
At one time, embedded devices, such as access control components communicating with application software, used proprietary protocols like RS485. Use of proprietary protocols kept these devices safe from attack. However, in this article TDSi Technical Director Mike Sussman explains that the growth of the Internet of Things (IoT) involves a move toward IP-based systems and open standards that leaves modern systems, including embedded devices, more likely to be targeted by a wide range of criminals.

Cyber-attacks’ impact on IoT devices

So, what exactly are the vulnerabilities and the impact of cyber-attacks on IoT devices? Let me give you one example. In a typical access control system, if someone tries to enter an invalid PIN more than four times, then the reader would be locked and an event raised upon which action can be taken. What about invalid passwords when logging in to an embedded system? I bet that the majority of systems will let you keep trying without any preventative shutdown measures in place. With the power of modern computers, it wouldn’t take too much to run a brute force attack to obtain the password and therefore gain access to the device. In fact, at the recent Mobile World Congress, a leading security expert used a brute force attack to gain access to poorly protected CCTV cameras. You might say that this doesn’t impact security; however, if I were to say that one camera was in a primary school and another monitoring retail tills and payment terminals, would this change your mind?
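The PIN-style lockout described above, applied to an embedded device's password login, as an added example (not code from the article or from TDSi). The names `login_guard` and `login_attempt`, the 300-second lock period and the direct string comparison are assumptions made for illustration; a real device would compare a salted password hash.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FAILURES 4    /* lock once invalid attempts exceed four, as for the PIN reader */
#define LOCK_SECONDS 300  /* assumed lock period; the article gives no figure */

typedef enum { LOGIN_OK, LOGIN_BAD_PASSWORD, LOGIN_LOCKED } login_result;

typedef struct {
    unsigned failures;     /* consecutive invalid attempts */
    uint32_t locked_until; /* device uptime (s) when the lock expires; 0 = not locked */
    unsigned lock_events;  /* lockout events raised for the monitoring software */
} login_guard;

/* Compare every byte instead of stopping at the first mismatch (no timing hint). */
static int ct_equal(const char *stored, const char *supplied) {
    size_t la = strlen(stored), lb = strlen(supplied);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la; i++)
        diff |= (unsigned char)(stored[i] ^ supplied[i % (lb ? lb : 1)]);
    return diff == 0;
}

login_result login_attempt(login_guard *g, const char *stored,
                           const char *supplied, uint32_t now) {
    if (g->locked_until != 0) {
        if (now < g->locked_until)
            return LOGIN_LOCKED;       /* refuse without checking the password */
        g->locked_until = 0;           /* lock period has passed */
        g->failures = 0;
    }
    if (ct_equal(stored, supplied)) {
        g->failures = 0;
        return LOGIN_OK;
    }
    if (++g->failures > MAX_FAILURES) {
        g->locked_until = now + LOCK_SECONDS;
        g->lock_events++;              /* hook point: raise the event to act upon */
        return LOGIN_LOCKED;
    }
    return LOGIN_BAD_PASSWORD;
}

int main(void) {
    login_guard g = {0};
    for (uint32_t t = 1; t <= 6; t++)  /* constructed run of wrong guesses */
        printf("t=%u result=%d\n", (unsigned)t, (int)login_attempt(&g, "s3cret", "guess", t));
    return 0;
}
```

While the lock is active even the correct password is rejected, so a brute-force run learns nothing until the period expires.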

Is the security industry prepared for a breach in cybersecurity?

Do we, as an industry, address these issues? I’d say that at the moment very few companies are addressing this level of detail (but I bet some will now!). The industry is changing, and there is a lot of focus on identity fraud and preventing physical access to buildings; however, we now need to look at what can happen when people take over the access control system remotely – open doors (or even lock personnel inside). It is fairly easy to utilise “off-the-shelf” embedded processing boards and build an embedded device with no security. Unless you work within the security field you might not even think of these threats and just concentrate on the application.

Ways to tackle cyber-threats

So how do we address this? Companies need to increase the knowledge within their business on the range of cyber-vulnerabilities and keep abreast of what is happening within the threat landscape. Adoption of policies such as Cyber Essentials, a key Government requirement for those supplying them, as well as increased security policies such as ISO27001 and membership of bodies such as the Cyber-security Information Sharing Partnership (CiSP) should be the norm for anyone working within the security field. Unfortunately, this is not the case.

All companies should increase their cyber knowledge and ensure that there is a security specialist within the development teams. Increased testing of embedded devices through the likes of penetration testing also helps to identify vulnerabilities and, once resolved, increases security.

These are interesting times, and even more challenging than in the past because the attack landscape is constantly evolving. As an industry, we need to work together to share knowledge and experience that will keep us one step ahead of the attackers.

Author profile

Mike Sussman Technical Director, TDSi

An innovative Technical Director with a strong grasp of all aspects of a business, Mike Sussman specialises in software development and systems integration to provide interoperable systems that deliver business benefit and efficiency improvements.
