Small steps in securing the IoT

  • July 14, 2024
  • Steve Rogerson

Warwick University in the UK has set up a department to provide IoT security testing. Steve Rogerson had a chat with its principal engineer Miroslaw Malinowski.

Miroslaw Malinowski demonstrates the automotive simulator at the recent Aesin conference in the UK.

One of the big problems when it comes to security with the IoT is not what we do tomorrow but what we did last year or even five years ago. There are millions of IoT devices already out there that do not have the capability to be upgraded with the latest security patches.

These devices are often left to do their jobs without maintenance or updates and if someone now or in three years’ time finds a vulnerability, it can be exploited, and that can be used as a gateway to an organisation.

It was against this background that about a year ago researchers at the University of Warwick in the UK set up a laboratory to offer end-to-end security resilience testing for IoT devices. It was initially for internal use within the university’s WMG manufacturing group (warwick.ac.uk/fac/sci/wmg) but has since expanded to offer such services externally.

The laboratory is called IoT-Setec, which is an acronym for IoT Security Operational Test & Evaluation Centre, and last week I had a chat with its principal engineer Miroslaw Malinowski.

“The idea was a facility to do research and security testing for IoT devices,” said Miroslaw. “All the parts within WMG use IoT devices and have engineers to set them up but may lack expertise in security, so now they can use our expertise.”

They found there were not many laboratories in the UK that could do end-to-end testing for IoT devices.

“Not many people are taking security with IoT devices seriously or considering that they could be an entry point to their network,” he said. “You could buy a £50 router or network switch but testing that can cost £1000, so people don’t do a proper assessment because it is too expensive. We can provide security testing for this.”

As an example, Miroslaw told me they were working with some medical IoT devices to do risk assessment and vulnerability testing. This could be a wearable that gathers data and sends it to a mobile phone and onto to the cloud.

“So how can you create a risk model on such a diversified system?” he said. “That is what we do.”

As another example of the type of work they take on, he showed me an automotive simulator that looks at low level data such as braking and torque. This was being used as part of the University of Cambridge’s Cheri project – another acronym for Capability Hardware Enhance Risc Instructions (www.cl.cam.ac.uk/research/security/ctsrd/cheri) researching memory errors that can provide access to operating systems within IoT and automotive.

“You can exploit these errors,” he said. “These are the worst errors because they can give you direct access to the operating system.”

At the moment, IoT-Setec has five people, but the operation is part of a larger cyber research facility at the university with 40 people.

“We have ambitious plans for the lab to grow,” Mirolsaw said. “We want it to be busy all the time, but it is still early days. We have had funding and we have done a couple of projects to show we can deliver, and now we are open for business. We can provide the expertise to show a device is secure and do all the testing that is required.”

He said a vendor may not know all the components used to build a product: “We can help,” he said.

And such help is needed as much of the IoT exists in small, often forgotten sensors at the edge of networks. Many have little room for security and low or no capability for upgrades, yet can be a route for bad actors to access more critical systems. I have come across the WMG at Warwick University many times and been impressed with the innovative work they do in the automotive field. It is so nice to see them applying some of that talent to securing the IoT.