
Cesare Garlati, prpl Foundation
Connected devices – or the Internet of Things (IoT) if you prefer – are a reality now. As Cesare Garlati of the prpl Foundation explains in this interview, we’ve been through a “major wave of evolution”, heading towards a situation in which all electronic devices are likely to have some sort of connectivity.
The problem is that the manufacturers producing these connected devices simply aren’t ready for the challenge of securing them. There are serious technical complexities and the right skills are thin on the ground. There’s also a constant pressure to keep adding more components to devices, more features, making them easier to use. Vendors focus on the user experience and features rather than security.
Some products may seem harmless – who cares if your car’s entertainment system gets hacked? But attackers may be able to use that as an entry point, perhaps pivoting on to more serious systems that are connected to each other via, say, the CAN bus. And some of the biggest concerns are about devices used in the healthcare industry, such as those that automatically deliver drug doses.
Often, the vendors developing these products are thinking in terms of automation, not connectivity. And the connectivity capabilities are commonly provided by libraries, APIs or other code that effectively becomes a black box. Garlati describes this as a kind of ‘original sin’.
This critical code is not signed and does not depend on any kind of secure boot – an attacker could replace software, even reflashing firmware, and the system will be none the wiser because there are no cryptographic checks on what’s being run. The prpl Foundation’s approach is to add a thin layer of software to provide root of trust and secure boot through virtualisation. With a secure, trusted hypervisor layer, the rest of the software can be run as guest applications.
For this approach to take off, says Garlati, the industry needs to embark on an education campaign and change the mindset of developers and vendors to one of, “if it’s not secure, it doesn’t work”.