Tide of malware threats turning against the network of devices

Regardless of whether it’s a mobile phone, iPod, printer, car entertainment system, or surveillance hardware, any device that can connect to the network is the next frontier for attack.

As connected devices proliferate, the number of nodes that must be secured increases, especially as the line between enterprise networks and embedded networks blurs. In the following discussion, Adrian calls attention to the risks of malware infiltration through connected embedded devices and presents a proactive approach to rethinking security.

With the surge of malware that threatens to invade, steal, corrupt, and destroy sensitive and critical data across business systems, companies have diligently deployed reactive firewalls and anti-spam software. But it was only a matter of time before hackers began targeting devices as gateways to the network.

Security experts have been warning of this possibility for years. As Operating Systems (OSs) become more uniform and devices become more open, the odds of device attacks are steadily increasing. Regardless of whether it's a mobile phone, iPod, printer, car entertainment system, or surveillance hardware, any device that can connect to the network is the next frontier for attack.

Device software stagnation compromises security

Most people assume that devices are secure because they haven't been broken into, but that is not the case. The current state of device security is fairly weak. In the desktop space, processors are getting stronger and more powerful and OSs are becoming more secure.

However, the same is not true for devices; in fact, it's quite the opposite. Instead of making devices perform better or faster, the focus is on making them cheaper and smaller. Consequently, for the last 10 years, embedded devices' processing power, memory, security, and RAM have lagged behind significantly when compared to PCs. Complicating this further, devices do not have a surplus of CPU power to support security.

Another characteristic of devices increases security risks exponentially. In the past, devices were completely proprietary, but OS and application standardization has created opportunities for attackers. Many devices continue to age in the field without receiving updates for prior vulnerabilities found in OSs on the desktop. When all these devices' genetic code is the same and outdated - in a word, stagnant - an assailant can easily repurpose attacks for a PC to instead target a device or a large population of devices. More diversity among processors, OSs, peripheral selection, and data transfer options would help ensure device security.

Increasing malware frequency and sophistication

Another prominent concern is that the types and number of threats are increasing dramatically as malware and viruses are growing in complexity. Malware has turned into a profitable, serious business as shrewd attackers are specializing their trade using professional, advanced software techniques. In fact, some attackers that put malware on PCs can actually update the malware remotely, making it harder to detect and remove. This could easily cross over to devices, wreaking havoc on printers, routers, control platforms, and other applications for small form factor boards.

The Washington Post recently reported that, according to AV Test Labs in Germany, "Approximately 5.5 million malicious software programs were unleashed on the Web last year. That volume forced anti-virus firms to analyze between 15,000 and 20,000 new specimens each day - more than four times the daily average they found in 2006 and at least 15 times as many the company recorded in 2005. In the first two months of 2008 alone, AV Test found more than 1 million samples of malware spreading online[1]."

As data becomes more valuable, no device is safe. To users, a $40 wireless access point may seem insignificant, but to an attacker, it could mean an open door to millions of dollars' worth of information. Organizations and users must consider the potential value of data transferring through their devices and understand what it takes to protect devices from being overrun by malware.

Malware detection harder on faceless devices

In the PC world, it's easy to see if a computer has malware and unload and reload software if it is corrupted. PC users have more access to the programs running on their machines and can look into their process tasks.

Conversely, with most embedded devices, users can see their applications running but have no easy way of knowing what's going on behind the scenes. If a device slows down, the user doesn't know the true cause of the issue; it could be the network, the router, or the server. Most embedded devices are in this sense "faceless" to the user. This lack of visibility makes it very difficult to diagnose problems and recognize malware attacks.

When users misinterpret malware attacks as device performance issues, device manufacturers must remotely diagnose problems or deliver new patches or software, resulting in unnecessary labor expenses. These increased customer care costs pose a significant drawback in terms of device manufacturers' revenues and brand reputation, especially at a time when product life cycles and margins are continuing to decrease.

By incorporating security in devices during manufacturing, device manufacturers can avoid customer care costs due to malware attacks and maintain customer satisfaction and brand loyalty.

Current security models no longer suffice

With malware on the rise, current anti-virus and anti-malware models no longer meet device security requirements. In fact, companies can't add malware protection to innumerable legacy devices that exist in the field today. Network firewalls and other approaches do not work either because attackers can use cryptography to get past them. Those attacks are difficult to see, particularly when they are constantly evolving and changing.

The current approach doesn't work with wireless devices for many reasons. The sheer number of signatures updated per hour makes this method problematic. Storing signatures is impractical because small wireless devices have a fixed amount of memory. Meanwhile, the signature approach negatively affects performance and drains battery life because it requires more CPU power to communicate with the network for constant updates. Cost is yet another concern.

For legacy devices, device-based intrusion detection is more advantageous than signature-based detection. Some security systems protect the entire device application code and place minimal burden on the device. With intrusion-based anti-malware protection, security centers on monitoring changes in the device's behavior to detect malware. This offers stronger security but usually involves a trade-off in performance. While this type of device-based intrusion detection software should be used as an added layer of protection, it does not address the entire spectrum of security issues for devices.

Proactive approach to intrusion detection and prevention

Given the ineffectiveness of current antivirus and anti-malware models, developers must start creating next-generation devices that approach security in a comprehensive manner, detecting intrusion and protecting against security attacks. To truly protect devices, companies need an extensible security framework that secures all aspects of device data, access, and communications in a standard way.

Ideally, devices should contain a security framework designed and architected with software residing on the device and capabilities delivered across the network. Security software must have a small footprint and be asynchronous and event-driven to maximize the device's efficiency and performance in light of limited CPU resources.

Companies should start building a security roadmap within their organization and take a phased approach. A key first step is simply making security a priority and integrating security into the entire development process. In the interim, companies can take other steps to improve device security, such as:

  • Taking advantage of advancements in silicon to make devices secure in every respect
  • Using quality authentication techniques and secure protocols for devices
  • Protecting user information and user log-in information
  • Running code through static analyzers to look for potential vulnerabilities
  • Providing someone on the development team with Certified Information Systems Security Professional (CISSP) training to ensure that security meets standards
  • Thinking ahead to the event of an attack and developing a plan for how to respond if devices are invaded
  • Devising a way to update devices in the field to boost their immunity against malware attacks

Networking devices to the Internet brings tremendous risk as well as value. As devices now represent a vital part of the world marketplace, developers can no longer ignore lagging standards. Developers must be proactive rather than reactive and comprehensive instead of shortsighted when it comes to device security. By fixing the broken design philosophy for the network of devices, developers can guarantee that the value of being connected to the Internet continues to outweigh the risk.

Adrian Turner is CEO of Mocana, based in San Francisco, California. He has more than 15 years of international business experience. Prior to founding Mocana, Adrian was responsible for West Coast Business Development and Alliances for Kenamea, an enterprise communication firm specializing in reliable, secure communications. He also had P&L responsibility for developing infrastructure to support Philips Electronics' connected consumer and business devices. Prior to that in 1996, Adrian launched the world's first network of 225 coin operated Internet kiosks in the Australian market. Adrian holds a business degree in Marketing and Finance from the University of Technology in Sydney, Australia, and has completed the Executive Program for Managing Growth Companies at Stanford University.

Mocana Corporation
415-617-0055
Adrian@mocana.com
www.mocana.com

References

  1. Krebs, Brian. "Anti-Virus Firms Scrambling to Keep Up," Washington Post. March 19, 2008.