This year we’ve witnessed several critical cyber attacks. Very recently, our nation was hit by the Equifax data breach, which has left half the country and its financial data incredibly vulnerable. In May it was the ransomware attack, WannaCry, which affected over 200,000 computers across 150 countries. In June a Petya-like attack in Ukraine left hundreds of businesses inoperable. In a recent Inside Counsel article, FairWarning CEO Kurt Long explains that these attacks and the cyber criminals behind them are becoming more sophisticated and organized: “Cyber criminals have morphed into businesses with capabilities to organize and build large attacks.” By the year 2020, the number of exposed points of entry for cyberattacks will reach over 20 billion as more and more IoT devices are brought into homes, offices, and cars.
Sacrificing Security for Speed of Development
Recently, studies have found that not enough companies are taking the right steps to prevent cyber attacks. The U.S. Department of Homeland Security states there has been an increase in the number of companies that are taking on the much more “difficult and expensive endeavor of attempting to add security to products after they have been developed and deployed.” Today, too many attacks are occurring because platform developers are bypassing crucial security protocols in an effort to push products out in a timely fashion.
If the IoT, and more specifically connected security systems, are going to survive, security needs to be the main point of focus and must be present throughout a system’s embedded software, communications, cloud platform, and applications. Proven methods of encryption and sophisticated PKI are the key to resisting attacks and hackers who will find a way to exploit any unpatched vulnerability. The necessity of keeping all of your components patched and up to date is best showcased by the recent cyber attacks and by events at last year’s Defcon Conference, which resulted in the hacking of 12 out of 16 connected smart locks; one of the four locks that remained secure was powered by UniKey.
There are several recommended security protocols for IoT devices and platforms in place so that smart locks and mobile key platforms are not subjected to the same kind of exploits that were discovered at Defcon 2016. For starters, one of the many methods of securing data transmission is the implementation of a robust Public Key Infrastructure, or PKI. A PKI is potentially a company’s greatest security asset, and could mean the difference between a resilient system and a hacker’s dream. A product’s PKI, especially in the access control industry, should be designed to employ a unique shared secret for each phone, lock, and gateway in order to ensure secure communication. At UniKey, we treat each interaction between a user and our devices as unique, so it can never be replayed. Under UniKey’s PKI system, additional shared secrets are also produced every time a user attempts to pair their smartphone with a lock, adding another layer of protection against possible replay attacks.
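The following sketch illustrates the replay defence described above. It is an added example, not UniKey's protocol or code: a lock keeps a separate secret per paired phone and only accepts a command bound to a fresh, single-use nonce. The class and function names, the use of HMAC-SHA256, and the message layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class Lock:
    """Verifier side: one secret per paired phone, single-use challenges."""

    def __init__(self):
        self.pair_keys = {}  # phone_id -> secret created at pairing time
        self.pending = {}    # phone_id -> nonce still waiting for a response

    def pair(self, phone_id):
        # Every pairing produces a new random secret; none is shared between devices.
        key = secrets.token_bytes(32)
        self.pair_keys[phone_id] = key
        return key  # assumed to reach the phone over an already protected channel

    def challenge(self, phone_id):
        nonce = secrets.token_bytes(16)  # fixed length keeps nonce||command unambiguous
        self.pending[phone_id] = nonce
        return nonce

    def handle(self, phone_id, command, tag):
        nonce = self.pending.pop(phone_id, None)  # consumed: valid for one attempt only
        key = self.pair_keys.get(phone_id)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce + command, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)  # constant-time comparison


def phone_response(key, nonce, command):
    """Phone side: bind the command to the lock's fresh nonce."""
    return hmac.new(key, nonce + command, hashlib.sha256).digest()


def demo():
    lock = Lock()
    key_a = lock.pair("phone-A")  # constructed identifiers
    key_b = lock.pair("phone-B")
    tag = phone_response(key_a, lock.challenge("phone-A"), b"UNLOCK")
    first = lock.handle("phone-A", b"UNLOCK", tag)   # legitimate request
    replay = lock.handle("phone-A", b"UNLOCK", tag)  # captured bytes, nonce already used
    lock.challenge("phone-A")
    stale = lock.handle("phone-A", b"UNLOCK", tag)   # old tag against a new nonce
    other = phone_response(key_b, lock.challenge("phone-A"), b"UNLOCK")
    wrong_key = lock.handle("phone-A", b"UNLOCK", other)  # another device's secret
    return first, replay, stale, wrong_key


if __name__ == "__main__":
    print(demo())
```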
Anticipate Attacks (Cryptographic Noncing helps prevent replay attacks)
Creating multiple layers of encryption and making sure your product’s PKI is up to par are not the only ways to prevent cyber attacks. Developers must also be on the lookout for any bugs or attack surfaces in a system’s framework. Even if your company believes it has the most secure platform on the planet, security audits should be performed on a regular basis. Additionally, it’s critical for platform and user security that companies understand and recognize the risks and limitations in their own platform, so they may implement preventative measures against botnets, DDoS, and man-in-the-middle (MITM) attacks, which have impacted several pieces of software and IoT devices across the nation.
To conclude, building access control that your customers can trust begins with the implementation of preventative security measures. There’s a very dangerous trend in place where IoT platform developers rush to get a device on stores’ shelves, leaving little time to properly fortify the software and hardware of the device. Ryan Dean of Altman Vilandrie & Company states that “there are lots of providers developing innovative [IoT] solutions, but when it comes to purchasing decisions, buyers are looking for a brand and product they trust.” In keeping up with the IoT trend, access control is going from legacy systems like RFID and magstripe cards to wireless, connected readers and deadbolts. As access control providers continue to make the move to IoT-enabled digital credentialing like mobile access control, it’s imperative that security remain at the forefront of every developer's mind. To learn more about building secure access control products visit www.unikey.com.