Locking Down IoT at the Source | Part 1: How Vulnerable Is Your Manufacturing?


In this episode of The Critical Lowdown, host Ciara leads a compelling discussion with cybersecurity experts Malcolm Kitchen (Global Security Specialist, EPS Global) and Shawn Prestridge (U.S. FAE Team Leader, IAR Systems) on the urgent challenges and solutions in embedded security for connected devices. As the number of IoT devices surges—expected to reach 42 billion by 2025—so do risks like supply chain attacks, counterfeit components, ransomware, and device hijacking.

Shawn breaks down common attack vectors, from firmware injection to gray-market hardware, while Malcolm explores how new regulations (like the EU Cyber Resilience Act and UK PSTI) aim to enforce stronger security standards. The conversation also tackles the double-edged sword of AI, which empowers both defenders and malicious actors, and addresses the business case for security investments—proving that proactive measures are far cheaper than the fallout from breaches.

Transcript

Ciara: Welcome, everyone, to our panel discussion on embedded security here on the critical lowdown. I’m delighted to be joined by two experts:

  • Malcolm Kitchen, Global Security Specialist and FAE here at EPS Global, and
  • Shawn Prestridge, U.S. Field Applications Engineer Team Leader at IAR Systems.

They’re going to help us understand the evolving security landscape for connected devices and explore practical approaches to implementing security from manufacturing through to deployment. Let’s begin by looking at why this topic has become so urgent in recent years. Embedded devices have complex manufacturing processes, pulling together components from a variety of sources with multiple touch points and often through different environments that make them particularly vulnerable to supply chain attacks. Shawn, can you tell us what the common attack vectors are?

Shawn: Some of the things that we’ve seen, especially in recent times, is supply chain manipulation where someone hijacks a particular component needed to manufacture a device and replaces it with a compromised component. Sometimes this is done very deliberately to compromise the device. In other cases, it could be that your contract manufacturer isn’t exactly on the up and up, and they find a device on the gray market that they can get much cheaper and therefore pad their pocketbook. 

So there are many reasons why someone would want to do that. But other threat vectors people look at include firmware injection. Can I make this device do something completely different? When you look at hackers that do this, they often do it just to see that they can and to get street cred amongst other hackers. But occasionally they’re actually trying to push an agenda or they’re trying to earn quick and dirty money off of it. 

Counterfeit gray market goods are a huge problem that we’ve helped some customers tackle. In one particular instance, a customer had a device that was available in the Asian market before it was available in the US and UK. The concerning thing was it was never intended to be part of the Asian market – it was only intended to be sold in the US and UK. 

Another major threat comes from exploits in third-party libraries that you may be pulling into your code – that’s simply a common fact of life in software development. That’s why people are building SBOMs, or Software Bills of Materials, to be able to check those components for known vulnerabilities or CVEs. 

A less common but still concerning threat is compromised manufacturing tools, where programming heads might actually be tampered with. While you don’t see that quite as much, there are so many different attack vectors that it has become a nightmare for manufacturers trying to produce devices and anticipate the various threats they face when designing safeguards. That’s the challenging landscape we’re operating in today. 

Ciara: Presumably there’s a lot of consequences with these attacks. Can you run through some of those? 

Shawn: Yes, absolutely. One of the more common threats we see today is ransomware attacks, where a device essentially becomes unavailable, or the data that has been collected in a database becomes inaccessible until you pay some sort of ransom to obtain a decryption key. 

Device takeovers have also become very common. In a device takeover, a hacker essentially repurposes the device for their own ends. I’ve seen cases where on hacking forums, you can get IoT connected devices that basically act as VPN endpoints. If you want to bypass geo-restrictions on Netflix, you could use it for something as seemingly harmless as that. 

In other cases, it could be much more nefarious, where attackers use a private IoT device to mask the fact that they’re actively attacking a nation state or military infrastructure, essentially hiding their tracks behind compromised civilian devices. 

There are many reasons why these attacks are carried out. Some actors disrupt operations because a particular person or group has a grievance with a company and wants to cause operational harm or financial damage. Espionage is another significant concern – we’ve seen where software like Pegasus has been exploited to spy on journalists or potential political opponents in certain countries. 

Another attack vector we’ve observed is botnet creation. This involves creating a distributed denial of service capability through networks of compromised devices that can be activated at any point. 

There are numerous motivations and methods behind these attacks, but they all fundamentally stem from the fact that these devices aren’t properly authenticated. That’s really what we’re addressing here – how do we prevent these things from happening? The encouraging news is that there are some straightforward steps you can take to significantly enhance the security level of your embedded devices. 

Ciara: Thanks Shawn. Have you any examples of these supply chain attacks? 

Shawn: Well, some notable examples we’ve seen include Stuxnet, which was a sophisticated supply chain attack. How did Stuxnet infiltrate Iranian nuclear facilities at Natanz? There’s considerable speculation around this because most analysts believe it was orchestrated by nation state actors, given the extraordinary level of effort and resources involved. 

SolarWinds was another significant example, where a malformed update slipstreamed in a backdoor – also attributed to nation state actors. Supermicro experienced issues where compromised parts and components were introduced into their supply chain. These are just a few examples of where these types of attacks have occurred. 

What’s truly concerning is that these are only the attacks we’ve heard about. Taking a step back, you realize there are likely many more that remain undisclosed because they’re still actively ongoing. The most sophisticated attacks are the ones you never hear about. But as I mentioned, there are security measures you can implement to help prevent these threats. 

It’s important to understand that security is fundamentally a cat and mouse game. As I like to say, security is not a destination, it’s a journey. As soon as you up your security game, the hackers will inevitably advance their cryptanalysis techniques or develop new methods to breach systems. However, you can make their job significantly more difficult by implementing robust security measures. That’s precisely what we’re going to explore further in this discussion. 

Ciara: Absolutely. You’re right – there are likely many organizations quietly paying ransoms that never get reported, simply to resolve the issue and continue their business operations. But appropriately, we’re now seeing a wave of new security legislation being rolled out globally, from the EU Cyber Resilience Act to the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act. Malcolm, what’s the fundamental reason driving this regulatory push?  

Malcolm: When we think about how many IoT devices are now being manufactured, various estimates exist. The latest figure I saw was 42 billion devices that are going to be in play by the end of this year, which is an absolutely massive number. As Shawn alluded to, if you manage to create a bottleneck or exploit the network effect within this vast ecosystem, you can cause serious damage to consumers. This is effectively what the legislation is doing: trying to protect us as end users who are using these IoT devices. 

I often draw an analogy: think about when we all started using Windows back in the 1980s. 

Ciara: You’re going back a bit there, Malcolm! 

Malcolm: We weren’t thinking as much about Norton and the various virus protection tools we all run now! Just today, I’ve had several updates on my laptop protecting against viruses. With IoT, this protection needs to be implemented at the forefront of the device’s design and operation. That’s effectively what the legislation is all about. 

Of course, it’s also protecting the manufacturers of these products. Counterfeiting, as Shawn mentioned earlier, is a major problem. The more security you implement, the fewer counterfeit products you’re likely to encounter. 

The legislation addresses fundamental issues. One of the first things targeted was the use of unique passwords. This is an area where we’ve all been historically lax. Many IoT products used to be delivered with standard, predictable passwords. With this legislation in place, that practice is no longer acceptable, which is a very positive development. 

However, this also presents challenges. Anything in manufacturing that isn’t standard or requires unique creation per device is inherently complex. Luckily, companies like IAR have developed Hardware Security Modules (HSMs) capable of uniquely injecting credentials like passwords into each device, which we’ll discuss in more detail. 

Ciara: These regulations certainly create new obligations for manufacturers. It’s also important to remember that the challenges go beyond ensuring unique passwords with the delivery of the IoT device; Artificial Intelligence (AI) is simultaneously increasing the capability of hackers. How is AI changing the threat landscape for embedded systems, Malcolm?

Malcolm: Yes, AI is effectively a double-edged sword, Ciara. It’s a very powerful tool that many of us are likely getting great use out of. However, malicious actors are getting just as much use out of it. It significantly ramps up the capability of hackers. 

Consider how they can automate malicious attacks; the potential is multiplied significantly. It certainly adds to the major risks we face. Also, AI lowers the barrier to entry, enabling individuals with less cybersecurity knowledge to attempt attacks on IoT devices. It’s definitely a double-edged sword that we need to actively protect against. 

Ciara: Absolutely. With regulatory pressure, the evolving threats Shawn mentioned earlier, and the influence of AI all pushing the security agenda forward, we face a challenge. 

In markets like consumer IoT, digital security adds cost to an already price-sensitive segment. Shawn, how can that additional investment be justified to business stakeholders? 

Shawn: That’s an interesting question because we do hear people discuss that, and there are several ways to approach it. 

Firstly, we’ve all experienced significant inflation over the last four or five years affecting nearly every good and service. It’s unrealistic to think that the prices of consumer goods and services won’t also see some inflation, partly because the components being added, even for security, contribute a small expense to the bill of materials. Therefore, you have to either eat the cost yourself or you have to consequently raise the cost.  

But the interesting thing is that adding security to your device really doesn’t add that much cost. So when I say it doesn’t add much cost, depending upon what you’re doing, it could be, you know, a matter of single cents. And while that does increase your bill of materials, you can effectively put that into other price increases that you have. It becomes almost invisible to customers because they more or less look at it as, you know, I’ve seen the price of milk and gasoline, petrol continue to go up. So I’m not surprised that the price of everything else that we’re doing seems to also be creeping up.  

Looking at it more holistically, we’ve seen instances, perhaps less frequently now but still occurring, where companies resist spending on security. Then, when their name hits the headlines due to a massive data breach involving leaked personally identifiable information (PII) – often because basic security protocols were ignored – suddenly, no expense is too great to fix the problem. As Benjamin Franklin said, “An ounce of prevention is worth a pound of cure.” Implementing some security upfront can prevent many of these incidents or significantly reduce their likelihood. 

This ties into brand protection. Companies invest considerable time, money, and energy building their brand, finding their niche, and creating customer value. Damaging that brand through the liability associated with leaking personal information is a significant risk. Some customers attempt to sidestep this by claiming they don’t collect PII. 

Modern research, however, suggests this is often a failure of imagination. Databases have what’s known as a K-anonymity factor (K-factor), indicating how many supposedly anonymous datasets need to be combined to effectively de-anonymize the data. I recall an example involving a British Prime Minister whose family was personally identified by a database researcher using supposedly anonymized NHS datasets, highlighting the reality of this problem. 

There’s effectively no such thing as completely anonymized data because combining it with other seemingly anonymous datasets allows for individual identification. Most databases have a K-factor around 2.7, meaning, on average, combining just under three “anonymized” databases can identify 90% of the individuals within them. 

So you have to get beyond the “well, it’s not my problem.” It is your problem. You have to address this. And the legislation, particularly the GDPR in Europe, makes you have to care about this. And you need to take measures to try to address this. As we said, the great thing is that it’s not overly onerous to deal with this, as I know we keep doing a lot of lead up here. But there are some simple and easy ways that you can address this. And it doesn’t really cost you that much. So I’m going to leave that cliffhanger there for a second and see what other questions you have.

Ciara: For a relatively low cost, you are protecting yourself from brand reputational damage and safeguarding your brand. Also, it’s not just about preventing consumer data leaks; ransomware attacks themselves represent very costly liabilities that could potentially be avoided with appropriate security measures. 

https://www.epsprogramming.com/podcasts/locking-down-iot-at-the-source-how-vulnerable-is-your-manufacturing-part-1/
