We are entering a period of rapid growth for IoT devices and services, which poses quite a few security risks.
The IoT has begun disrupting our daily lives by enabling an analytical revolution. Yet, while digitizing everything allows us to do things unthinkable decades ago, there are drawbacks: the growing number of gadgets connected to the Internet makes data theft more attractive.
Unfortunately, even commonly used measures such as private static IP addresses and VPNs can’t always ensure secure remote access to these devices.
Natali Tshuva, CEO and Co-Founder of Sternum, a company that secures IoT devices from the inside out with real-time on-device protection and visibility, was contacted to learn what security precautions are necessary for personal IoT devices today and what can be expected from this sector in the near future.
How did the Sternum originate? What has your journey been like?
I heard someone say that hackers are born - not made. I don’t know if that’s always true, but it was true for me. Even as a child, for as long as I can remember, I was always fascinated with technology. Coding just came naturally somehow, and at the age of 14, I was already studying for my undergraduate degree in Computer Science.
After graduating, I was recruited by the 8200 cybersecurity unit, which is basically the IDF equivalent of the NSA. I can’t speak too much about what we did there, of course. What I can say is that it was a transformative experience that got me deeply involved in cybersecurity and showed me things few people - even in tech - ever get to see.
After my service, I spent some time in the private sector, developing high-value and high-impact security products. At that time, as a researcher, I was responsible for uncovering several zero-day vulnerabilities - mostly in Android/Linux devices and in embedded systems.
It was that experience that laid the mental groundwork for Sternum, since it made me realize just how completely broken the current IoT security approach was - specifically its focus on retroactive patching and perimeter defenses, which was all but useless against the attacks that could be launched using the zero-day vectors I uncovered.
I was also studying for my Master's, and through that period – in my mind – I felt the idea of Sternum growing bigger and more defined. What I envisioned, and what would later become our product, was a way to protect any connected device from every attack by embedding security into the firmware. A self-correcting security solution is not dissimilar to what RASP and other deterministic protection solutions are trying to achieve on the application and data security fronts.
Taking these principles and adapting them to the IoT with a lightweight solution that works on even the simplest and most resource-lean devices is the core idea of Sternum. And through this promise, today we can protect everything from insulin pumps and heart monitors to railway sensors, network gateways, and industrial control devices.
Can you introduce us to your platform? What are its key features?
- Security – EIV™ (Embedded Integrity Verification) is the security solution at the core of our product. At a high level, however, this is our unique solution that protects devices by deploying “hooks” across the firmware code and using them to identify exploitation attempts, regardless of the specific attack vector.
It could be a known vulnerability or a zero-day one; we don’t care. We also don’t care about what device you have or what OS it uses. Our solution is universally effective because what we monitor for is anything that interferes with regular software, firmware, application or OS function. Essentially, we look at the device from a hacker's perspective, understand how it can be breached, and make sure that it won’t.
In the event of an attack, once we detect any malicious activity, we block it and trace it back in a detailed timeline that helps understand exactly how the attacker was trying to get in.
- Observability – Our embedded presence on the device allows us to collect a lot of data, including having a full view of health metrics, resource utilisation, software changes, etc. It also enables our customers to collect their own logs, metrics, and data with our portable embedded observability SDK.
This enables our platform to double as a debugging and troubleshooting tool for the engineering teams, who can trace back any malfunction and create timelines of changes that led to an issue, even if not security related.
We created a robust set of customizable dashboards that support this functionality, and today we have engineers spending 3+ hours a day on our product as they work on developing or updating IoT devices.
It was a use-case we didn’t anticipate in the beginning, but started to invest heavily in, once we saw how our platform was being used. Interestingly, especially in the last year, more and more organisations have come to us looking for ways to streamline and speed up development.
- Anomaly Detection – This is the latest addition to our capabilities. We collect a lot of data (logs, metrics that the customers choose to collect using our SDK) and so we created an AI engine to look for anomalies, using these insights, which can be used for both security and debugging purposes.
For security purposes, this is a safety-net, to flag activities that look suspicious but not outright malicious. For engineers, this is an autonomous error and health monitoring tool that can identify emerging issues before they escalate into a full blown problem.
The solution is self-learning, so it works out-of-the-box, and it’s purpose-made for IoT.
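The kind of self-learning metric anomaly detection described in the answer above, shown as an added example that is not Sternum's engine or code: each (device, metric) pair gets its own running baseline (Welford's online mean/variance), nothing is judged until a warm-up period has passed, and a sample is flagged when it lies more than a chosen number of standard deviations from the learned mean. Device names, metric names, telemetry values, the warm-up length and the threshold are all constructed for this illustration.

```python
# Added illustration, not Sternum's engine: a self-learning per-metric
# baseline that flags outlying device telemetry. All device/metric names,
# values and thresholds below are constructed for this example.
from collections import defaultdict
from dataclasses import dataclass
from math import sqrt
from typing import Iterable, Optional, Tuple

Sample = Tuple[str, str, float]            # (device_id, metric_name, value)
Anomaly = Tuple[str, str, float, float]    # (device_id, metric_name, value, z_score)


@dataclass
class MetricBaseline:
    """Running mean and variance of one metric (Welford's online algorithm)."""
    count: int = 0
    mean: float = 0.0
    m2: float = 0.0   # sum of squared deviations from the running mean

    def update(self, x: float) -> None:
        self.count += 1
        delta = x - self.mean
        self.mean += delta / self.count
        self.m2 += delta * (x - self.mean)

    @property
    def stddev(self) -> float:
        return sqrt(self.m2 / (self.count - 1)) if self.count > 1 else 0.0


class AnomalyDetector:
    """Learns a baseline per (device, metric) and flags samples far from it."""

    def __init__(self, warmup: int = 20, threshold: float = 4.0, min_sigma: float = 1e-6):
        self.warmup = warmup          # samples to learn before judging anything
        self.threshold = threshold    # z-score above which a sample is flagged
        self.min_sigma = min_sigma    # guards division by zero on constant metrics
        self.baselines = defaultdict(MetricBaseline)

    def observe(self, device: str, metric: str, value: float) -> Optional[Anomaly]:
        baseline = self.baselines[(device, metric)]
        if baseline.count >= self.warmup:
            sigma = max(baseline.stddev, self.min_sigma)
            z = abs(value - baseline.mean) / sigma
            if z > self.threshold:
                # Do not fold the outlier into the baseline, or a sustained
                # abnormal state would slowly teach the detector that it is normal.
                return (device, metric, value, round(z, 1))
        baseline.update(value)
        return None

    def analyze(self, samples: Iterable[Sample]) -> list:
        """Run a whole telemetry stream through observe() and collect the hits."""
        return [a for a in (self.observe(*s) for s in samples) if a is not None]


def constructed_telemetry() -> list:
    """Constructed sample stream: steady heap and CPU readings, then two outliers."""
    stream: list = []
    for i in range(30):
        stream.append(("pump-01", "heap_free_bytes", 40000 + (i % 5) * 10))
        stream.append(("pump-01", "cpu_pct", 12 + (i % 3)))
    stream.append(("pump-01", "heap_free_bytes", 5000))   # sudden heap exhaustion
    stream.append(("pump-01", "cpu_pct", 13))             # still within baseline
    stream.append(("pump-01", "cpu_pct", 97))             # CPU spike
    return stream


def run_demo() -> list:
    """Returns the anomalies found in the constructed stream (two expected)."""
    detector = AnomalyDetector(warmup=20, threshold=4.0)
    return detector.analyze(constructed_telemetry())


if __name__ == "__main__":
    for device, metric, value, z in run_demo():
        print(f"{device} {metric}={value} deviates from baseline (z={z})")
```

Two design choices matter in practice: the warm-up period prevents the first few noisy readings from triggering alerts, and a flagged sample is deliberately kept out of the baseline so that a device stuck in a bad state does not gradually redefine "normal". The `min_sigma` floor handles the edge case of a metric that never varies (a version field, a fixed buffer size): with a zero learned deviation, any change at all is reported.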
In your opinion, what are the most serious vulnerabilities associated with IoT devices?
The IoT world is a chaotic mix of devices – old and new, with different operating systems, third-party libraries, and limited internal resources. It’s hard to pinpoint a specific vulnerability or a set of vulnerabilities that would be considered the most serious, and even if I was able to pinpoint one today, that wouldn’t be true for tomorrow.
The underlying issue is a lack of standardisation. Every manufacturer is caught in its own “IoT patching nightmare,” chasing the latest vulnerability found on its devices. Meanwhile, firmware is the only true shared single-point-of-failure.
In a recent draft report from DHS, there is a quote saying: "The firmware layer is often overlooked, but it is a single point of failure in devices and is one of the stealthiest methods in which an attacker can compromise devices at scale...”
This summarises everything that we are working to address, and everything that the IoT industry should be really worried about.
How did the recent global events affect the IoT landscape? Have you noticed any new security issues arising as a result?
I think that 2020 and 2021 will be years of unprecedented digital transformation. This gave a huge boost to the IoT market, which grew by ~50% in the last two years, from 11.5B in 2019 to nearly 16B in 2021.
From a security point of view, this created a much bigger attack surface, and I don’t think that the security solutions are moving quickly enough to catch up.
Why do you think so many companies struggle to keep all of their devices under control?
There are a lot of new devices, and a lot more legacy ones that are even less protected but still widely used. But the main problem is that the industry is playing a “catch up” game with patches.
It usually goes like this: a new vulnerability is announced, and a patch is issued a few days (sometimes weeks or months) later. However, by the time the patch is issued, and assuming it is immediately applied - which is a very generous assumption by itself – the attackers will already have had plenty of time to make their move.
Moreover, a lot of the zero-days that are being announced have already been exploited in the wild for a while before they are identified and documented by the White Hats. So it's a losing game, and the only way to create a winning condition is to change the rules and embed the security solutions in the device for constant real-time monitoring of health and security status.
This is already happening elsewhere in IT. For instance, you would never suggest not having your servers constantly secured and monitored. IoT devices are not different – they are infiltration points for APT attacks, things that hold valuable intellectual property or maybe even have the potential to endanger lives - especially in the case of sensors and medical devices.
I think more and more companies, and regulators, are starting to recognize that, but there is a lot of work that needs to be done to compensate for years of neglect.
Besides IoT security, what other cybersecurity details do you think are often overlooked by organizations?
It might be just my perspective, but I feel that the IoT is the most overlooked asset class in security today. That said, I think other things perhaps present a more complicated problem to solve, for example, the human element, which continues to be a challenge.
The other problem is the proliferation of security solutions. We have one for each problem: data security, cloud, endpoints, APIs, browsers… The list goes on and on. Orchestrating all of those different solutions is an unsolved challenge, and it creates information and security gaps and silos. For me, this underlines the need for a platform approach.
Speaking of individual users, what security measures do you think are essential for personal IoT devices?
I think that users don’t need to be security experts, they just need to be security-minded and expect to have their devices secure by default. However, they should never assume that they are because – today at least – chances are that they are not.
In a perfect world, we would all be conscious consumers that inquire about the security measures of our IoT, just like we check for food ingredients on the side of the cereal box. What we see is regulators starting to push the industry in that direction.
For example, recently the US government initiated a program together with NIST to develop an IoT consumer labeling program in order to create a standard for individual users to know how secure their IoT devices really are. To me, this is a step in the right direction.
Share with us, what does the future hold for Sternum?
In the Verizon Mobile Security Index report last year, 41% of respondents admitted to sacrificing IoT security to "get the job done."
Changing this paradigm is our next challenge. We have disruptive technology that works. Our goal now is to break through the brick wall of disappointment that prevents IoT manufacturers from testing “yet another” security solution.
On the initial call, the most common response we get - and I'm paraphrasing a bit - is: “this can’t be right.”
After the POC, we hear things like “This is like magic!” - and this IS a direct quote.
We are not asking anyone to believe in magic, but we have built something unique and we are focused on getting it into as many hands as we can by putting out tech where our mouth is.