MY TAKE: Can embedding security deep inside mobile apps point the way to securing IoT?

By Byron V. Acohido

The full blossoming of the Internet of Things is on the near horizon – or is it?

Enterprises across the planet are revving up their IoT business models, and yet there is a sense of foreboding about a rising wave of IoT-related security exposures.


Some 25 percent of 700 organizations surveyed in five nations reported IoT security-related losses of at least $34 million in the last two years, according to the 2018 State of IoT Security study sponsored by certificate authority DigiCert.

Similarly, software security company Irdeto polled 220 security decision makers in the healthcare, transportation and manufacturing sectors and found 80 percent experienced a cyberattack on their IoT devices in the past 12 months, sustaining, on average, $330,000 in losses.

Cyber criminals know a good thing when they see it. IoT systems introduce added layers of network complexity, which translates into an enlarged attack surface. Threat actors gleefully recognize that IoT is being implemented off of an already huge and poorly defended attack surface: legacy networks.

Clearly, IoT won’t begin to approach full fruition until and unless a few deep-seated security weaknesses get adequately addressed. I had the chance at Black Hat USA 2019 to discuss this with Mark Hearn and Catherine Chambers, of Irdeto, a 50-year-old software security and media technology company based in Amsterdam.

Irdeto recently introduced a new service – Trusted Software – aimed at developers of mobile apps. The service enables app developers to conveniently embed top-shelf security into the source code of their new mobile apps, as a final step, just before distribution to users.

More on this below. The meat of our discussion was about what it will take to make IoT as secure as it needs to be. For a full drill down, give a listen to the accompanying podcast. Here are my takeaways:

Source-code security

It’s stunning to consider that we’ve only scratched the surface with respect to deploying the hundreds of billions of IoT devices it will take to turn on our smart homes, smart hospitals and smart workplaces – as well as push autonomous vehicles into mainstream use.

Consider the exponentially higher number of connections this will require: each IoT device will connect to tiers of software, which will, in turn, tap into endless microservices, and so on. Each connection, left unsecured, will present a fresh attack vector.

It is at this deep level – the source-code level – that Irdeto is seeking to help companies get a grip on IoT security. It has begun adapting its flagship technology, Cloakware, to help lock down key components of evolving IoT systems.

Irdeto has long been a pioneer of advanced source-code security. Cloakware is the technology Irdeto pioneered to help Hollywood preserve digital rights and deter pirating. Cloakware, as Hearn explained to me, is a collection of security techniques, applied at the source-code level, that makes reverse engineering and tampering extremely difficult.

As digital transformation has picked up steam, Irdeto recognized a few years back that its brand of source-code security ought to be extended to the proliferation of apps, microservices and IoT devices part and parcel of digital transformation.

So it began upgrading Cloakware to work in many different computing languages, as well as extending its services into sectors outside of media and entertainment. This led quite naturally to Irdeto coming up with a long-run strategy to supply source-code security to key components of emerging IoT systems.

Skill shortage relief

Trusted Software is part of that strategy. It’s a subscription service to instill source-code security in app-store-ready apps. The developer or publisher first submits the app to Irdeto for a thorough security review to identify vulnerabilities. The app then receives a security upgrade, leveraging threat intelligence culled from Cloakware.


“It’s as simple as dragging at your compiled mobile app into our online service, and applying these machine learning models to protect it,” Chambers told me. “Over the years, we’ve developed a lot of in-house security expertise. And over the last couple of years we’ve developed machine learning models, based on insights from our security engineers. We’re applying these models to tools that will allow companies to automatically secure their software.”

The service returns a protected app, ready for posting in the app store. In addition to leveraging Irdeto’s institutional knowledge of how to mitigate source-code level threats, the subscriber gets relieved of the burden of having to recruit and retain in-house security analysts.

At the moment, IoT device manufacturers, in particular, are feeling the impact of the dire shortage of experienced security analysts, Chambers says. For these device makers, “developing mobile apps for controlling or configuring these devices is an area they haven’t worked in before,” she says. “It’s a whole new skill set. And they’re having trouble finding the right people, with the right expertise, to help them close some of these security gaps.”

Proactive prevention

Irdeto chose mobile apps as a beachhead, because that’s where all the action is. Smartphones are hubs of control and communication. But Hearn also believes the same approach of embedding dynamic security software – at the source-code level – could be a key to raising the security bar for things like the firmware in medical equipment and components of autonomous transportation.


“We focused in on a service that allows companies to protect their mobile apps, quickly, because it was an area where many companies have an immediate need,” Hearn says. “What we’re doing will evolve and expand into other areas and move things to more of a proactive approach.”

Hearn foresees a day when data gathered by advanced telemetry get routinely fed into machine learning systems. “If we start to get a sense that a hacker is playing with a particular device, we can capture that security telemetry early on, combine that with some of the machine learning, and now we can proactively prevent attacks from happening.”

I came away from my interview with Hearn and Chambers encouraged that a viable path forward is emerging. It’s a path companies must take to implement lasting IoT strategies. It will inevitably lead them towards much more deeply ingrained security of IoT systems, and this is what will lead to realizing the full potential of the Internet of Things. Talk more soon.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)
