Since we issued our last set of security recommendations for IoT device makers, we went back into the lab and generated a few more we’d like to share with you. We understand that vendors are primarily focused on creating functional devices, but making a device more secure does not need to take that much effort, and the benefits can be dramatic. Every layer of security puts one more roadblock between an attacker and exploiting a device. These recommendations don’t consist of the most heavy-duty defenses, but they are five ways to slow down attackers.
The Internet of Things Cybersecurity Improvement Act of 2017 was introduced in Congress this week. Like all “cyber” legislation of the past few decades, it means well. Unlike many bills that have come before it, it actually has a number of good, practical ideas. Will it actually improve IoT security? We’ll get to that in a minute.
For the sake of brevity, we’re going to summarize key elements of the bill, which deals with government contracts that involve the procurement and use of “Internet-Connected Devices” (henceforth “IoT”):
Ransomware has become one of the most serious cyber threats plaguing organizations. Today, all of us - from home users to corporations and government organizations - are trying to protect ourselves from encryption viruses. But we are ignoring the beginning of the next wave of ransomware attacks - aimed at encrypting IoT devices. These attacks can be much more dangerous given the omnipresent and extremely diverse nature of the Internet of Things. (Information Management)
One of the rare cases where blending buzzwords makes for an actually more dangerous situation. In this case the danger is not in losing data, but in losing control of devices that are essential for critical infrastructure to operate safely. This is a problem that only gets worse as IoT becomes pervasive, particularly on a personal level (e.g. implantables). Not every individual victim of ransomware is willing to pony up bitcoin; basically everyone will demand power companies and water utilities pay up should they become victims. Installing protections in firmware that detect and prevent abnormal behavior is one way to reduce the likelihood of someone holding a utility for ransom. Ensuring that device operators know when to implement security and safety protocols (awareness and insight) is another.
The adoption of smart power meters in the UK faces a hurdle:
"Concerns over cybersecurity are undermining the nationwide introduction of smart meters, with more than one in five people saying they do not want one. Almost six million homes would reject the devices despite government promises that they would cut energy bills. More than half of those who oppose smart meters said that their principal concern was data protection."
A perfectly legitimate concern, given recent events and revelations about what metadata can reveal. Spikes in consumption on certain days or times could not only be used to help regulate supply, but suggest when you’re home, away, or have guests over. Over time this sort of information helps establish a pattern of life, which is useful to multiple entities in myriad ways. Knowing when people are away from home could be useful for the police in crime prevention efforts; or data could be sold to advertisers who would push you ads for home security systems if you’re away a lot, or sales at the grocery store if you host a lot of guests.
While it is refreshing to see the general populace expressing concerns about the security of such devices, it does raise the question: do these same people have any idea how prevalent such devices have been in their lives? In a domestic context they are smart devices, but in a factory they’re industrial control and in a power plant, SCADA. This Internet of Things has become a buzz-phrase, but the fact of the matter is that network-enabled devices have been a part of our lives for years before we started giving them clever names.
Medical device security has largely been concerned with attacks that might compromise device safety and effectiveness. An additional important but under-appreciated issue is device integrity. In situations where devices are expected to provide objective testimony, the integrity of the device and the data it generates is paramount.
You probably don’t know Ross Compton, but last fall the 59-year-old claimed that when he noticed his house was on fire, he hurriedly packed some personal belongings, broke a window with his cane, and rushed out of the house. Police, suspicious of his claims, got a warrant for Compton’s pacemaker data. The data showed that he had not been in the state of activity he described at the time of the fire. That data, plus physical evidence collected by fire investigators, was more than enough to charge Compton with arson and insurance fraud.
Cases like this bring to light the importance of issues related to integrity verification. The value of device logs as an objective record of facts only exists if we can be assured that the ability to generate records, and the records themselves, have not been compromised.
Medical devices like pacemakers and drug infusion pumps keep detailed logs of all activity. Because of these logs' value in monitoring patient care, device operation, and incident investigation, there is a risk of data modification attacks through physical or remote access.
Consider a generic infusion pump that primarily dispenses pain medication and writes logs to battery-backed RAM. These logs record the dose of drugs as requested and delivered, any program changes, and when infusion starts and stops. If a patient suffered a medical emergency that could be linked to the pump, or anything went awry, investigators would depend on the device logs to tell them the story. But what if those logs didn’t have the whole story, or an accurate one?
In this new world of "Internet of Things" and billions of networked embedded devices, it is crucial for device manufacturers to bake security into their new designs before they leave the factory. Here are five tips from a team of security researchers who make a living reverse engineering (hacking into) IoT devices on behalf of industry clients.