Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

9/4/2014
06:10 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

4 Hurdles To Securing The Internet Of Things

Why locking down even the tiniest embedded device is a tall order.

Security is hard enough to master in the traditional enterprise network. Now add all types of devices on the Internet of Things, great (think cars) and small (think webcams and baby monitors), which were never built with cyber security in mind.

Internet-connected devices run the gamut from SCADA systems to consumer products, and security weaknesses in these products have been under the glare of the spotlight the past year as researchers have publicized major flaws. Some of the affected industries got their first taste of white-hat hacking as vulnerabilities were revealed in cars, pacemakers, road traffic systems, home automation systems, and airplanes. The big shift: Public safety is now part of the equation with some of these products.

Many come with purpose-built features that actually equate to security flaws: intentional backdoors, hardcoded credentials, unencrypted data traffic, and critical systems sitting on the same network as noncritical ones. Even after highly publicized presentations at Black Hat USA and DEF CON last month, many remain unfixed and vulnerable.

Just how enterprises can manage the onslaught of connected devices will also be a big topic next month at Interop New York. Kent Shuart, network security product manager for Dell SonicWall, will present a session titled "Next Line of Defense: Internet of Things."

[Public safety may finally force Internet of Things manufacturers to start taking security seriously. Read Internet Of Things Security Reaches Tipping Point.]

So why not just patch or update IoT devices or build them more securely? There are some big-time challenges in securing these consumer and other embedded systems:

1. There's often no consistent or official software update process or mechanism.
Malware on a Windows machine eventually gets discovered, but Marc Maiffret, CTO at BeyondTrust, says there is little or no visibility into IoT devices. "Nobody has visibility into these devices or what is the authenticity of the firmware" if there's an update to them.

Since many of these devices run on Linux-based platforms, he suggests that their software be managed by the open systems community, which can handle vulnerability and security updates. An IP camera or an SAN storage system, for instance, should have a regular Linux update mechanism. "They should be opened up so they are truly treated as Linux OS. Allow me to SSH into it securely" and manage it like any other Linux OS, he says.

Chris LaPoint, vice president of product management at SolarWinds, says he has three home IP cameras that aren't running up-to-date firmware. It's unclear if they contain vulnerabilities. "Even the setup instruction for a lot of these devices, and the configuration of security controls around them, and patching… How does that get managed?"

2. Many consumer product and other nontraditional IT vendors have little or no understanding of the cyberthreats embedded in their systems.
There's a major disconnect between many of these embedded device manufacturers and the security community. Take the satellite terminal vendor community. Ruben Santamarta, a principal security consultant at IOActive, has found hardcoded passwords, backdoors, and insecure protocols in these devices that could allow attackers to hijack and disrupt communications links to ships, airplanes, and military operations. His findings were reported by the CERT Coordination Center to the vendors in January.

Fast forward to Black Hat USA, where Santamarta provided more details of his findings and revealed that the affected vendors have no plans to patch or fix the flaws he found. Some of the vendors contend that the issues aren't flaws, but necessary features in their products.

Santamarta's colleague Cesar Cerrudo, CTO at IOActive, had a similar experience when he found security holes in vehicle traffic control equipment. The manufacturers of the smart sensors he studied removed encryption from the devices after their customers requested it. Cerrudo says that without encryption, firmware can be spoofed, and malware can be installed.

Security industry efforts such as I Am the Cavalry and BuildItSecure.ly aim to bridge the gap between embedded device makers and white-hat hackers with help and outreach for better locking down of products.

3. There's often a lack of accountability for device security.
For many consumer devices, "there isn't a clear ownership on who owns the security," LaPoint says. "Device manufacturers say, 'We don't know.' They've hardly thought about it."

Some just post firmware updates on their websites, and it's up to the consumers or users to download and update the products. "Some come with obscure instructions, and that you have to do so with a USB cable," for example, he says. "I don't think the manufacturers are taking ownership" of securing their devices.

4. Many devices have been improperly configured or have purpose-built features that equate to security flaws.
Many of these devices run on the same network as IT systems. "How do these devices ultimately bridge to other things on my network?" LaPoint says. "If someone sees me in my underwear" via my webcam, that's not ideal. "But if they are able to gather personal information about me or other systems on my network… What other things can you do?"

The key is segmenting these consumer IP devices from data-sensitive systems on the network, he says.

The IoT is a challenge for the enterprise, but at least in corporate networks there are ways to add security policies once the devices are identified. "The volume of magnitude of these devices will be unlike anything we've ever seen. Assessment and the ability to understand what traffic is traversing the network, where it's coming from, and the ability to track and shut it down" are key for enterprises, LaPoint says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
9/10/2014 | 6:14:15 PM
Re: Add # 5: IoT rarely reboot so miss boot checks
Good ones. Thanks for providing the examples. 
Some Guy
50%
50%
Some Guy,
User Rank: Moderator
9/6/2014 | 1:01:48 AM
Re: Add # 5: IoT rarely reboot so miss boot checks
e.g., when was the last time you rebooted your settop box? WiFi router? NEST? iPhone?
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
9/5/2014 | 4:36:16 PM
Re: Add # 5: IoT rarely reboot so miss boot checks
I hadn't thought of that one, @SomeGuy. Thanks! Any particular devices you'd use as an example here that illustrate this? 
Some Guy
100%
0%
Some Guy,
User Rank: Moderator
9/5/2014 | 4:26:43 PM
Add # 5: IoT rarely reboot so miss boot checks
To your list I'd add a 5th one. Embedded real-time systems rarely reboot, so a lot of the fundamental underpinnings of cybersecurity that are checked at boot time (e.g., measured boot) don't happen often enough (if at all). If you solve 1-4 without solving this, you are building on quicksand. Maybe it should be # 0.
Sara Peters
100%
0%
Sara Peters,
User Rank: Author
9/5/2014 | 11:41:58 AM
Re: all as bad as the rest
@Kelly  Well I suppose they have to start with taking some responsibility before any of the other challenges are overcome. I wonder if the manufacturers of IoT products will start using more off-the-shelf software. Maybe that would start to make a dent in the patch management problem. 

Sigh. We're going to be talking abnout this for a long time.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
9/5/2014 | 11:05:03 AM
Re: all as bad as the rest
There are other issues, too, but these were the top of mind ones security experts flagged.

I think the overarching one is the taking responsibility/ownership.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
9/5/2014 | 11:00:22 AM
all as bad as the rest
Wow. I'm sitting here trying to decide which of these problems is the worst, and I can't decide because they're all dreadful. The next question I guess is which one is most likely to be overcome soonest... and I'm not sure about that either. Anyone else?
Tor Weaponized to Steal Bitcoin
Dark Reading Staff 10/18/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
State of SMB Insecurity by the Numbers
Ericka Chickowski, Contributing Writer,  10/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-9501
PUBLISHED: 2019-10-22
The Artificial Intelligence theme before 1.2.4 for WordPress has XSS because Genericons HTML files are unnecessarily placed under the web root.
CVE-2019-16971
PUBLISHED: 2019-10-22
In FusionPBX up to 4.5.7, the file app\messages\messages_thread.php uses an unsanitized "contact_uuid" variable coming from the URL, which is reflected on 3 occasions in HTML, leading to XSS.
CVE-2019-16972
PUBLISHED: 2019-10-22
In FusionPBX up to 4.5.7, the file app\contacts\contact_addresses.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.
CVE-2019-16973
PUBLISHED: 2019-10-22
In FusionPBX up to 4.5.7, the file app\contacts\contact_edit.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS.
CVE-2015-9496
PUBLISHED: 2019-10-22
The freshmail-newsletter plugin before 1.6 for WordPress has shortcode.php SQL Injection via the 'FM_form id=' substring.