IoT Cybersecurity Startup Landscape Part 4: Firmware Security

Brief introduction

There are currently more than 14 billion IoT devices in use at homes and businesses nowadays. Our reliance on connected devices will continue to rise in the long run as we increasingly leverage IoT to improve our quality of life. At the same time, IoT devices are getting more complex on all levels: hardware, firmware, operating system and application software.

One big problem nowadays is the lack of visibility within the supply chain of connected devices, which puts OEM/device manufacturers’ reputations and prospects at risk. OEMS are unaware of the 3rd party and open-source software they use for their product lines — this might include SDKs that were built with backdoors or unsecure user accounts configured on the software. Furthermore, device manufacturers might also not have visibility into the vulnerabilities within the firmware or the firmware updates that are rolled out.

Firmware is a class of software that provides low-level control for the hardware of IoT devices. Up until now, cybersecurity solutions have primarily been focused on securing the OS and application layers — information security is mainly addressed from the OS layer and up, with the hardware layer being assumed to be secured already. Firmware has been an unprotected attack surface that hackers have used to get into corporate networks. To make things worse, firmware code is typically difficult to patch, is not audited or verifiable and contains vulnerabilities.

What have been some of the consequences?

In the past several years there has been many high profile data breaches involving large enterprises and industrial organizations. The impact of firmware vulnerabilities range from minor performance decreases to having complete control over a device. For example: in 2016, the Mirai botnet infected more than 2.5 million IoT devices and used default firmware passwords to execute a DDoS attack that took down companies including Amazon, The New York Times, Netflix, etc

Unfortunately, the rate of growth of vulnerabilities in firmware will keep rising as devices are built increasingly complex — new firmware components often have millions of lines of code and are all susceptible to design flaws and bugs, which introduces new attack vectors.

Source: Eclypsium

Some of the most common firmware vulnerabilities include:

• Open source code: since IoT devices frequently use 3rd party open-source components with undocumented sources, firmware is often left as an
• Encryption keys: hackers can hack encryption keys to gain access to devices, perform malicious acts on devices or eavesdrop on communications
• Password hashes: lots of the firmware in devices still have hard-coded passwords that users cannot change, resulting in these devices being easy to exploit
• Hidden backdoors: these are intentional vulnerabilities planted into embedded devices to allow remote access using a secret authentication information (used especially in customer support)

What have regulators done so far?

In order to improve the security within supply chains, regulators around the world have come up with laws to enforce a base level of IoT Security. California’s new SB 327 law requires all “connected devices” to have a “reasonable security feature”. At the same time, FERC and NERC have updated their regulatory standards for critical infrastructure to include deep visibility and transparency into the authenticity and integrity of the software running on the grid. Utilities now are also required to perform firmware vulnerability analysis to improve supply chain security

The US Senate also recently passed the IoT Cybersecurity Improvement Act (H.R.1668) as a step to ensure the security of critical systems. H.R.1668 will help issue new standards and guidelines to the federal government on appropriate management of IoT devices controlled by a government agency. This will require organizations to monitor, manage and mitigate aspects such as supply chain risk, software vulnerabilities, active threats and other regulatory and compliance risks.

What are the startup solutions in the market?

Organizations everywhere are now ramping up their cybersecurity measures against hacking and also evaluating their supply chains for hidden vulnerabilities and back-doors. Unfortunately, traditional cybersecurity solutions such as perimeter firewalls and other legacy defenses are not able to address targeted IoT firmware threats such as zero-day exploits or careless insiders. Furthermore, penetration testing and vendor risk management solutions only give limited view of device risk and at a specific point in time.

For starters, the most common IoT firmware exploits can be avoided with good cybersecurity practices by the device manufacturers including firmware upgrades, inventory compilation for risk management and implementation of secure coding practices. Nevertheless, these measures are not enough to keep hackers out.

A new wave of startups has come up with innovative solutions to reduce risks for firmware components within connected devices, such as by analyzing the firmware throughout the supply chain and understanding the components used to build or update the product. The solutions we see in the market can be classified into a few types:

• Identify: solutions that help identify and understand firmware vulnerabilities so that businesses can more effectively manage risk and business needs
• Protect: solutions that implement controls to protect data confidentiality and integrity, while ensuring resilience of systems and assets
• Detect: solutions that provide real-time monitoring capabilities for both network and physical activities

So what’s next?

Device manufacturers will continue to uncover and address security vulnerabilities in their device firmware throughout the IoT device with security countermeasures such as secure boot, hardware-based firmware updates and strong authentication. There will be more solutions focused on securing the hardware, firmware and software components of all IoT devices for both pre and post market release. These will implement security-first designs in the software development lifecycle to secure both pre-market and post-market aspects of the devices.

For now, there’s only a handful of startups in the IoT firmware cybersecurity space. There will be many more to come into this sector in the near future as firmware security becomes an increasingly pressing problem. Many of these startups will begin by capturing a specific vertical and slowly expand into new verticals, while building channel partnerships with incumbent cybersecurity vendors to grow their customer base.

Supply chain security has already become a corporate boardroom priority, and I expect to see some consolidation in the next few years as incumbents look to offer comprehensive IoT cybersecurity solutions (including securing the entire supply chain).

This article concludes my series of IoT cybersecurity startup landscapes. I hope you enjoyed learning some interesting things about the cybersecurity sector.

Disclaimer: This blog represents solely my own opinions, not my employer’s.