Explosive growth of networked embedded devices and a shifting threat landscape require a new approach to IoT Security. Here is why.
Why is Everything Connected Now?

Not a day goes by without a story of a new “smart” device being launched. A perfect storm of new enabling technologies is driving the adoption of Internet-connected devices: The rise of inexpensive systems-on-a-chip (SoCs) running full operating systems has effectively eradicated many industry use cases for expensive, custom application-specific integrated circuits (ASICs). Any product developer, hobbyist or high-schooler can use an off-the-shelf low-cost computing device like the Raspberry Pi and launch a functioning product in under three months of development. The commoditization of hardware, coupled with the rapidly decreasing cost of bandwidth and processing, has led to an explosion of Internet-connected devices. Most of the buzz has been focused on the consumer space with smart toasters, kettles, and diapers?! The proliferation of useless novelty devices has led to a fatigue with the term “Internet of Things”, causing Goldman Sachs to quip in 2014 that “you cannot spell idiot without IoT”.
By contrast, enterprise interest in IoT is driven by pragmatic business needs and financial rationale. Moving data to the cloud and connecting sensors, devices, and equipment to the Internet has boosted productivity and lowered costs in the healthcare, manufacturing, utility and retail industries. For instance, healthcare is an early adopter of IoT and has been able to leverage IoT technologies to provide better patient care and save costs. The rise in healthcare IoT is driven by demand for advanced healthcare information, patient monitoring devices and mHealth technology. The global market for Internet of Things (IoT) in healthcare was valued at over $24 million. The same drivers exist in energy, manufacturing and enterprise environments.
What is IoT?!
What is the Internet of Things? You cannot find a lot of people who like the term Internet of Things or can even agree on what it actually means. At Senrio we therefore refer to this new breed of miniature computers as Networked Embedded Devices (NEDs): In contrast to a PC or server, an embedded device runs a single-purpose operating system. Networked embedded devices have a means of communicating, either with other devices on a closed network or with the cloud via a link to the Internet.
While consumer devices are flashy and get attention, they are just the tip of the iceberg. Enterprise IoT focuses on large-scale, high-value and/or critical networks of embedded devices used in healthcare, retail, corporate and critical infrastructure environments. Think of medical equipment, point-of-sale payment systems, inventory scanners, security cameras, industrial control systems, etc. It includes concepts (aka more buzzwords) such as Industry 4.0, healthcare IoT, mobility, connected vehicle, Industrial Internet, Smart City, Big Data and Machine-to-Machine communications.
Billions of Unsecured Embedded Devices
There is a staggering number of networked embedded devices that perform life- and mission-critical tasks that our daily lives depend on. What all these devices have in common is that they are ubiquitous and adoption is growing at a staggering rate: Gartner predicts IoT devices will grow 32%, reaching an installed base of 21 billion units by 2020.

While adoption has been rapid, security is lagging behind. We haven’t thought of these new types of devices as miniature computers that need the same care in deployment, management and protection as our servers, computers and mobile phones. The security industry has largely ignored the unique risk these connected, specialized and inherently vulnerable assets pose. For instance, printers and IP phones top the chart of high-risk devices connected to the enterprise network.
Beyond the enterprise, we see many new control systems and industrial devices with Ethernet connectors (also known as RJ-45 connectors). These are embedded devices that we have relied upon for decades but now they are connected to the cloud as well as to other parts of the network. These are used for traffic control, retail payment systems, manufacturing floors and nuclear power plants.
Networked Embedded Devices Make Ideal Targets
The very nature of embedded devices makes them ideal targets for attackers: Embedded devices are inherently insecure, making them the “low hanging” fruit in a network, and they allow attackers to pivot to high-value targets:
Low Barriers To Entry

Devices are "unsecurable": Components are sourced cheaply and system device manufacturers (ODMs who sometimes don’t even get their logo on the device) have no incentive to update to the latest version of the operating system. One study found that the “minimum age of the Linux operating system in common home routers was four years old.” At the chip level, all AMD processors shipped in the past decade include a “super secret” developer-mode password that unlocks privileged debug functionality which can be used to compromise a device. As of 2015 ARM’s processor technology was used in 95% of smartphones, 80% of digital cameras and a majority of IoT devices. And the list goes on. The Senrio research team has discovered zero-day vulnerabilities in WiFi cameras, set-top boxes, insulin pumps and industrial controllers. Compromising an embedded device is so trivial that our interns owned a (used!) ATM, a gaming console and a home controller.
Often "unpatchable": Once devices ship, it is more difficult to patch them. If a patch is possible, users have to manually download and install relevant patches. The update rate for consumer products is as low as 20%. In the case of enterprise IoT, it may even be harder to install updates. Medical devices are approved “as is” and a firmware update might trigger a new audit or compliance requirements.
And breaches undetectable: Embedded devices generally lack the "intimate" user interfaces that might "tip off" a user to strange behavior or compromise. So while you may notice redirects, pop-ups or sluggishness on your computer, embedded devices typically don’t have a screen or user interface that may tip someone off. Moreover, embedded devices are "small", so they generally don't keep the kind of verbose application logs that some security solutions require for visibility. Many embedded devices use "read-only" flash filesystems (if that). This means that if a device is compromised, forensics and incident response are virtually impossible. In fact, breaches typically go unnoticed for months as understaffed security teams ignore or dismiss alerts. Traditional systems may also not be able to pick up when a device is misused or misconfigured.
Coupled With High Rewards

High Value Context: Embedded devices typically perform specialized and dedicated tasks. As a device, a Wi-Fi camera is not very valuable; however, when it is pointed over a cashier typing passwords or at the keypad of a safe, the transmitted data can be monetized by an attacker. Think that is unlikely? In 2014 Shodan, the search engine cataloging Internet-connected devices, found security cameras installed by a third-party contractor that granted an intimate over-the-shoulder look into Google’s headquarters.
Pivot to High Value Networks: If the device itself does not have access to valuable data, attackers might use it to pivot into more promising areas. In the 2013 Target Corporation compromise that resulted in one of the largest credit card thefts in history, the point of entry was the network access of the subcontractor that installed and serviced the HVAC system. Similarly, a printer was hacked and used to send previous print jobs to any place (without the user knowing) and as a pivot point to attack computers on the local network. Your network is only as secure as its weakest link.
DDoS For-Hire: Embedded devices have been used to form a botnet and launch Distributed Denial-of-Service (DDoS) attacks. So while you might think your unsecured home webcam is harmless (who wants to watch my cat patrolling the living room?), when used cumulatively they are a potent danger. DDoS attacks have increased by 125%, largely fueled by the abundance of networked devices such as home routers and webcams. In fact, more than 7 million devices worldwide could be exploited for such attacks. A healthy ecosystem has developed around “DDoS testing services” and attacks can be purchased at the same price as a Starbucks venti caramel macchiato.
Industrial Sabotage and Espionage: At a national security level, networked embedded devices provide attackers a surface to sabotage critical infrastructure such as power generation. ICS/SCADA systems (the controllers running our lives) can also be exploited for economic gain through industrial espionage, for example by compromising the operational network and then moving laterally into the IT network to steal engineering documents or reverse engineer industrial processes. The real threat is not traditional “compromised” devices (code injection, etc.) but maliciously (re)configured devices that cause product recalls or intentional failures. This threat landscape impacts safety, reliability and quality assurance in our robot-driven factories and power plants.
IoT Security is a Hot Marketing Topic But Real Solutions Lag Behind
The security establishment is putting the IoT and embedded device sticker on their existing solutions. However, the unique needs of the space will not be addressed by rebranding traditional solutions:
- The Inside-Out Approach Will Not Secure the Embedded World: Antivirus worked great on workstations because it addressed a highly homogeneous ecosystem. Computers and servers run on a handful of operating systems. By contrast, embedded devices lack homogeneity and run on a wide variety of, sometimes proprietary, hardware, OS and software stacks. Moreover, the devices themselves are often SWaP-constrained, meaning they have limitations on size, weight and power; therefore, placing an agent on the device is impractical. This rules out antivirus.
- Traditional Outside-In Will Not Secure the Embedded World: Traditional network defenses are not designed to address embedded device characteristics. They are signature-based and thus only alert on known attack scenarios. A false positive on an inline firewall blocks legitimate traffic and causes downtime, which is unacceptable in many enterprise and industrial applications. Intrusion Detection Systems (IDS) catch shellcode, but we see that exploits of embedded devices misuse or reconfigure the device, thereby flying under the radar. An added challenge for control systems is that an active port scan or an incomplete protocol handshake can cause the devices to malfunction, so even discovery has to be passive.
Security through Obscurity - Not an Option Anymore
Historically, industrial control systems (as used in factories, power plants and other critical infrastructure networks) have relied on “security through obscurity.” This is an effective means of protecting assets only as long as nobody knows the secret. For example, if you leave your key and alarm system password under the planter or doormat, the best home security system will not keep out burglars once they find out. Today the location of your home keys is, in effect, plastered all over the Internet and accessible by anyone:
- STUXNET changed the game for Industrial Control: This worm infects Windows computers and propagates mostly through infected USB sticks. Its ultimate target is a specific brand of Programmable Logic Controllers (PLCs), which are used to control large-scale industrial facilities like power plants, dams, waste processing systems, etc. Stuxnet “reportedly ruined 20% of Iran’s nuclear centrifuges”.
- Increased research focus on Industrial Control Systems: With the public attention Stuxnet garnered, security researchers became more interested in this type of device (SCADA exploit modules within the Metasploit framework increased from 7 before Stuxnet to 57). Researchers started publishing vulnerabilities online. To make matters worse, a Russian security firm offered a software package for sale that contained 22 modules exploiting 11 zero-day vulnerabilities.
- Shodan puts ICS devices at your fingertips: Traditional search engines like Google index the web content intended for human consumption. By contrast, Shodan indexes headers (service banners) which are intended for machine-to-machine communication. When searching for D-Link online, Google will serve you the company website and products. By contrast, Shodan will find all devices containing D-Link in their header, reveal the IP address and provide location information. Shodan's results for D-Link, for example, include live feeds from unsecured cameras. With that, finding targets for publicly available exploits is akin to searching Google for the nearest Kinko’s.
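The header-indexing technique described above is simple enough to reproduce, and defenders can run the same matching over banners captured from their own address space to find exposed devices before someone else does. The following added example (written for this page; it is not Senrio's code or Shodan's) parses captured HTTP response headers, runs a Shodan-style substring query over them, fingerprints the vendor, and flags devices that answer with an HTTP Basic challenge whose realm leaks the model. The banners, IP addresses and vendor patterns are constructed for illustration, not real scan data or a real signature database. Only captured (passively observed or previously recorded) responses are parsed; nothing here sends probes, which matters given that active scans can upset control systems.

```python
"""Shodan-style banner search over captured HTTP response headers.

Added, illustrative example.  SAMPLES below are hand-written banners, not
real scan data; VENDOR_PATTERNS are assumed patterns, not a vendor database.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Banner:
    ip: str
    port: int
    status: str                       # e.g. "HTTP/1.1 401 Unauthorized"
    headers: dict = field(default_factory=dict)   # lower-cased header names


def parse_banner(ip: str, port: int, raw: str) -> Banner:
    """Parse the status line and header block of a captured HTTP response.

    Everything after the blank line (the body) is discarded; a header index
    never looks at it.  Malformed header lines without a colon are skipped.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Banner(ip, port, status, headers)


def _header_blob(b: Banner) -> str:
    """Flatten status line and headers into one searchable string."""
    return b.status + " " + " ".join(f"{k}: {v}" for k, v in b.headers.items())


# Assumed patterns for illustration: vendor name in Server header, or a
# camera model realm such as DCS-932L in the auth challenge.
VENDOR_PATTERNS = {
    "D-Link": re.compile(r"d-?link|\bDCS-\d{3}", re.I),
    "Hikvision": re.compile(r"hikvision|DVRDVS", re.I),
}


def fingerprint(b: Banner):
    """Return the first vendor whose pattern matches the banner, else None."""
    blob = _header_blob(b)
    for vendor, pattern in VENDOR_PATTERNS.items():
        if pattern.search(blob):
            return vendor
    return None


def search(banners, query: str):
    """Case-insensitive substring query over the header block, the way a
    Shodan search for 'D-Link' works.  Returns matching (ip, port) pairs."""
    q = query.lower()
    return [(b.ip, b.port) for b in banners if q in _header_blob(b).lower()]


def exposed_basic_auth(banners):
    """Devices answering 401 with an HTTP Basic challenge.  The realm usually
    names the model, and on plain HTTP the credentials cross the wire
    base64-encoded rather than encrypted.  Returns (ip, realm) pairs."""
    found = []
    for b in banners:
        challenge = b.headers.get("www-authenticate", "")
        if " 401 " in b.status and challenge.lower().startswith("basic"):
            m = re.search(r'realm="([^"]*)"', challenge)
            found.append((b.ip, m.group(1) if m else ""))
    return found


# Constructed sample banners (documentation address ranges, invented models).
SAMPLES = [
    ("198.51.100.10", 80,
     "HTTP/1.1 401 Unauthorized\r\nServer: alphapd\r\n"
     "WWW-Authenticate: Basic realm=\"DCS-932L\"\r\n"
     "Content-Type: text/html\r\n\r\n<html>login</html>"),
    ("198.51.100.23", 8080,
     "HTTP/1.0 200 OK\r\nServer: D-Link Web Server\r\nContent-Length: 1234\r\n\r\n"),
    ("203.0.113.7", 80,
     "HTTP/1.1 401 Unauthorized\r\nServer: DVRDVS-Webs\r\n"
     "WWW-Authenticate: Basic realm=\"Hikvision\"\r\n\r\n"),
    ("203.0.113.99", 443,
     "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Type: text/html\r\n\r\n"),
]


def index():
    """Build the in-memory banner index from the constructed samples."""
    return [parse_banner(ip, port, raw) for ip, port, raw in SAMPLES]


if __name__ == "__main__":
    banners = index()
    print("query 'd-link':", search(banners, "d-link"))
    print("fingerprints:", [(b.ip, fingerprint(b)) for b in banners])
    print("basic-auth challenges:", exposed_basic_auth(banners))
```

Note that the literal query "d-link" misses the first camera, whose Server header is a generic "alphapd"; only the realm in its auth challenge gives it away, which is why the fingerprint pass matches on the whole header block rather than on the Server header alone. Running the same parser over banners recorded from your own perimeter gives a defender the same view of exposed devices that an attacker gets from a public index.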
Going Dark - Not Realistic Either

At this point you might throw your hands up in the air and just pull the plug: “Why don’t we disconnect all critical systems from the Internet?” This was precisely the reaction on Capitol Hill after reading a report produced by ICS-CERT which found that “a synchronized and coordinated cyberattack shut down a large section of the Ukrainian power grid in December 2015, a situation which, if replicated in the U.S., could cost anywhere between $242 billion and $1 trillion dollars.”
However, isolating or “air gapping” critical systems from the Internet is a fallacy in the 21st century. Even isolated networks get infected, either intentionally, through worms like Stuxnet spreading via infected USB sticks, or unintentionally, by connecting an infected laptop during service or maintenance of the system.
Apart from air gapping not providing the desired protection, the need for connectivity and greater insight is driving the smart grid effort to install smart meters and advanced electrical infrastructure capable of handling alternative sources of energy. Rather than trying to turn back time, we must embrace innovation and rethink cyber security with the new reality that networked embedded devices bring.
A Shifting Threat Landscape
IoT security finds itself at a pivotal point. The sheer number of devices currently deployed, the complete disregard for security during the product development process and the ease with which IoT devices can be compromised create opportunities for attackers. Those responsible for defining and managing the security posture of an organization need IoT-aware tools to provide visibility into what these devices are, what they are doing and whether they are under attack. This is a HUGE blind spot. IoT devices are the low-hanging fruit for potential attackers: They are fairly easy to compromise, are connected to high-value networks and detection of an ongoing attack is highly unlikely without a modernized toolkit.
Senrio aims to remedy this situation, using innovative technology based on a decade of research into embedded devices and first-hand knowledge of the unique threat landscape they create. We've been sounding the alarm bells for years, teaching, writing and being heavily involved in research. Today we are unveiling solutions and tools to provide unprecedented visibility and intelligence into the IoT devices all around us.