8/11/2015
01:00 PM
IoT Working Group Crafts Framework For Security, Privacy

Microsoft, Symantec, Target, home security system vendor ADT and others team up and issue security recommendations for some consumer Internet of Things things -- but embedded firmware remains a wildcard.

An industry working group that includes members from Microsoft, Symantec, Target, and home security system vendor ADT today issued draft recommendations for locking down the privacy and security of home automation and consumer health and fitness wearable devices with security practices such as unique passwords, end-to-end encryption of sensitive and personal information, and a coordinated patching and update mechanism, as well as other measures.

The Online Trust Alliance (OTA) Internet of Things Working Group hopes that IoT manufacturers, developers, and retailers will adopt the proposed guidelines, and is asking for industry input.

But the catch is that the embedded firmware in many IoT devices is not necessarily patchable, nor does the consumer device manufacturer necessarily have control or say over the security of the firmware it embeds in its products.

And as demonstrated in the recent hacking of the Jeep Cherokee, where researchers were able to control the vehicle's steering, braking, and other features, the supply chain can be the weakest link. In the Fiat Chrysler case, it was a vulnerable communications port that was left wide open in the Harman uConnect infotainment system installed in the vehicles: cellular provider Sprint subsequently shut down port 6667, which the researchers used to access the Jeep's controls.

"It is a supply chain issue. If you look at the device, you are getting off-the-shelf firmware. How can you update it? Can you?" Craig Spiezle, executive director and president of OTA, says of home automation and consumer wearable devices. "Embedded firmware is a concern--we highlighted this [in the framework]. We aren't quite sure how best to do this: if that firmware can't be upgraded without a service technician coming out [to do it, for example] … How is that handled over time?"

The framework calls for IoT makers to have the ability to fix bugs quickly and reliably via remote updates or other notifications to consumers -- or even device replacement, if needed. And that item comes with this caveat: "It is recognized that some embedded devices' current design may not have this capability and it is recommended such update/upgradability capabilities be clarified to the consumer in advance of purchase."

Time is another factor with IoT devices. Networked thermostats, garage-door openers, and other in-home devices change hands when the house does, but the former residents could still have access. And what happens after a warranty expires on a smart device and there's a breach, Spiezle asks.

"We talk about not just security, privacy, and disclosure of the data that's collected, but also the lifecycle issues. How do they support [these devices] over time and beyond the warranty," he says.

The working group plans to finalize a formal IoT framework -- which includes some 22 minimum requirements plus a dozen optional additional measures -- and program around mid-November, after gathering input from Congress, the White House, Federal Trade Commission, and other entities.

Brian Knopf, an IoT security expert, says when he worked at Belkin, dealing with vulnerabilities in OEM'ed chipsets and firmware for its products was a big challenge. "We were not able to get access to their [the OEM's] code" if there was a bug discovery in the Belkin device, he says. "We were under NDA" due to their supplier relationship, he says.

That was problematic because an SDK from the chipset manufacturer often gets shipped with manufacturer backdoors and command-line interfaces, for instance, left there purposely, according to Knopf, a speaker last week at the first-ever IoT Village at DEF CON 23, and the former principal security advisor and researcher at Wink Inc.

But IoT vendors can avoid these issues at the get-go, says Nicholas Percoco, vice president of global services at Rapid7. "One approach they can take is get a bunch of OEM components, slap them together and sell it," he says.

A better approach would be to spell out the vulnerability issue with a firmware supplier in advance, Percoco says. "How do we get updates, what SLA [service level agreements] are for getting updates."

But the reality is that consumer IoT devices such as baby monitors come with very old versions of the Linux kernel and OpenSSL, for example, Percoco says. "Is that poor systems development or being negligent? How hard is it to get the latest version of OpenSSL?"
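One practical way to act on Percoco's point before a device ships is to inventory the component versions baked into a firmware image, since kernel and OpenSSL builds usually leave version banners in the binary. The scanner below is an added example written for this page, not code from Rapid7 or the OTA framework; the image bytes are constructed inline, the function names (`find_version`, `version_key`, `openssl_is_stale`) are this example's own, and the baseline version passed to `openssl_is_stale` is whatever the reviewer decides is the oldest acceptable release. A banner can be stripped or absent, so a "not found" result is a prompt for manual review, not evidence that the library is missing.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Parsed "major.minor.patch" with an optional letter suffix (OpenSSL 1.0.1e). */
typedef struct { int major, minor, patch; char suffix; } version_t;

/* Scan a raw firmware image for `marker` (e.g. "OpenSSL " or "Linux version ")
   and parse the version string that follows it. Returns 1 on success, 0 if
   the marker is absent or not followed by a parseable version. */
int find_version(const unsigned char *img, size_t len, const char *marker, version_t *out) {
    size_t mlen = strlen(marker);
    for (size_t i = 0; i + mlen < len; i++) {
        if (memcmp(img + i, marker, mlen) != 0) continue;
        char tmp[32];                          /* NUL-terminated scratch copy */
        size_t n = len - (i + mlen);
        if (n > sizeof tmp - 1) n = sizeof tmp - 1;
        memcpy(tmp, img + i + mlen, n);
        tmp[n] = '\0';
        version_t v = {0, 0, 0, 0};
        int consumed = 0;
        if (sscanf(tmp, "%d.%d.%d%n", &v.major, &v.minor, &v.patch, &consumed) == 3) {
            char c = tmp[consumed];
            if (c >= 'a' && c <= 'z') v.suffix = c;   /* OpenSSL-style letter release */
            *out = v;
            return 1;
        }
    }
    return 0;
}

/* Collapse a version into one monotonically comparable integer; -1 if not found. */
long long version_key(const unsigned char *img, size_t len, const char *marker) {
    version_t v;
    if (!find_version(img, len, marker, &v)) return -1;
    return (long long)v.major * 100000000LL + (long long)v.minor * 100000LL
         + (long long)v.patch * 1000LL + (long long)v.suffix;
}

/* 1 if the image's OpenSSL is older than the reviewer's baseline, 0 if not,
   -1 if no OpenSSL banner was found (which deserves a manual look). */
int openssl_is_stale(const unsigned char *img, size_t len,
                     int bmajor, int bminor, int bpatch, char bsuffix) {
    long long found = version_key(img, len, "OpenSSL ");
    if (found < 0) return -1;
    long long base = (long long)bmajor * 100000000LL + (long long)bminor * 100000LL
                   + (long long)bpatch * 1000LL + (long long)bsuffix;
    return found < base ? 1 : 0;
}

/* Constructed stand-in for a firmware image: binary bytes around the kind of
   banners a kernel and an OpenSSL build leave behind. Not a real device dump. */
static const unsigned char FIRMWARE[] =
    "\x7f" "ELF\x01\x01\x01" "\x00\x00\x00\x00\x00"
    "Linux version 2.6.36 (builder@oem) #1 SMP" "\x00\x00"
    "libcrypto.so.1.0.0" "\x00"
    "OpenSSL 1.0.1e 11 Feb 2013" "\x00";

int main(void) {
    printf("kernel key : %lld\n", version_key(FIRMWARE, sizeof FIRMWARE, "Linux version "));
    printf("openssl key: %lld\n", version_key(FIRMWARE, sizeof FIRMWARE, "OpenSSL "));
    /* Baseline 1.0.2 (no suffix) is an example choice, not a statement of the current release. */
    printf("openssl stale vs 1.0.2: %d\n", openssl_is_stale(FIRMWARE, sizeof FIRMWARE, 1, 0, 2, 0));
    return 0;
}
```

Run it over an extracted rootfs or a raw flash dump instead of the constructed bytes; the same marker scan works for other components with a stable banner, and the integer key keeps letter releases (1.0.1e) ordered correctly against numeric ones (1.0.2).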

Building Security Into IoT

IoT security isn't all about patching, however. The IoT software and firmware suppliers can take a page from the book of other applications, namely Windows-based ones, for example, and incorporate attack mitigation techniques such as Address Space Layout Randomization (ASLR), says Jacob Holcomb, senior security analyst with Independent Security Evaluators and one of the organizers of the DEF CON IoT Village.

Holcomb suggests adding ASLR or other protections such as inserting so-called canary values, which would protect the firmware from overflow attacks. "The overflow would terminate before it was exploited," he says.
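To make the canary mechanism Holcomb describes concrete, here is an added example (written for this page, not code from Holcomb or Independent Security Evaluators) that simulates what a compiler emits with GCC's `-fstack-protector`: the guard word sits between the local buffer and the saved return address, so a linear overflow has to clobber the guard before it can reach the return address, and the check in the epilogue catches it. `frame_t`, `vulnerable_copy`, `bounded_copy` and the simulate helpers are this example's own names; the canary constant stands in for the per-process random guard that real toolchains draw from the kernel at start-up. The copy is clamped to the frame object so the demonstration itself stays within bounds; only the simulated frame is "overflowed". Canaries catch linear overflows that pass through the guard, which is why they are paired with ASLR rather than used alone.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame laid out the way a stack protector arranges one: local buffer below
   a guard word, saved return address above both. */
typedef struct {
    char buf[16];
    uint64_t guard;       /* the "canary" */
    uint64_t saved_ret;   /* stand-in for the saved return address */
} frame_t;

#define RET_SENTINEL 0x1122334455667788ULL
/* Constructed stand-in for the random per-process guard value. */
#define DEMO_CANARY  0xDEADBEEFCAFEF00DULL

enum { COPY_OK = 0, CANARY_TRIPPED = 1 };

/* Unbounded-copy pattern (an unsafe strcpy/memcpy into a fixed buffer)
   followed by the guard check a protected epilogue performs. */
int vulnerable_copy(const unsigned char *in, size_t len, uint64_t canary) {
    frame_t f;
    f.guard = canary;
    f.saved_ret = RET_SENTINEL;
    if (len > sizeof f) len = sizeof f;   /* keep the demo inside the frame object */
    memcpy(&f, in, len);                  /* overflow spills from buf into guard, then saved_ret */
    if (f.guard != canary) {
        /* A compiler-generated epilogue would call __stack_chk_fail and abort
           here: the overflow terminates the process before the corrupted
           return address is ever used. */
        return CANARY_TRIPPED;
    }
    return COPY_OK;
}

/* Hardened form: reject input that does not fit instead of overflowing. */
int bounded_copy(const unsigned char *in, size_t len, uint64_t canary) {
    frame_t f;
    f.guard = canary;
    f.saved_ret = RET_SENTINEL;
    if (len > sizeof f.buf) return -1;    /* refuse rather than truncate silently */
    memcpy(f.buf, in, len);
    return (f.guard == canary) ? COPY_OK : CANARY_TRIPPED;
}

/* Feed `len` bytes of filler through each copy routine and report the result. */
int simulate_overflow(size_t len) {
    unsigned char payload[64];
    memset(payload, 'A', sizeof payload);
    if (len > sizeof payload) len = sizeof payload;
    return vulnerable_copy(payload, len, DEMO_CANARY);
}

int simulate_bounded(size_t len) {
    unsigned char payload[64];
    memset(payload, 'A', sizeof payload);
    if (len > sizeof payload) len = sizeof payload;
    return bounded_copy(payload, len, DEMO_CANARY);
}

int main(void) {
    size_t lens[] = {8, 16, 17, 32};
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%2zu bytes: vulnerable=%d bounded=%d\n", lens[i],
               simulate_overflow(lens[i]), simulate_bounded(lens[i]));
    return 0;
}
```

Sixteen bytes fit and pass both routines; seventeen bytes trip the simulated guard in the unbounded version, while the bounded version refuses the input before any write happens. In a real build the equivalent protection is a compiler flag plus a position-independent link for ASLR, and a firmware build pipeline can verify both by inspecting the resulting binaries rather than trusting that an OEM SDK enabled them.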

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

Ulf Mattsson, User Rank: Moderator
8/12/2015 | 9:06:13 AM
Security and Privacy
I'm concerned about the "security, privacy, and disclosure of the data that's collected." We know that a large volume of very sensitive IoT data is already collected and stored in Big Data environments, or shared with cloud-based services. Some good guidance can be found in recent reports from Gartner.

I recently read the Gartner Report "Big Data Needs a Data-Centric Security Focus" concluding "In order to avoid security chaos, Chief Information Security Officers (CISOs) need to approach big data through a data-centric approach." The report suggests that new data-centric audit and protection solutions and management approaches are required.

Gartner also released the report "Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data" in June 2015 that highlighted key challenges as "cloud increases the risks of noncompliance through unapproved access and data breach." The report recommended that CIOs and CISOs address data residency and compliance issues by "applying encryption or tokenization," and also "understand when data appears in clear text, where keys are made available and stored, and who has access to the keys."

Ulf Mattsson, CTO Protegrity