Tuesday, June 6, 2017

The Internet of Vulnerable Things

Introduction


Technological progress is resulting in computing systems that are smaller, cheaper and consuming less power. These micro-computing systems are able to be integrated into everyday objects; when coupled with ubiquitous wireless connectivity these devices form the “Internet of Things”. The IoT has the potential to improve our lives, but only if we correctly manage the security risks which are inherent to these devices.

Gartner tells us that 6.4 billion internet connected devices were in use worldwide in 2016, and that figure will reach 20.8 billion by 2020. That equates to nearly 10 million new devices being connected every single day for the next 4 years, massively expanding the potential attack surface of unsecured devices. As businesses deploy these systems to make decisions about operational improvement, or build their business strategies around the IoT, we must consider the vulnerability of the devices and the veracity of the data they generate.

IoT security interests Cisco and Talos greatly. As part of our goal to force the bad guys to innovate, we seek out and work with vendors to fix vulnerabilities before they can be abused. For example, we identified hard coded credentials within Trane thermostats. If discovered by a threat actor, they could have remotely logged into the thermostats and gained complete control of the devices. From there they would be able to conduct reconnaissance of local networks to launch attacks. We developed protection for our customers, and held off disclosing the vulnerability until the vendor released a patch to resolve the issue.

An insecure IoT device connected to a corporate network is just another computer that can offer a point of ingress for attackers. Once compromised, an attacker can use an IoT device to gather information from the network or launch attacks against other systems. However, unlike most networked computers, the IoT device is unlikely to have anti-virus software or security software installed on it. This means that an attacker can lurk there for extended periods with little risk of discovery.

Criminals are aware of the opportunities posed by the IoT. They have “recruited” poorly secured IoT devices to form the Mirai botnet, which launched the largest denial of service (DoS) attack in history, using the stolen computing power and Internet connectivity of insecure devices to disrupt services offered by Twitter, Paypal, Spotify and other sites off and on over an entire day. Criminals have also compromised vulnerable digital video recorders used in closed-circuit television (CCTV) systems. Not to wipe incriminating video surveillance footage, but to install malware to steal processing capacity and use it to mine bitcoins in order to make money.

Not only may the devices themselves be vulnerable, but the systems that use data collected from IoT devices can be leveraged to conduct some interesting attacks. For example, a team of Israeli researchers discovered that they could fool traffic information systems into believing that there was a fake traffic jam by spoofing traffic data from bogus IoT devices.

Insecure IoT devices that interact with the physical world can be compromised to alter their function. For example, electronic hotel locks allow visitors to use keycards to access their rooms. However, the communications port on these devices can be hacked to take advantage of inadequate security features on the lock to allow anyone with the necessary knowledge to open the door without a key.

Even unlikely items such as toys and homeware can be considered as IoT devices, and found to include network vulnerabilities. Hackers can compromise a connected Barbie to spy on you, and subvert baby monitors to monitor you and your children. You can even be “watched” through your Smart TV.

Pressures Lead to IoT Security Issues


As the world builds the infrastructure and deploys the devices that comprise the IoT, we as a society have the opportunity to apply the decades of good practices learnt as part of the development of the Internet – including painful lessons about the importance of security.

The premise of the IoT is built upon the idea of deploying many cheap, Internet-connected devices in many places. As the market develops, manufacturers are hurrying to bring devices to market at the lowest price possible, and few buyers are insisting upon security requirements as part of their procurement processes. This means that many IoT products are sold containing known vulnerabilities without, or with little thought to, how updates can be applied to devices in order to remediate security issues.

Considering security issues early in the design phases means that protection can be built-in within a system. Every feature of an IoT system – from the device itself, to the wireless communications, to the user interface, to the management interface – are associated with weaknesses which are well known and characterized. Similarly, defenses against these types of weaknesses are also well known. Specifying that security is a requirement for a system, and pinpointing the types of protection that are needed, leads to a system that is more resilient and less likely to be compromised, less likely to suffer major losses when a compromise occurs and easier to update to remediate issues when they are discovered.

Not addressing security issues comes at a heavy cost. Installing insecure electronic locks means that the locks might as well not be there. They can be hacked to open for anyone. Deploying insecure devices that connect to a corporate network is like leaving an office door unlocked overnight, allowing anyone to creep in and take what they wish. Vulnerable IoT products may be banned outright, e.g. the Internet-connected doll, Cayla, in Germany.

Security issues present in many forms. Resolving any single issue first requires awareness of the problem, an understanding how the issue has come about and how it can be remediated or mitigated against. Only then can we put the correct security strategy in place.

Software vulnerabilities are one such security issue affecting the IoT. Talos has a dedicated team hunting for software vulnerabilities in IoT and other systems. When we find a new vulnerability, we follow our published Responsible Disclosure Policy to ensure that our customers are protected and that the problem gets fixed. By sharing these findings, we can inform and protect the community at-large and contribute to the discussion on securing the IoT.

“Tricking” The IoT


Anyone who has been involved in writing code, or ensuring that an IT project is completed as required, on time, and on budget, will agree that writing software is hard. Creating software-based systems that meet requirements is difficult enough. To be secure, the system must not only do what it is supposed to do, but never do anything else.

Vulnerabilities are simply weaknesses in a system that can be used to “trick” a system into doing something that it wasn’t supposed to do. Often, vulnerabilities lurk undiscovered because we need a specific set of circumstances to find them, i.e. we won’t encounter them unless we specifically probe for them. Once an adversary discovers them, they gain access to resources and data, or even the ability to run code in ways that the system designers never imagined or wanted.

Any system containing software will almost certainly include vulnerabilities. In this respect, the IoT is no different from any other computer device. Continuously considering security as part of the requirements, system design and development will help identify potential mistakes early so that they can be rectified. The further down the development process that a security issue is identified, the more expensive it is to fix.

Despite best efforts, it is almost certain that a final system will contain vulnerabilities. Encouraging the responsible disclosure of vulnerabilities combined with a rapid “fix” process helps minimize risk and exposure to harm. It also means that the software engineering community can learn for the mistakes of others and not make the same mistakes twice.

IoT Risks In Real Life


One of the key issues that Talos sees time and again is hard coded usernames and passwords within systems. When discovered, an attacker can uses these to gain access to all the devices that share these default credentials across the world. Just last year we disclosed this exact issue within Trane thermostats. We worked with Trane to ensure that the problem was fixed.

IoT systems require management interfaces to control the operation of the devices, and to process collected data. In addition, we recently discovered a way that attackers could take control of an IoT installation controlled by LabVIEW and also found how attackers can exploit an Aerospike database to take control of the platform.

What Needs to Change


Nothing will change unless people are aware of the issue. Being open about vulnerabilities when they are encountered helps users consider their own security requirements and assess additional security features that they may wish to deploy. It helps them prioritize their patching regimen, or even better, simply inform them as to why an automated system update has been applied. Keeping quiet about security issues benefits nobody except attackers who wish to use the vulnerability to attack systems.

Vendors must ensure that the software they develop is designed, developed and tested to be as secure as possible. Despite best efforts, hackers will discover vulnerabilities and systems will need to be patched. Making the patching process as quick and easy as possible (preferably automated) enables the distribution of security updates, with new features and functionality. For businesses and consumers to truly embrace the convenience and power of IoT, they must feel fully confident that we’re building IoT with security foremost in mind.

Protecting Your Systems


The upshot: Make security part of the procurement process. Ask vendors about how they discover and resolve vulnerabilities. If their answers don’t meet your expectations, don’t make the purchase.

Segment networks that contain IoT devices. There is no need to have a potentially vulnerable connected thermostat on the same network as your customer database. Separate networks so that, if a device does become compromised, the potential for damage is limited.

Protect IoT devices with appropriate network security measures. IoT devices are computers and require the same security measures as any other networked machine. Protect them with firewalls to block unpermitted network connections, and use IDS/IPS systems to block and alert on the presence unauthorized network traffic.

Plan how you will keep systems fully patched, how you will learn about required patches, and what you will do if a vendor is unwilling or unable to release a patch.

Don’t overlook management systems. Databases and dashboards are associated with many security risks, notably that of authenticating users and assuring the integrity of data collection. Verify that a single compromised device can’t result in the leakage or deletion of your entire database. Similarly, ensure that a graphical front end isn’t vulnerable to Cross Site Scripting (XSS) attacks that could lead to an attacker gaining access to sensitive systems.

Conclusion


IoT systems have the capability to make great changes to our professional and personal lives. The IoT has the capability to reduce waste, improve efficiency, and create new markets through new opportunities and newly gathered data.

In other words, the IoT will enable our societies to grow, progress and improve. But we must feel confident in the security of these devices to fully realize their benefits. We know how IoT systems can be attacked and subverted. We know the consequences of such attacks, and we know how these attacks can be defended and mitigated against.

Society can protect IoT systems from harm, but only if that protection is insisted upon by those who are deploying, purchasing and delivering the systems. Buyers must demand better security, and manufacturers must understand the gravity of the situation. No longer can they simply strive to be first to market; they must also strive to be the safest to market. If we all start demanding better security, manufacturers will make safety a priority.

2 comments:

  1. The best translation I've heard of "IoT" is "Internet of Trash". And it's true. As companies try to get their products out the door faster and cheaper than they competitor, security is often overlooked and guidelines not followed. Disappointed when reading the referenced article regarding Trane's thermostats that they took so long to respond/patch their devices. It will be interesting to see what other horror stories and attacks we will see over the next few years as we climb up to that 20B device count.

    ReplyDelete
  2. Excellent write up. The TALOS Blog is very clear and concise. Others should follow.....

    ReplyDelete

Post a Comment