Forbes Magazine had an interesting article last month about security vulnerabilities in home security products from SimpliSafe, Samsung, Comcast and others. The author highlighted the usual vulnerabilities including default passwords and unencrypted signaling, but, there was one quote that I found particularly interesting.
When quoting the security expert Dr Andrew Zonenberg the author wrote “SimpliSafe has also installed a one-time programmable chip in its alarm, meaning there’s no chance of an over-the-air update. It means there’s no patch coming, leaving all owners without a remedy other than to stop using the equipment, Zonenberg said.”
A one-time programmable chip? Meaning you ship the product and hope that you never have an issue! Can you imagine designing a system that could never be fixed? Where would Microsoft or Apple be if they could not send security updates to their customers? It seems SimpliSafe has learned their lesson and will soon be releasing hardware that allows over-the-air firmware updates.
I believe we can learn two lessons from this story.
1) There is a hardware talent gap. Our reliance on cloud and application development has created a shortage of good hardware and embedded software engineers. The essence of virtualization is the separation of physical hardware from the operating system. It seems some engineers have developed mental hypervisors and no longer understand the dependence of software on the underlying hardware.
When designing a new product, even a purely software product, I would recommend hiring a few electrical engineers. They will be able to explain how keys should be stored in a TrustZone or how a Trusted Platform Module can enhance software security through attestation. Even if they end up performing tasks similar to software engineers their skill set is imperative for the future security of your products.
2) As Benjamin Franklin said, “If you fail to plan you are planning to fail.” Most companies’ product design and development process begins with generating a Technical Requirements Document (TRD) and an Operational Requirements Document (ORD). At TELEGRID we add another document, the Security Requirements Document (SRD). The SRD is developed by our Cybersecurity Subject Matter Experts (SMEs) and is based on NIST requirements and DISA Security Technical Implementation Guides (STIGs). It is a forward looking security document to ensure product flexibility. It helps engineers view the product from a different perspective and identify future security threats.
We need to remember that cybersecurity is a game of cat and mouse. We must break our mental hypervisors to ensure the future security of both our product’s software and its hardware.
Eric Sharret is Vice President of Business Development at TELEGRID. TELEGRID has unique expertise in secure embedded systems, secure authentication, PKI, and Multi-Factor Authentication (MFA).
Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc. The Company will not be held liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use. All information is provided on an as-is basis.