Designing with security in mind


Ken Munro of Pen Test Partners talks about the urgent need to design with security in mind.

Pen Test Partners are a UK cybersecurity firm that specialises in high-end penetration testing, a systematic process that looks to probe for vulnerabilities in an application or network. It’s essentially a controlled form of hacking in which the ‘attackers’ find weaknesses that could be exploited by criminals.

Penetration testing assesses a system for potential weaknesses caused by improper system configuration, hardware or software flaws, or operational weaknesses in process or technical countermeasures.

An experienced penetration tester looks to mimic the techniques used by criminals without causing damage.

Pen Test is able to take an independent perspective on the security by design recommendations advocated by various regulatory bodies and works with manufacturers to help design in security features.

Awareness of security is certainly growing among consumers. Recent research carried out by online electrical retailer, reichelt elektronik, found that among UK consumers safety and privacy worries were actually dissuading some from buying digital assistants.

The survey found that 72% were concerned with the misuse of data; 56% wanted to know more about how communication was being monitored, while 48% were worried about the risk of hacker attacks.

Commenting, Thomas Kruse, product manager at reichelt elektronik, said, “Voice assistants on devices are great pieces of technology that can make our lives easier, but in the wake of data breaches and hacker attacks technology companies and retailers need to communicate security messages better. Brands and retailers have a role to play in helping to inform and educate customers on how to stay safe.”

The need to better educate customers was highlighted by Pen Test last year, when it carried out tests that found that thousands of hot tubs could be hacked and controlled remotely because of a vulnerability in their online security.

The organisation’s ‘ethical hackers’ were able to show that it was possible to make the tubs hotter or colder, as well as control the pumps and lights, via a laptop or smartphone.

The company behind the product, Balboa Water Group (BWG), responded by pledging to introduce a more robust security system for owners and said the problem would be fixed.

However, the company’s failure and the way in which it sought to address the problem were criticised as taking away the users’ right to both privacy and security.

Poor security

This was just one of many devices tested and found to be vulnerable by Pen Test and, according to the organisation’s founder, Ken Munro, “Manufacturers are still not taking security seriously enough, and until they do consumers will have to remain vigilant.”

While the BWG hack, and the vulnerabilities it found, was hardly critical, it did highlight the fact that too much of current consumer IoT security is, as Munro says, “Not in a good place… and these findings underline that.”

According to Munro, in the five years that Pen Test has been looking at security in consumer products, things haven’t improved.

“In many cases, especially when it comes to consumer goods, things have actually gone backwards.

“I think it would be fair to say that, with the exception of a few companies, very few actually understand the impact that poor security, or getting security wrong, can have.

“This has been made worse by new entrants looking to create smart technology and aiming to get to market quickly. The problem of security is simply getting worse.”

Munro says that many more companies are now entering the consumer technology space.

“Barriers to entry are low and that brings with it a whole new set of challenges,” he suggests.

Munro makes the point that many of the companies now working in this space have been involved in developing mobile apps and are used to being able to update apps over the air to fix any security flaws.

“That approach will not work with hardware. If you design in a security flaw, you are in a different situation entirely if your device doesn’t support over the air updates. Too many companies are selecting hardware that doesn’t have security features, simply in order to save on cost.”

He warns that it’s a problem that besets the consumer space.


“Products are vulnerable. Development lifecycles are lengthy when it comes to hardware and if you’ve failed to implement necessary security features, or have chosen the wrong architecture or platform, then to put it bluntly – you’re screwed!

“Before Christmas Pen tested some smart Christmas lights; the manufacturer had chosen to use a chip set with zero security functionality.

“There was no trusted execution, random generation or secure storage for credentials. The company ended up pulling the product and having to start with an entirely new architecture.

“A similar thing happened with the Wi-Fi kettle from Smart. There were security concerns with the first architecture, so they brought in a security architect – a very good one – who went back to basics and designed security into a new architecture. If they’d done that in the first place they would have avoided the PR disaster that followed.”

Think secure

“When it comes to delivering a secure product the first thing companies need to think about is security – it is easy and relatively cheap to design in at the beginning of the process. It doesn’t have to be expensive, shouldn’t delay you getting to market or obstruct the growth of your business,” says Munro.

The key is asking for help early on.

“You need only spend a single day arming yourself with questions and better understanding standards in order to avoid pain later,” he says.

“Security doesn’t have to be a big overhead. If your device is found to be insecure, or vulnerable, what is the cost to your business of pulling it from the market? Keep shipping it, or face going bust? Too many companies back themselves into a corner.”

Munro says that the IoT brings with it the risk of super-systemic vulnerabilities.

“Find a fault in one device and it’ll be in all of them; and mobile apps make devices extremely vulnerable and exploitable. A lot of platform providers support multiple manufacturers. So, while a security problem may affect a few thousand devices, because the problem is with the backend service it could actually impact millions.”

The importance of due diligence is critical, according to Munro.

“Ask the right questions and better understand the development process; are suppliers following the correct security protocols; ensure that in contracts there’s a clause entitling you to get your money back should security become an issue; ensure you see all documentation and carry out a thorough risk assessment.”

Munro suggests that security needs to be built into all procurement processes.

“The lack of understanding is shocking, but needn’t be,” he says. “There’s all sorts of advice and guidance available.”

Munro points to Secure by Design, which has been published by the UK’s Department for Digital, Culture, Media and Sport (DCMS) and which promises an effective foundation for legislation.

“This is broad reaching, providing guidelines for manufacturers, mobile app developers, service providers and retailers. It states default passwords should not be used, credentials and security sensitive data should be stored securely, and software kept updated.”

While a good start, he says that there is still work to be done.

“For example, the initial proposals recommend a vulnerability disclosure policy but didn’t require vendors to issue a fix; it suggested the use of unique passwords but failed to address the issue of entropy; and it did not address the over-use of permissions on mobile apps.”

In the US, SB-327 mandates some basic security standards for smart consumer tech and will come into effect from January 2020.

In Europe, the Cybersecurity Act, which came into effect in 2018, saw the European Union Agency for Network and Information Security (ENISA) become the permanent EU agency for cybersecurity and the creation of a certification framework for certifying connected cars and smart products across all EU member states.

All of these developments should be welcomed, says Munro, but so many of the problems associated with security are simply down to a lack of planning or awareness.

“It’s certainly not rocket science,” he concludes.