Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

9/4/2014
06:10 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

4 Hurdles To Securing The Internet Of Things

Why locking down even the tiniest embedded device is a tall order.

Security is hard enough to master in the traditional enterprise network. Now add all types of devices on the Internet of Things, great (think cars) and small (think webcams and baby monitors), which were never built with cyber security in mind.

Internet-connected devices run the gamut from SCADA systems to consumer products, and security weaknesses in these products have been under the glare of the spotlight the past year as researchers have publicized major flaws. Some of the affected industries got their first taste of white-hat hacking as vulnerabilities were revealed in cars, pacemakers, road traffic systems, home automation systems, and airplanes. The big shift: Public safety is now part of the equation with some of these products.

Many come with purpose-built features that actually equate to security flaws: intentional backdoors, hardcoded credentials, unencrypted data traffic, and critical systems sitting on the same network as noncritical ones. Even after highly publicized presentations at Black Hat USA and DEF CON last month, many remain unfixed and vulnerable.

Just how enterprises can manage the onslaught of connected devices will also be a big topic next month at Interop New York. Kent Shuart, network security product manager for Dell SonicWall, will present a session titled "Next Line of Defense: Internet of Things."

[Public safety may finally force Internet of Things manufacturers to start taking security seriously. Read Internet Of Things Security Reaches Tipping Point.]

So why not just patch or update IoT devices or build them more securely? There are some big-time challenges in securing these consumer and other embedded systems:

1. There's often no consistent or official software update process or mechanism.
Malware on a Windows machine eventually gets discovered, but Marc Maiffret, CTO at BeyondTrust, says there is little or no visibility into IoT devices. "Nobody has visibility into these devices or what is the authenticity of the firmware" if there's an update to them.

Since many of these devices run on Linux-based platforms, he suggests that their software be managed by the open systems community, which can handle vulnerability and security updates. An IP camera or an SAN storage system, for instance, should have a regular Linux update mechanism. "They should be opened up so they are truly treated as Linux OS. Allow me to SSH into it securely" and manage it like any other Linux OS, he says.

Chris LaPoint, vice president of product management at SolarWinds, says he has three home IP cameras that aren't running up-to-date firmware. It's unclear if they contain vulnerabilities. "Even the setup instruction for a lot of these devices, and the configuration of security controls around them, and patching… How does that get managed?"

2. Many consumer product and other nontraditional IT vendors have little or no understanding of the cyberthreats embedded in their systems.
There's a major disconnect between many of these embedded device manufacturers and the security community. Take the satellite terminal vendor community. Ruben Santamarta, a principal security consultant at IOActive, has found hardcoded passwords, backdoors, and insecure protocols in these devices that could allow attackers to hijack and disrupt communications links to ships, airplanes, and military operations. His findings were reported by the CERT Coordination Center to the vendors in January.

Fast forward to Black Hat USA, where Santamarta provided more details of his findings and revealed that the affected vendors have no plans to patch or fix the flaws he found. Some of the vendors contend that the issues aren't flaws, but necessary features in their products.

Santamarta's colleague Cesar Cerrudo, CTO at IOActive, had a similar experience when he found security holes in vehicle traffic control equipment. The manufacturers of the smart sensors he studied removed encryption from the devices after their customers requested it. Cerrudo says that without encryption, firmware can be spoofed, and malware can be installed.

Security industry efforts such as I Am the Cavalry and BuildItSecure.ly aim to bridge the gap between embedded device makers and white-hat hackers with help and outreach for better locking down of products.

3. There's often a lack of accountability for device security.
For many consumer devices, "there isn't a clear ownership on who owns the security," LaPoint says. "Device manufacturers say, 'We don't know.' They've hardly thought about it."

Some just post firmware updates on their websites, and it's up to the consumers or users to download and update the products. "Some come with obscure instructions, and that you have to do so with a USB cable," for example, he says. "I don't think the manufacturers are taking ownership" of securing their devices.

4. Many devices have been improperly configured or have purpose-built features that equate to security flaws.
Many of these devices run on the same network as IT systems. "How do these devices ultimately bridge to other things on my network?" LaPoint says. "If someone sees me in my underwear" via my webcam, that's not ideal. "But if they are able to gather personal information about me or other systems on my network… What other things can you do?"

The key is segmenting these consumer IP devices from data-sensitive systems on the network, he says.

The IoT is a challenge for the enterprise, but at least in corporate networks there are ways to add security policies once the devices are identified. "The volume of magnitude of these devices will be unlike anything we've ever seen. Assessment and the ability to understand what traffic is traversing the network, where it's coming from, and the ability to track and shut it down" are key for enterprises, LaPoint says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
9/10/2014 | 6:14:15 PM
Re: Add # 5: IoT rarely reboot so miss boot checks
Good ones. Thanks for providing the examples. 
Some Guy
50%
50%
Some Guy,
User Rank: Moderator
9/6/2014 | 1:01:48 AM
Re: Add # 5: IoT rarely reboot so miss boot checks
e.g., when was the last time you rebooted your settop box? WiFi router? NEST? iPhone?
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
9/5/2014 | 4:36:16 PM
Re: Add # 5: IoT rarely reboot so miss boot checks
I hadn't thought of that one, @SomeGuy. Thanks! Any particular devices you'd use as an example here that illustrate this? 
Some Guy
100%
0%
Some Guy,
User Rank: Moderator
9/5/2014 | 4:26:43 PM
Add # 5: IoT rarely reboot so miss boot checks
To your list I'd add a 5th one. Embedded real-time systems rarely reboot, so a lot of the fundamental underpinnings of cybersecurity that are checked at boot time (e.g., measured boot) don't happen often enough (if at all). If you solve 1-4 without solving this, you are building on quicksand. Maybe it should be # 0.
Sara Peters
100%
0%
Sara Peters,
User Rank: Author
9/5/2014 | 11:41:58 AM
Re: all as bad as the rest
@Kelly  Well I suppose they have to start with taking some responsibility before any of the other challenges are overcome. I wonder if the manufacturers of IoT products will start using more off-the-shelf software. Maybe that would start to make a dent in the patch management problem. 

Sigh. We're going to be talking abnout this for a long time.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
9/5/2014 | 11:05:03 AM
Re: all as bad as the rest
There are other issues, too, but these were the top of mind ones security experts flagged.

I think the overarching one is the taking responsibility/ownership.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
9/5/2014 | 11:00:22 AM
all as bad as the rest
Wow. I'm sitting here trying to decide which of these problems is the worst, and I can't decide because they're all dreadful. The next question I guess is which one is most likely to be overcome soonest... and I'm not sure about that either. Anyone else?
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15820
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.
CVE-2020-15821
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
CVE-2020-15823
PUBLISHED: 2020-08-08
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
CVE-2020-15824
PUBLISHED: 2020-08-08
In JetBrains Kotlin before 1.4.0, there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.
CVE-2020-15825
PUBLISHED: 2020-08-08
In JetBrains TeamCity before 2020.1, users with the Modify Group permission can elevate other users' privileges.