Synopsys: IoT is feature-rich, but security is still insufficient

Have you ever thought that hackers are collecting, transmitting, and even analyzing your privacy through the smart home products you use? They can use only a computer to know the status of sockets, lights, or other devices in your room, and even issue commands to control these devices. "Security" has become a compulsory course for the development of the Internet of Things industry.

How to prevent IoT hacking? Make sure the software is secure before it's released. Synopsys says it's not that hard. So why don't many IoT device manufacturers do this?

First, let’s take a look at several recent IoT security incidents:

Google's Nest smart home cameras hacked

NBC News reported that an "enthusiastic" user of smart home technology told the station that he heard some noises in the baby's room and upon checking, he found a "deep male voice" emitting from the Nest security camera installed there. The cyber intruder also took control of the room's thermostat, setting the temperature to 90 degrees Fahrenheit.

Smartwatches can be targeted by hackers

The Norwegian Consumer Council has analysed four children's wearable phones/smart watches. These devices are designed to allow parents to communicate with their children and locate them.

After analysis, the Consumer Council reported "critical flaws" in the products, which could allow hackers to "take control of the app, gaining access to a child's real-time and historical location and personal information". Hackers could even "contact children directly without the parents' knowledge".

Bluetooth devices can also be hacked

Researchers from Brazil's Federal University of Pernambuco and the University of Michigan in the United States studied 32 smartphone apps installed on 96 of the best-selling Wi-Fi and Bluetooth-enabled devices sold on Amazon.

They found that “31% of apps do not use any encryption to protect device-app communications; 19% use hard-coded keys. A large portion of apps (40-60%) use local communications or local broadcast communications, thus providing attack paths that exploit encryption or use hard-coded encryption keys.”

Is too rapid growth good for the development of IoT itself?

IoT applications have begun to penetrate our lives and are growing explosively. But there is still a serious problem in the IoT industry: manufacturers tend to fix vulnerabilities after a breach or after security researchers discover vulnerabilities. They don't build strong security into their products before they are released to prevent problems.

At the same time, Larry Trowell, chief consultant at Synopsys, pointed out: "As more professionals join the IoT industry, the rate of devices undergoing security testing is increasing. And security testing tools are becoming more sophisticated."

Calls for government regulation of the Internet of Things

Despite this, IoT security incidents are still emerging one after another. Some experts call on the government to regulate IoT security.

Larry Trowell pointed out that the main problem with government regulation is that technology is developing faster than legislation. He said: "Every element of the Internet of Things will produce new technologies, and in most cases, these technologies are not yet secure enough."

Open source management needs to be strengthened

"Design flaws, security vulnerabilities, and weak passwords are the main factors that cause IoT threats," said Guoliang Yang, senior security architect of Synopsys' Software Quality and Security Department. "At the same time, the IoT industry also needs to pay attention to the safe use of open source code."

The Internet of Things requires countless software to support it. However, developers often pay more attention to the software code they create and ignore the open source code used, which gives hackers an opportunity to take advantage. For example, not long ago, hackers stole data from the analysis service Picreel and the open source project Alpaca Forms, and modified their JavaScript files to embed malicious code on more than 4,600 websites.

According to the 2019 Open Source Security and Risk Analysis (OSSRA) report released by Synopsys, 91% of the audited code bases in the IoT industry in 2018 used open source code, and the percentage of audited code bases with license conflicts was 72%.

Yang Guoliang emphasized: "Of course, we are not saying that enterprises should stop using open source, but they should be proactive in open source management and build security into the Internet of Things from the beginning."

How to prevent IoT hacking

So how can we properly implement IoT security solutions?

Larry Trowell puts it this way: take it seriously.

He added: "People pay attention to driving safety, and they have seat belts, frames, air bags, and make cars safer. People notice these problems and realize their importance, so they will demand changes. Often these changes first happen in top-of-the-line models, and then they are forced to be configured in ordinary vehicles."

“It’s up to security professionals to explain why these things are important and how to address them,” he said. “If we only do one of those two tasks, we’re not going to be effective.”