Internet of things devices have been plagued by security issues and unfixed vulnerabilities for more than a decade, fueling botnets, facilitating government surveillance, and exposing institutional networks and individual users around the world. But many manufacturers have been slow to improve their practices and invest in raising the bar. At the Black Hat security conference in Las Vegas today, researchers from Panasonic laid out the company’s strategy for improving IoT defenses based on a five-year project to gather and analyze data on how the company’s own products are attacked.
The researchers use Panasonic home appliances and other internet-connected electronics made by the company to create honeypots that lure real-world attackers to exploit the devices. This way Panasonic can capture current strains of malware and analyze them. Such IoT threat intelligence work is rare from a legacy manufacturer, but Panasonic says it would like to share its findings and collaborate with other companies so the industry can start to compile a broader view of the latest threats across products.
“Attack cycles are becoming faster. And now the malware is becoming all the more complicated and complex,” says Yuki Osawa, chief engineer at Panasonic, who spoke with WIRED ahead of the conference through an interpreter. “Traditionally, IoT malware is rather simple. What we are afraid of most is that some kind of a cutting-edge, most advanced type of malware will also target IoT. So there is importance to protect [against] malware even after the product is shipped.”
Panasonic calls its efforts to track threats and develop countermeasures “ASTIRA,” a portmanteau of the Buddhist demigods known as “asura” and “threat intelligence.” And insights from ASTIRA feed into the IoT security solution known as “Threat Resilience and Immunity Module,” or THREIM, which works to detect and block malware on Panasonic devices. In an analysis of Panasonic products running ARM processors, Osawa says, the malware detection rate was about 86 percent for 1,800 malware samples from the ASTIRA honeypots.
“We use the technology to immunize our IoT devices just like protecting humans from the Covid-19 infection,” Osawa says. “These anti-malware functions are built in, no installation required and [they] are very lightweight. It doesn’t affect the capability of the device itself.”
Osawa emphasizes that the ability to push patches to IoT devices is important—a capability that is often lacking in the industry as a whole. But he notes that Panasonic doesn’t always see firmware updates as a feasible solution to dealing with IoT security issues. This is because, in the company’s view, end users don’t have adequate education about the need to install updates on their embedded devices, and not all updates can be delivered automatically without user involvement.
For this reason, Panasonic’s approach melds shipping patches with built-in malware detection and defense. And Osawa emphasizes that Panasonic views it as the manufacturer’s responsibility to develop a security strategy for its products rather than relying on third-party security solutions to defend IoT. He says that this way, vendors can determine a “reasonable level of security” for each product based on its design and the threats it faces. And he adds that by deploying their own solutions out of the box, manufacturers can avoid having to share trade secrets with outside organizations.
“Manufacturers ourselves have to be responsible for developing and providing these security solutions,” Osawa says. “I’m not saying that we’re going to do everything ourselves but we need to have a firm collaboration with third-party security solution vendors. The reason why we make it built in is that inside of the devices, [there are] secrets and we don’t have to open it. We can keep it black box and still we can provide the security as well.”
Developing threat intelligence capabilities for IoT is a crucial step in improving the state of defense for the devices overall. But independent security researchers who have long railed against IoT’s black box model of security through obscurity may take issue with Panasonic’s strategy.