of software that likely has vulnerabilities? Switch to a different distribution that might be more supported? Commit the time to make the latest release work (and donate it back)? I'm not sure which option I'll take at this point but it will likely be patching the more recent version and making it work. But what happens to other people using this, or comparable systems, that don't know how to do that? My guess is they just go with what works, possibly oblivious to the fact that what they're going to release is likely insecure. About that refrigerator running a 7 year old kernel...

As I have been developing this product I keep coming into situations where I am staring at what I consider to be "best practices" for security and catch myself thinking (and saying) "I'll work it out when I harden the device" which leads me to... You DO have a plan and time set aside for system hardening and security testing right? That's the phase in which you pretend like you're a bad guy and try to cause harm to your baby, seeing how much you can break in the process. Which leads me to... You DO have the ability to do this right? If not, again, GET HELP if you don't. There are people and companies out there that can do this. Yes, it will cost money and yes, it will take time but really, just do it. I have a suspicion many of the insecure devices we see never went through this phase. I'm also willing to bet many of the people that developed them didn't even know this was even a thing.

Now, the problem with the "I'll deal with it during hardening" is that things get missed, it happens, we're human and make mistakes. To counteract this you MUST fight the urge to "punt" until later and adopt secure practices throughout the entire development lifecycle. When gathering requirements, which I'm hoping you actually do, bake security in there. When you're actively developing use secure practices in your code, tools and processes. You DO know how to do this right? By now I hope you're getting the point here: get help when you need it. Again, yes, it might cost money and yes it might add time but you know it's the right thing to do.

Note how all the above represents a process of continuously asking the question "is what I am doing secure" and addressing those issues when they come up. I'm not punting to the next version to fix something, it gets done now.

/rant