8/11/2015
01:00 PM
IoT Working Group Crafts Framework For Security, Privacy

Microsoft, Symantec, Target, home security system vendor ADT and others team up and issue security recommendations for some consumer Internet of Things things -- but embedded firmware remains a wildcard.

An industry working group that includes members from Microsoft, Symantec, Target, and home security system vendor ADT today issued draft recommendations for locking down the privacy and security of home automation and consumer health and fitness wearable devices with security practices such as unique passwords, end-to-end encryption of sensitive and personal information, and a coordinated patching and update mechanism, as well as other measures.

The Online Trust Alliance (OTA) Internet of Things Working Group hopes that IoT manufacturers, developers, and retailers will adopt the proposed guidelines, and is asking for industry input.

But the catch is that the embedded firmware in many IoT devices is not necessarily patchable, nor does the consumer device manufacturer necessarily have control or say over the security of the firmware it embeds in its products.

And as the recent hacking of the Jeep Cherokee demonstrated, where researchers were able to control the vehicle's steering, braking, and other features, the supply chain can be the weakest link. In the Fiat Chrysler case, it was a vulnerable communications port that was left wide open in the Harman uConnect infotainment system installed in the vehicles: cellular provider Sprint subsequently shut down port 6667, which the researchers used to access the Jeep's controls.

"It is a supply chain issue. If you look at the device, you are getting off-the-shelf firmware. How can you update it? Can you?" Craig Spiezle, executive director and president of OTA, says of home automation and consumer wearable devices. "Embedded firmware is a concern--we highlighted this [in the framework]. We aren't quite sure how best to do this: if that firmware can't be upgraded without a service technician coming out [to do it, for example] … How is that handled over time?"

The framework calls for IoT makers to have the ability to fix bugs quickly and reliably via remote updates or other notifications to consumers -- or even device replacement, if needed. And that item comes with this caveat: "It is recognized that some embedded devices' current design may not have this capability and it is recommended such update/upgradability capabilities be clarified to the consumer in advance of purchase."

Time is another factor with IoT devices. Networked thermostats, garage-door openers, and other in-home devices change hands when the house does, but the former residents could still have access. And what happens after the warranty expires on a smart device and there's a breach, Spiezle asks.

"We talk about not just security, privacy, and disclosure of the data that's collected, but also the lifecycle issues. How do they support [these devices] over time and beyond the warranty," he says.

The working group plans to finalize a formal IoT framework -- which includes some 22 minimum requirements plus a dozen optional additional measures -- and program around mid-November, after gathering input from Congress, the White House, Federal Trade Commission, and other entities.

Brian Knopf, an IoT security expert, says when he worked at Belkin, dealing with vulnerabilities in OEM'ed chipsets and firmware for its products was a big challenge. "We were not able to get access to their [the OEM's] code" if there was a bug discovery in the Belkin device, he says. "We were under NDA" due to their supplier relationship, he says.

That was problematic because an SDK from the chipset manufacturer often gets shipped with manufacturer backdoors and command-line interfaces, for instance, left there purposely, according to Knopf, a speaker last week at the first-ever IoT Village at DEF CON 23, and the former principal security advisor and researcher at Wink Inc.

But IoT vendors can avoid these issues at the get-go, says Nicholas Percoco, vice president of global services at Rapid7. "One approach they can take is get a bunch of OEM components, slap them together and sell it," he says.

A better approach would be to spell out the vulnerability issue with a firmware supplier in advance, Percoco says. "How do we get updates, what SLA [service level agreements] are for getting updates."

But the reality is that consumer IoT devices such as baby monitors ship with very old versions of the Linux kernel and OpenSSL, for example, Percoco says. "Is that poor systems development or being negligent? How hard is it to get the latest version of OpenSSL?"

Building Security Into IoT

IoT security isn't all about patching, however. IoT software and firmware suppliers can take a page from other software, Windows-based applications for example, and incorporate attack mitigation techniques such as Address Space Layout Randomization (ASLR), says Jacob Holcomb, senior security analyst with Independent Security Evaluators and one of the organizers of the DEF CON IoT Village.

Holcomb suggests adding ASLR or other protections such as inserting so-called canary values, which would protect the firmware from overflow attacks. "The overflow would terminate before it was exploited," he says.
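The canary mechanism Holcomb describes, as an added illustration that is not from the article: a guard word placed directly after a fixed-size buffer is checked before the parsed data is trusted, so an overrun is caught and processing terminated instead of continuing into exploitable territory. The frame layout, the fixed canary value and the helper names are assumptions for the demo; real toolchains (GCC's -fstack-protector) insert the equivalent check in the function epilogue and randomize the value.

```c
#include <stdint.h>
#include <string.h>

/* Constructed demo of a stack canary (not the article's code): a guard
 * word sits directly after a fixed-size buffer and is checked before the
 * parsed data is trusted. The fixed value is an assumption for the demo;
 * real builds pick a random canary at process start. */
#define BUF_SIZE      16
#define CANARY_VALUE  0xDEADC0DEu

struct guarded_frame {
    char     buf[BUF_SIZE];   /* local buffer a firmware parser fills */
    uint32_t canary;          /* guard word placed right after it */
};

/* Returns 1 if the guard word survived, 0 if a copy ran over it. */
int canary_intact(const struct guarded_frame *f) {
    return f->canary == CANARY_VALUE;
}

/* Models an unbounded copy into the frame, the kind of bug a canary is
 * meant to catch. Length is clamped to the frame size only so the demo
 * stays within defined behaviour; the real bug keeps writing. */
static void unbounded_copy(struct guarded_frame *f, const char *src, size_t n) {
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy((unsigned char *)f, src, n);   /* may overrun buf into canary */
}

/* Parses one message. Returns 0 when the frame is intact, -1 when the
 * canary check detects an overflow; the caller must then stop rather than
 * use the data (a stack-protector build would call abort() instead). */
int process_message(const char *msg, size_t len) {
    struct guarded_frame f;
    memset(&f, 0, sizeof f);
    f.canary = CANARY_VALUE;
    unbounded_copy(&f, msg, len);
    if (!canary_intact(&f))
        return -1;                        /* terminate before exploitation */
    return 0;
}

/* Constructed inputs: a well-formed 5-byte message and a 64-byte one. */
int demo_wellformed(void) { return process_message("hello", 5); }

int demo_overflow(void) {
    char big[64];
    memset(big, 'A', sizeof big);
    return process_message(big, sizeof big);
}
```

The oversized message overwrites the guard word with 0x41414141, so the check fails and the parser refuses to continue; the well-formed one leaves it intact.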

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

Ulf Mattsson, User Rank: Moderator
8/12/2015 | 9:06:13 AM
Security and Privacy
I'm concerned about the "security, privacy, and disclosure of the data that's collected." We know that a large volume of very sensitive IoT data is already collected and stored in Big Data environments, or shared with cloud-based services. Some good guidance can be found in recent reports from Gartner.

I recently read the Gartner Report "Big Data Needs a Data-Centric Security Focus" concluding "In order to avoid security chaos, Chief Information Security Officers (CISOs) need to approach big data through a data-centric approach." The report suggests that new data-centric audit and protection solutions and management approaches are required.

Gartner also released the report "Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data" in June 2015 that highlighted key challenges as "cloud increases the risks of noncompliance through unapproved access and data breach." The report recommended that CIOs and CISOs address data residency and compliance issues by "applying encryption or tokenization," and also "understand when data appears in clear text, where keys are made available and stored, and who has access to the keys."

Ulf Mattsson, CTO Protegrity