Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

9/4/2014
06:10 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

4 Hurdles To Securing The Internet Of Things

Why locking down even the tiniest embedded device is a tall order.

Security is hard enough to master in the traditional enterprise network. Now add all types of devices on the Internet of Things, great (think cars) and small (think webcams and baby monitors), which were never built with cyber security in mind.

Internet-connected devices run the gamut from SCADA systems to consumer products, and security weaknesses in these products have been under the glare of the spotlight the past year as researchers have publicized major flaws. Some of the affected industries got their first taste of white-hat hacking as vulnerabilities were revealed in cars, pacemakers, road traffic systems, home automation systems, and airplanes. The big shift: Public safety is now part of the equation with some of these products.

Many come with purpose-built features that actually equate to security flaws: intentional backdoors, hardcoded credentials, unencrypted data traffic, and critical systems sitting on the same network as noncritical ones. Even after highly publicized presentations at Black Hat USA and DEF CON last month, many remain unfixed and vulnerable.

Just how enterprises can manage the onslaught of connected devices will also be a big topic next month at Interop New York. Kent Shuart, network security product manager for Dell SonicWall, will present a session titled "Next Line of Defense: Internet of Things."

[Public safety may finally force Internet of Things manufacturers to start taking security seriously. Read Internet Of Things Security Reaches Tipping Point.]

So why not just patch or update IoT devices or build them more securely? There are some big-time challenges in securing these consumer and other embedded systems:

1. There's often no consistent or official software update process or mechanism.
Malware on a Windows machine eventually gets discovered, but Marc Maiffret, CTO at BeyondTrust, says there is little or no visibility into IoT devices. "Nobody has visibility into these devices or what is the authenticity of the firmware" if there's an update to them.

Since many of these devices run on Linux-based platforms, he suggests that their software be managed by the open systems community, which can handle vulnerability and security updates. An IP camera or an SAN storage system, for instance, should have a regular Linux update mechanism. "They should be opened up so they are truly treated as Linux OS. Allow me to SSH into it securely" and manage it like any other Linux OS, he says.

Chris LaPoint, vice president of product management at SolarWinds, says he has three home IP cameras that aren't running up-to-date firmware. It's unclear if they contain vulnerabilities. "Even the setup instruction for a lot of these devices, and the configuration of security controls around them, and patching… How does that get managed?"

2. Many consumer product and other nontraditional IT vendors have little or no understanding of the cyberthreats embedded in their systems.
There's a major disconnect between many of these embedded device manufacturers and the security community. Take the satellite terminal vendor community. Ruben Santamarta, a principal security consultant at IOActive, has found hardcoded passwords, backdoors, and insecure protocols in these devices that could allow attackers to hijack and disrupt communications links to ships, airplanes, and military operations. His findings were reported by the CERT Coordination Center to the vendors in January.

Fast forward to Black Hat USA, where Santamarta provided more details of his findings and revealed that the affected vendors have no plans to patch or fix the flaws he found. Some of the vendors contend that the issues aren't flaws, but necessary features in their products.

Santamarta's colleague Cesar Cerrudo, CTO at IOActive, had a similar experience when he found security holes in vehicle traffic control equipment. The manufacturers of the smart sensors he studied removed encryption from the devices after their customers requested it. Cerrudo says that without encryption, firmware can be spoofed, and malware can be installed.

Security industry efforts such as I Am the Cavalry and BuildItSecure.ly aim to bridge the gap between embedded device makers and white-hat hackers with help and outreach for better locking down of products.

3. There's often a lack of accountability for device security.
For many consumer devices, "there isn't a clear ownership on who owns the security," LaPoint says. "Device manufacturers say, 'We don't know.' They've hardly thought about it."

Some just post firmware updates on their websites, and it's up to the consumers or users to download and update the products. "Some come with obscure instructions, and that you have to do so with a USB cable," for example, he says. "I don't think the manufacturers are taking ownership" of securing their devices.

4. Many devices have been improperly configured or have purpose-built features that equate to security flaws.
Many of these devices run on the same network as IT systems. "How do these devices ultimately bridge to other things on my network?" LaPoint says. "If someone sees me in my underwear" via my webcam, that's not ideal. "But if they are able to gather personal information about me or other systems on my network… What other things can you do?"

The key is segmenting these consumer IP devices from data-sensitive systems on the network, he says.

The IoT is a challenge for the enterprise, but at least in corporate networks there are ways to add security policies once the devices are identified. "The volume of magnitude of these devices will be unlike anything we've ever seen. Assessment and the ability to understand what traffic is traversing the network, where it's coming from, and the ability to track and shut it down" are key for enterprises, LaPoint says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
9/10/2014 | 6:14:15 PM
Re: Add # 5: IoT rarely reboot so miss boot checks
Good ones. Thanks for providing the examples. 
Some Guy
50%
50%
Some Guy,
User Rank: Moderator
9/6/2014 | 1:01:48 AM
Re: Add # 5: IoT rarely reboot so miss boot checks
e.g., when was the last time you rebooted your settop box? WiFi router? NEST? iPhone?
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
9/5/2014 | 4:36:16 PM
Re: Add # 5: IoT rarely reboot so miss boot checks
I hadn't thought of that one, @SomeGuy. Thanks! Any particular devices you'd use as an example here that illustrate this? 
Some Guy
100%
0%
Some Guy,
User Rank: Moderator
9/5/2014 | 4:26:43 PM
Add # 5: IoT rarely reboot so miss boot checks
To your list I'd add a 5th one. Embedded real-time systems rarely reboot, so a lot of the fundamental underpinnings of cybersecurity that are checked at boot time (e.g., measured boot) don't happen often enough (if at all). If you solve 1-4 without solving this, you are building on quicksand. Maybe it should be # 0.
Sara Peters
100%
0%
Sara Peters,
User Rank: Author
9/5/2014 | 11:41:58 AM
Re: all as bad as the rest
@Kelly  Well I suppose they have to start with taking some responsibility before any of the other challenges are overcome. I wonder if the manufacturers of IoT products will start using more off-the-shelf software. Maybe that would start to make a dent in the patch management problem. 

Sigh. We're going to be talking abnout this for a long time.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
9/5/2014 | 11:05:03 AM
Re: all as bad as the rest
There are other issues, too, but these were the top of mind ones security experts flagged.

I think the overarching one is the taking responsibility/ownership.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
9/5/2014 | 11:00:22 AM
all as bad as the rest
Wow. I'm sitting here trying to decide which of these problems is the worst, and I can't decide because they're all dreadful. The next question I guess is which one is most likely to be overcome soonest... and I'm not sure about that either. Anyone else?
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprise
Assessing Cybersecurity Risk in Today's Enterprise
Security leaders are struggling to understand their organizations risk exposure. While many are confident in their security strategies and processes, theyre also more concerned than ever about getting breached. Download this report today and get insights on how today's enterprises assess and perceive the risks they face in 2019!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18862
PUBLISHED: 2019-11-11
maidag in GNU Mailutils before 3.8 is installed setuid and allows local privilege escalation in the url mode.
CVE-2019-18853
PUBLISHED: 2019-11-11
ImageMagick before 7.0.9-0 allows remote attackers to cause a denial of service because XML_PARSE_HUGE is not properly restricted in coders/svg.c, related to SVG and libxml2.
CVE-2019-18854
PUBLISHED: 2019-11-11
A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to unlimited recursion for a '<use ... xlink:href="#identifier">' substring.
CVE-2019-18855
PUBLISHED: 2019-11-11
A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to potentially unwanted elements or attributes.
CVE-2019-18856
PUBLISHED: 2019-11-11
A Denial Of Service vulnerability exists in the SVG Sanitizer module through 8.x-1.0-alpha1 for Drupal because access to external resources with an SVG use element is mishandled.