IoT security tips: Five ways developers can help thwart IoT malware threats

Leonardo Lima, Spec Lead of the JSR 363, shared an eye-opening talk at JavaOne 2016 about the Internet of Things and the potential hazards of living in a world with perhaps too much connectivity. The fact is that many popular devices that people use every day are simply not secure. Leonardo highlighted a recent HP study that investigated 10 commonly used connected devices. 70% had security exposures, with an average of 25 holes or risks per device that exposed the home network. Inadequate password requirements were found in 8 out of 10 devices, and 70% could readily allow hackers to identify a valid account through enumeration.

Why isn’t security a top priority for IoT?

From hard-coded accounts on cameras to known security flaws like Poodle that made Mattel’s talking Barbie hackable, there are many causes for the current state of IoT insecurity. In the case of the Barbie doll, it may simply have seemed like a low risk application with too little risk of exploitation to bother with better security. For web and mobile cameras, lax security is usually geared toward ease of configuration and maintenance. After all, security and accessibility are almost always mutually exclusive priorities.

Another reason IoT is so insecure is because the market for connected solutions is so hot right now. It’s easy to focus on design and production, kicking security farther down the line where it can be someone else’s problem. In Lima’s words, “Often, security is not the highest priority especially with today’s fast paced development cycles. Everyone wants to just get the next product out and be the one to receive funding from a VC firm and then sell the company before they get hacked.”

Is the problem really that serious?

From device spoofing to malware, information disclosure, and DOS attacks, there are many ways a compromised device can become a threat. The risks posed by lack of IoT security are three-fold:

• The device itself may be damaged, controlled, or used in unwanted ways
• Data and personal information associated with the account may be stolen and used for identity theft or other purposes
• The device may be used as a vector to access additional systems

Lima’s gripping story of the high-tech wireless car-jacking of a Jeep Cherokee should be enough to give anyone pause. Even more alarming was the account of the electrical agency in the Ukraine that fell victim to the first publicly acknowledged attack on critical utility infrastructure. That cautionary tale offered a peek at what cyberterrorism might look like in the IoT era.

How can these problems be solved?

First of all, there are some things that simply shouldn’t be connected. As Lima succinctly pointed out, when things are added to the Internet of Things, “Stuff can happen to your things.” Of course it’s not the gadgets that are really important, it’s the potential impact on human lives through access to those things. For this reason, Lima won’t use a camera to send a live feed of his young child at home to his phone. It’s just not worth the risk of invasion of privacy.

Five quick tips for developers:

• Decide whether it is really worth the risk to connect with IoT
• Balance the need for ease of configuration with the need for security
• Understand the many ways a device can be compromised and the potential outcomes
• Pay attention to known vulnerabilities and apply all patches and upgrades
• Use secure elements and APIs to increase device and data security

There are also ways that Java can help with IoT security. In fact, Java libraries contain cryptography architecture for PKCS#11, TLS, and more. In addition, there are secure elements that can be used as a safe place to execute sensitive code and store hardware identity and private keys. These tiny, tamper resistant components include an entire processer with CPU, RAM, a crypto engine, and more. The Java Card platform can be used for portable trusted identity services in both consumer-oriented and enterprise environments, keeping private data private.