I attended my second consecutive RSA conference this year and was again excited by the depth and breadth of the cybersecurity topics discussed. As expected, information security remains an enormous hurdle for organizations, institutions, businesses, and government agencies alike. As with last year’s conference, Internet of Things (IoT) security remained a smaller part of the overall discussion surrounding cybersecurity. Despite this limited coverage, however, IoT security continues to gain traction and visibility as a topic that demands greater recognition within the context of comprehensive security solutions.
International IoT security pressures
As the call for greater security among IoT implementations continues to evolve, countries are beginning to develop their own answers to these issues. Mihoko Matsubara, the Chief Cybersecurity Strategist at Japan’s NTT Corporation, presented her findings on Wednesday morning regarding her country’s application of security solutions to IoT security gaps. Matsubara argued that a great source of the pressure to address IoT vulnerabilities has stemmed from the need to provide security for the upcoming 2020 summer Olympics in Tokyo. Such an enormously prominent gathering of the international community, combined with a huge surge in tourism and business development surrounding the event, demands security in many forms. While physical security is an absolute requirement, in the modern age information security is equally important. Furthermore, the event is also an opportunity for Japan to promote its technological capabilities on the global stage.
Another driving factor for Japan to address IoT security stems from the overall decline in the nation’s population. Moreover, many of the country’s citizens are aging out of the workforce. This has created a scenario in which there is greater demand for services than there is viable manpower able to fulfill these needs. As a result, Japan has begun adopting robotics to automate many of the duties typically performed by a human. One example Matsubara provided was the opening of the first completely unmanned 7-11 store in December of 2018. Utilizing facial recognition technology for its self-checkout system, the store is able to continue to cater to the citizens of Tokyo despite the growing labor shortage.
In response to these challenges, Japan has had to consistently evolve its cybersecurity strategies. The nation developed an IoT Security Guidelines framework in 2016, which grew out of collaboration among government, academia, and industry experts. To further promote these secure practices, the country developed a tax incentive plan for businesses and industry leaders that adhered to the framework. Japan has also recognized the demand for a fusion of security in both the physical and cyber domains. In 2017, this culminated in the government engaging in a large-scale effort to scan domestic IoT devices for vulnerabilities. Publishing its findings in 2018, the country reported that nearly half of the 150 vulnerable devices discovered provided the identity of their respective users. Of those 77, roughly half of the users were able to be contacted by government officials to address the vulnerabilities. This has been bolstered by the recent passage of several pieces of government legislation designed to allow easier discovery and disclosure of data related to IoT security vulnerabilities through the Information and Communication Technology (ICT) Information Sharing & Analysis Center (ISAC).
Mobile security remains a hurdle
When it comes to the war for mobile device supremacy, there are two clear victors. According to IHS Markit’s Smartphone Intelligence Service, Apple’s iOS and Google’s Android OS easily control over 95% of the total global smartphone market share, with Android usage representing the lion’s share. Aaron Turner, CEO of secure messaging platform Hotshot, spoke to a gathering on Wednesday afternoon about how the vulnerabilities present in these devices continue to plague enterprise security. Turner showed how a lack of updated devices allows even vulnerabilities that have already been fixed to remain a threat to end users. For both of the dominant mobile operating systems, updates and patches are released with relative regularity, not only to introduce new features but also to address discovered security flaws. However, these patches can only fix the vulnerabilities if users actually install them on their devices. What makes matters even worse is that many organizations are still using and relying on devices so out of date that they are incapable of installing the most recent operating system patches at all.
Turner elaborated on this problem by showing the frequency with which iOS and Android devices have been updated in their respective environments. For the manufacturing, logistics, hospitality, and retail markets, Android remains the leader. Nevertheless, more than 70% of these Android devices had gone longer than sixty days without receiving a patch. For information-centered businesses, Apple devices dominate the landscape. However, Turner argued that more than half of these iOS devices also hadn’t been updated in over two months. This poor patch management strategy is one of the prime culprits behind mobile security compromises. Among the most dangerous of these exploits are what are called commodity exploits, named for their value on the underground mobile exploit market. As these exploits are typically discovered within a month after an update is released, any device not updated in that same window is susceptible to the vulnerability. Such exploits may be able to grant the attacker kernel-level access, as well as all credentials held on the device.
With kernel-level access to a vulnerable device, even workplace device management solutions like Microsoft’s Intune can be rendered ineffectual. This is not to dismiss the importance of these solutions, only to show that such services can be moot when it comes to securing a device with an outdated and vulnerable operating system. Implementing a comprehensive patch management strategy is the only effective, tangible solution going forward. In order to protect an organization’s resources, enforcement policies need to be put in place that only allow devices with the most current security updates to access the organization’s internal assets.
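To make the enforcement policy described above concrete, here is an added example (not code from the talk or from any device management product) of a patch-compliance gate: it refuses access to any device whose last security update is older than the sixty-day window Turner’s figures used, or whose OS version is below a minimum the organization sets, and it produces the per-platform stale-device percentages that such a policy is typically reported on. The minimum versions, the device records and the evaluation date are constructed placeholders, not vendor data.

```python
from dataclasses import dataclass
from datetime import date

# Sixty days: the staleness threshold used in the talk's fleet statistics.
MAX_PATCH_AGE_DAYS = 60

# Minimum OS versions an organization chooses to accept. Assumed placeholder
# values for the example; a real policy would track vendor support windows.
MIN_VERSION = {"ios": (12, 0), "android": (9, 0)}


@dataclass
class Device:
    device_id: str
    platform: str        # "ios" or "android"
    os_version: tuple    # e.g. (12, 2)
    last_patch: date     # date the last security update was installed


def evaluate(device, today):
    """Return (allowed, reasons). Access is allowed only if no reason is recorded."""
    reasons = []
    if device.platform not in MIN_VERSION:
        reasons.append("unknown platform")
    elif device.os_version < MIN_VERSION[device.platform]:
        # A device below the floor may no longer be able to install current patches.
        reasons.append("os version below minimum")
    age_days = (today - device.last_patch).days
    if age_days > MAX_PATCH_AGE_DAYS:
        reasons.append(f"last patch {age_days} days ago exceeds {MAX_PATCH_AGE_DAYS}-day limit")
    return (not reasons, reasons)


def fleet_report(devices, today):
    """Per platform: (total, stale_count, stale_percent), mirroring the talk's figures."""
    totals, stale = {}, {}
    for d in devices:
        totals[d.platform] = totals.get(d.platform, 0) + 1
        if (today - d.last_patch).days > MAX_PATCH_AGE_DAYS:
            stale[d.platform] = stale.get(d.platform, 0) + 1
    return {p: (n, stale.get(p, 0), 100.0 * stale.get(p, 0) / n) for p, n in totals.items()}


# Constructed sample inventory for the demonstration.
TODAY = date(2019, 3, 8)
FLEET = [
    Device("a1", "android", (9, 0), date(2019, 2, 20)),   # 16 days old: compliant
    Device("a2", "android", (8, 1), date(2018, 11, 1)),   # old OS and 127 days stale
    Device("i1", "ios", (12, 1), date(2018, 12, 15)),     # 83 days stale
    Device("i2", "ios", (12, 2), date(2019, 3, 1)),       # 7 days old: compliant
]

if __name__ == "__main__":
    for d in FLEET:
        print(d.device_id, evaluate(d, TODAY))
    print(fleet_report(FLEET, TODAY))
```

The gate is deliberately a pure function of inventory data so it can sit in front of a VPN, an identity provider's conditional-access hook, or a nightly report; the two signals it checks (OS floor and patch age) are exactly the ones the talk identified as leaving devices exposed to commodity exploits.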
More connections, more problems
As the number of IoT devices grows each and every day, so too does the threat landscape itself. Each individual IoT device provides another node of connection for nefarious actors to compromise not only the device, but the connected networks as well. Ken Munro, a partner at Pen Test Partners, addressed attendees on Thursday morning about the systemic flaws present in much of the IoT manufacturing ecosystem. He began his discussion by talking about a Wi-Fi enabled tea kettle available on the market that comes with its own mobile app. This gives the end user the convenience of setting the kettle to boil from their mobile device. However, Munro’s team discovered that the root password for the system was stored in the clear on the device. Even after the manufacturer was notified of the flaw, they dismissed the vulnerability because they believed such a compromise would require specialist knowledge. However, many of these devices are geographically trackable with services like Wigle.net or Shodan, which increases the overall likelihood of compromise. The iKettle manufacturer eventually released a more secure version. Unfortunately, this is just one of countless IoT devices developed through insecure practices, and their number is accelerating.
Millions of smart watches utilizing the same Application Programming Interface (API), designed to allow parents to track their children, can also allow an attacker to spy on a child’s whereabouts silently, due to the Insecure Direct Object References present in the device’s web interface. Children’s toys like the talking My Friend Cayla doll have negligible security measures to prevent someone from tampering with the “anti-swearing process”. Even cars are now data centers on wheels, and inherent problems within vehicle telematics service platforms (TSPs) designed to share private keys are being discovered as well. Munro went on to highlight that it was these systemic flaws that allowed the 2016 Mirai “botnet” to infect hundreds of thousands of devices and become the single largest destructive IoT attack in history. However, Munro showed that upon further investigation, Mirai v1 was primarily a botnet focused on vulnerable DVR systems. All of the major DVR vendors had used firmware from the same provider, XiongMai. XiongMai’s makepack tool allowed vendors to customize the branding of their respective DVR devices. As a result of the insecure customization details offered through this package, default credentials could be discovered and used to compromise each device.
Some of the systemic flaws Munro mentioned arise from issues that are well within the control of the vendors. APIs used by IoT devices need proper authorization and verification, and any hard-coded back-door configurations must be removed. Remote code execution needs to be disabled, and any credentials stored on the device must be encrypted. Additionally, the end users of IoT solutions need to take a holistic approach to their IoT ecosystem. There needs to be a designated security structure in place to determine whose shoulders bear the responsibility for maintaining these devices. Lastly, there are several organizations dedicated to the adherence of specific information security standards. These standards can help provide a solid foundation from which to build a secure IoT implementation strategy.
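The Insecure Direct Object Reference behind the smart-watch tracking flaw, and the “proper authorization” Munro called for, are easiest to see side by side. The following is an added illustration written for this post, not code from Pen Test Partners or from any watch vendor: a minimal location API in which the insecure handler looks up a watch purely by its identifier, while the hardened handler also checks that the authenticated account owns that watch and records every refused lookup so that enumeration attempts show up in logs. The watch records, account names and coordinates are constructed sample data.

```python
# Constructed sample data: each watch is bound to the parent account that enrolled it.
WATCHES = {
    "watch-1001": {"owner": "parent-a", "last_fix": (51.50, -0.12)},
    "watch-1002": {"owner": "parent-b", "last_fix": (48.86, 2.35)},
}

# Audit trail of refused lookups (watch id, requesting account); feeds detection.
DENIED = []


def location_insecure(session_user, watch_id):
    """Vulnerable: the authenticated user is ignored, so any caller who can guess or
    increment a watch id reads that child's position (an IDOR)."""
    record = WATCHES.get(watch_id)
    if record is None:
        return (404, None)
    return (200, record["last_fix"])


def location_secure(session_user, watch_id):
    """Hardened: the object is released only to the account that owns it. Missing and
    foreign watches get the same response so the id space cannot be enumerated."""
    record = WATCHES.get(watch_id)
    if record is None or record["owner"] != session_user:
        DENIED.append((watch_id, session_user))
        return (404, None)
    return (200, record["last_fix"])


def handle(request, handler):
    """Tiny request dispatcher standing in for the web framework. `request` is a dict
    with the session's authenticated user and the path /api/watch/<id>/location."""
    parts = request["path"].strip("/").split("/")
    if len(parts) != 4 or parts[:2] != ["api", "watch"] or parts[3] != "location":
        return (400, None)
    return handler(request["user"], parts[2])


def suspicious_accounts(threshold=3):
    """Accounts with at least `threshold` refused lookups: a simple enumeration signal."""
    counts = {}
    for _, user in DENIED:
        counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    req = {"user": "parent-a", "path": "/api/watch/watch-1002/location"}
    print("insecure:", handle(req, location_insecure))   # leaks parent-b's child
    print("secure:  ", handle(req, location_secure))     # refused
```

The fix is a single ownership comparison, which is why this class of bug is so often missed: the framework authenticates the session correctly, and the vulnerability is purely that the handler never asks whether the authenticated user is allowed to see this particular object.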
Supply chain security remains a top priority
Due to the ease with which IoT devices can be distributed, and the sheer scale of their exponentially rising numbers, ensuring the security of the device supply chain is a fundamental issue. Daniel Kroese, an Associate Director at the United States (US) Department of Homeland Security (DHS), told an audience on Friday morning how Cybersecurity Supply Chain Risk Management (C-SCRM) has established itself as a primary security concern for the protection of the nation’s critical infrastructure. The effort to address supply chain security risks is being orchestrated by the DHS through the Cybersecurity and Infrastructure Security Agency (CISA). As a result of the increased visibility of this concern, 2018 saw the enactment of the Federal Acquisition Supply Chain Security Act. This legislation (S. 3085) established a Federal Acquisition Security Council to assist in mitigating the supply chain risks present in information technology (IT) procurement.
With nearly USD 100 billion worth of IT equipment purchased each year by the US Federal Government, any vulnerabilities present in such systems can pose enormous threats to national security. In response, CISA has sponsored an Information and Communication Technology (ICT) Supply Chain Risk Management Task Force to develop comprehensive solutions to this epidemic. The task force is composed of roughly 40 of the largest vendors in the IT and communications sectors, as well as 20 supply chain leaders from across the federal government. Kroese pointed out an additional value of such a task force: its ability to establish a highly visible “North Star” that other organizations can use to structure their own practices. For example, the Kaspersky Labs Binding Operational Directive (BOD) issued in 2017 was followed by several companies outside the scope of the BOD mandate.
While IoT vulnerabilities can stem from a vast array of flaws, Kroese went on to identify key thresholds within the acquisition lifecycle of IoT devices where security needs to be a primary consideration. Kroese endorsed the adoption of a smart IoT acquisition framework that would give end users a stronger baseline for ensuring their purchasing practices for IoT equipment are fundamentally more secure. The crux of the framework demands that potential IoT cybersecurity concerns be recognized throughout the entire acquisition lifecycle. Furthermore, he stressed that the entire acquisitions team needs to have access to and knowledge of the risk-informed decision-making methods used when purchasing, deploying, and sustaining IoT. Lastly, a risk management lens needs to be applied throughout the analysis of the entire supply chain. With these steps in mind, any organization can greatly reduce its own threat landscape.
Compromises have tangible consequences
The IoT Village has been a consistent mainstay of the RSA Conference for several years. Organized by Independent Security Evaluators (ISE), the IoT Village is the primary section of the entire conference dedicated to all things IoT. One of the primary services ISE provides is hardware penetration testing. Through this practice, ISE seeks to expose any security flaws and vulnerabilities present in various devices. An unknown security flaw cannot be addressed, so through this discovery process the security measures on board the device are made stronger. As part of their exhibition, ISE presented several exploited devices that pose threats to the security of the IoT. Some of the exploits showcased physical hardware compromises, such as that of Network Attached Storage (NAS), and even a network router.
NAS systems are designed to provide simplified file sharing capabilities across a specific network. For this demonstration ISE used insecure NAS devices from both Drobo and Lenovo. ISE unveiled how an application vulnerability on the Drobo, and a server file misconfiguration on the Lenovo, could allow an attacker to not only read, but also modify files. ISE went on to further demonstrate how a vulnerable Asus router, which they had already compromised, could be used to redirect its connected users towards spoofed websites. As the users browse sites that are ultimately controlled by the attacker, they could be deceived into revealing sensitive information, such as filling out a form they believe is legitimate that requests their account credentials.
Of all the vulnerabilities ISE displayed in their expo, their exploit of a specific medical device was the most chilling. Using an Edan IM8 patient monitor, ISE demonstrated their ability to control how a patient’s vital signs were relayed to a connected makeshift “nursing station”. The presenters had me sit on an improvised hospital bed and attached a heart rate monitor to my finger. I watched as the monitor accurately recorded my pulse and relayed that information to the nurse’s computer. However, acting as an attacker with network access, ISE was able to intercept the transmitted signal and alter it to make it appear as if I had flatlined. Obviously, the ramifications of such a compromise are horrific; it could result in a deeply sedated or even comatose patient being unnecessarily shocked with a defibrillator. Even worse, ISE demonstrated how to make a patient who actually had no pulse appear alive and well on the nurse’s station. They were even able to alter the blood type displayed for a patient, which could have lethal consequences. Such compromises would be disastrous for any medical facility.
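The demonstration above works because the station trusts whatever vitals arrive on the wire. The following is an added example written for this post, not ISE’s demo code and not the protocol of the Edan monitor or any real product: it shows the defender’s counterpart, a telemetry format in which the monitor appends an HMAC-SHA256 tag under a pre-shared key and the station rejects any frame whose tag no longer matches, logging an integrity alert instead of displaying the altered value; a sequence number lets it also refuse replayed frames. The key, the vital-sign values and the frame layout are constructed for the illustration.

```python
import hashlib
import hmac
import json

# Assumed pre-shared key provisioned to monitor and station out of band. Constructed
# demo value; a real deployment would use per-device keys and a key-management process.
KEY = b"constructed-demo-key-do-not-reuse"


def pack(vitals, seq, key=KEY):
    """Monitor side: serialize the reading with its sequence number and append an HMAC tag."""
    body = json.dumps({"seq": seq, **vitals}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class Station:
    """Nursing-station receiver: accepts a frame only if the tag verifies and the
    sequence number advances; otherwise records an alert and shows nothing."""

    def __init__(self, key=KEY):
        self.key = key
        self.last_seq = -1
        self.alerts = []
        self.display = None

    def receive(self, frame):
        body, sep, tag = frame.rpartition(b"|")
        if not sep:
            self.alerts.append("malformed frame")
            return None
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        # Constant-time comparison so the check itself leaks nothing about the tag.
        if not hmac.compare_digest(expected, tag):
            self.alerts.append("integrity failure: frame altered or forged")
            return None
        data = json.loads(body)
        if data["seq"] <= self.last_seq:
            self.alerts.append(f"replay: seq {data['seq']} already seen")
            return None
        self.last_seq = data["seq"]
        self.display = data
        return data


def tamper_heart_rate(frame, new_hr):
    """Stand-in for an on-path modification: rewrite the heart-rate field in the body
    without being able to recompute the tag (the attacker does not hold the key)."""
    body, sep, tag = frame.rpartition(b"|")
    data = json.loads(body)
    data["hr"] = new_hr
    return json.dumps(data, sort_keys=True).encode() + sep + tag


if __name__ == "__main__":
    station = Station()
    genuine = pack({"hr": 72, "spo2": 98}, seq=1)       # constructed reading
    print("genuine:", station.receive(genuine))
    print("altered:", station.receive(tamper_heart_rate(genuine, 0)))
    print("replayed:", station.receive(genuine))
    print("alerts:", station.alerts)
```

The integrity tag does not hide the vitals (that would need encryption, and in practice both would run inside a mutually authenticated TLS session), but it is the property the demo defeated: an attacker on the network can still drop frames, which the station should treat as a loss-of-signal alarm, yet can no longer substitute a flatline or a different blood type for the value the monitor actually sent.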
Despite relatively limited coverage at the conference, it is more than apparent that IoT cybersecurity concerns are beginning to gain both visibility and traction. Unfortunately, we still live in a very complacent society when it comes to securing internet-connected devices. The security landscape is often described as a game of “whack-a-mole”, with new flaws appearing as soon as any security solution is implemented. Many individuals and organizations alike still engage in reactionary practices instead of instituting proactive policies. This unfortunate scenario is likely to remain a challenge for many years to come. Similar to what Kroese presented with regard to the federal government, it will likely require a consensual shift in the hearts and minds of the general public. In the meantime, the regular education of the thousands of security professionals who attend RSA each year indicates that these shifts are occurring with greater frequency.