
Since we issued our last set of security recommendations for IoT device makers, we went back into the lab and generated a few more we’d like to share with you. We understand that vendors are primarily focused on creating functional devices, but making a device more secure does not need to take that much effort, and the benefits can be dramatic. Every layer of security puts one more roadblock between an attacker and exploiting a device. These recommendations aren’t the most heavy-duty defenses, but they are five ways to slow down attackers.

1. Remove Remote Configuration Services
Whether it’s a custom protocol or hidden inside your webserver, if you allow remote configuration of your device, you’ve widened your surface area and exposed your device to attack. In the last few devices we’ve analyzed, we’ve found remote configuration services that were easily detectable with port scanning and straightforward to use or exploit. While some vendors try to use encryption or signatures to lock these down, that’s often not enough to keep a determined adversary out.

2. Use XN Appropriately
If your device runs Linux, you can easily make your program heaps non-executable, effectively tripling the time an attacker needs to spend developing their exploit. When developers allocate space for incoming data in an executable heap, any vulnerability immediately hands control over to the attacker. There are ways around XN, but if you make attackers jump that hurdle, it will cost them valuable time.

3. Strip Debug Strings and Symbols in Released Firmware
Eventually, machines will be smart enough that they discover and exploit all our vulnerabilities before humans can uncover them. Since we’re not there yet, why give reverse engineers a clue as to what your code is doing? Strip your binaries before you release them, and not only will you save space, but you’ll definitely give someone a headache.
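A release-gate check covering recommendations 2 and 3, as an added example that is not code from the original post: it reads an ELF binary's headers to see whether the stack is marked non-executable (`PT_GNU_STACK` without `PF_X`) and whether symbol or debug sections were left in. The `audit_elf` and `build_sample` names are hypothetical, and the sample images are constructed header skeletons, not real firmware.

```python
import struct

PT_GNU_STACK, PF_X = 0x6474E551, 0x1

def audit_elf(data: bytes) -> dict:
    """Report the stack-permission marking and unstripped sections of an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64, e = data[4] == 2, "<" if data[5] == 1 else ">"
    (phoff, shoff, _, _, phentsize, phnum, shentsize, shnum, shstrndx) = struct.unpack_from(
        e + ("QQ" if is64 else "II") + "IHHHHHH", data, 0x20 if is64 else 0x1C)
    # A missing PT_GNU_STACK, or one carrying PF_X, requests an executable stack; on
    # some architectures and kernel versions Linux then also makes the heap executable.
    stack_flags = None
    for i in range(phnum):
        ph = phoff + i * phentsize
        if struct.unpack_from(e + "I", data, ph)[0] == PT_GNU_STACK:
            stack_flags = struct.unpack_from(e + "I", data, ph + (4 if is64 else 24))[0]
    names = []
    if shnum and shstrndx:
        # sh_offset of the section-name string table (offset 16 in ELF32, 24 in ELF64)
        strtab = struct.unpack_from(e + ("Q" if is64 else "I"), data,
                                    shoff + shstrndx * shentsize + (24 if is64 else 16))[0]
        for i in range(shnum):
            start = strtab + struct.unpack_from(e + "I", data, shoff + i * shentsize)[0]
            names.append(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
    leftovers = [n for n in names if n in (".symtab", ".strtab") or n.startswith(".debug")]
    return {"nx_marked": stack_flags is not None and not stack_flags & PF_X,
            "leftover_sections": leftovers}

def build_sample(stack_flags: int, sections: list) -> bytes:
    """Constructed ELF32 little-endian skeleton (headers and names only), not real firmware."""
    names = [""] + sections + [".shstrtab"]
    strtab = b"".join(n.encode() + b"\0" for n in names)
    stroff = 52 + 32                      # ELF header + one program header
    shoff = stroff + len(strtab)
    out = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", 2, 40, 1, 0, 52, shoff, 0, 52, 32, 1, 40, len(names), len(names) - 1)
    out += struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 0) + strtab
    pos = 0
    for n in names:
        out += struct.pack("<10I", pos, 1, 0, 0, stroff, len(strtab), 0, 0, 0, 0)
        pos += len(n) + 1
    return out

RELEASE = audit_elf(build_sample(0x6, [".text", ".dynsym"]))   # PF_R|PF_W, stripped
DEBUG = audit_elf(build_sample(0x7, [".text", ".symtab", ".strtab", ".debug_info"]))
```

Run over every ELF file in the unpacked release image, a build can fail when `nx_marked` is false or `leftover_sections` is non-empty.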

4. Prevent Easy Access to Firmware
Firmware updates are important and useful when users install them. They’re also helpful for attackers who can anonymously download the latest version of your firmware and extract the file system and kernel with binwalk. Why hand malicious actors so much useful information? Obscure file formats and architectures are not effective against experienced reverse engineers. Look into alternative ways to provide updates, and double-check that your update method is secure, rather than exposing another door for attackers to exploit.

5. Disable Default Root Accounts
If you leave the UART interface exposed in hardware, or leave Telnet open to anonymous users, gaining root access in a shell on your device is trivial. If you don’t really need to have a shell interface, remove it. If you must have one, protect it with layers of security, and limit how much functionality you make available.
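One way to check a firmware image for the accounts described above before release, as an added example that is not code from the original post: it scans the image's `/etc/passwd` and `/etc/shadow` contents for UID 0 accounts that can still log in. The function name, the finding labels and the sample files are constructed for illustration, and a `passwd` entry with no matching `shadow` line is assumed to be locked.

```python
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

def audit_root_accounts(passwd_text: str, shadow_text: str) -> list:
    """Return (user, finding) pairs for UID 0 accounts that can still log in."""
    shadow = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            shadow[fields[0]] = fields[1]
    findings = []
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 7 or fields[2] != "0":
            continue                      # malformed line or not a root-equivalent UID
        user, pw, shell = fields[0], fields[1], fields[6]
        if shell in NOLOGIN_SHELLS:
            continue                      # account cannot get a shell
        if pw == "x":                     # hash is kept in /etc/shadow
            pw = shadow.get(user, "*")    # assumption: no shadow entry is treated as locked
        if pw == "":
            findings.append((user, "empty password"))
        elif pw[0] not in "!*":           # "!" or "*" marks a locked password
            findings.append((user, "password hash shipped in image"))
    return findings

# Constructed sample files; the hash is a placeholder, not a real credential.
PASSWD = """root:x:0:0:root:/root:/bin/sh
admin::0:0::/:/bin/sh
service:x:0:0::/:/bin/false
support:x:0:0::/:/bin/sh
daemon:x:1:1::/:/bin/false
"""
SHADOW = """root:$1$SALT$PLACEHOLDERHASH:0:0:99999:7:::
support:!:0:0:99999:7:::
"""
FINDINGS = audit_root_accounts(PASSWD, SHADOW)
```

A hash baked into the image is flagged because every unit shipped with that image shares the same root credential.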
Hackers look for these features because they enable access to the device and speed up exploitation. Implement every one of these you can and hold attackers up with layers of security before they can begin to look for vulnerabilities in your code. Every one you implement sets you apart from the majority of device makers, who make no meaningful effort to secure these devices, which are pervasive in our lives.
Networked embedded device developers are welcome to talk to us about Senrio Trace and how it can help reduce the opportunities hackers have to discover exploitable vulnerabilities.