In 2017, an unnamed casino found that its data servers had been compromised and called on the aid of a security firm to help them find the culprit. Shortly afterwards, the surprising results of this investigation were reported far and wide: like the plot of an ill-conceived James Bond story, hackers had entered the casino’s network through an Internet-connected thermostat in a decorative aquarium. Today’s organizations have a lot more to worry about than the old fish tank trick: this year, experts estimate that the number of devices connected to the Internet will reach 30.1 billion, setting a world record that will continue to climb for years to come. In our time, connected refrigerators, printers, TVs, and smart meters will provide points-of-entry for hackers with increasing frequency. In the past, we’ve written about the security problems plaguing the current generation of IoT devices: just two years ago, researchers at the Black Hat and DEFCON security conferences showed just how bad the problem is by hacking dozens of devices in unique and novel ways. This begs the question: how did we get here? Why is IoT so difficult to secure, and what can organizations do about it?
Why IoT is A Supply-Side Problem
To explain the IoT security problem, we have told ourselves a plausible story sometimes repeated on our website: IoT is an inherent security risk, because increasing the number of Internet-connected devices in an organization also expands the attack surface available to malicious actors. But – while there is truth to this story – it does not explain the sheer number of easily prevented security issues in business grade IoT. According to the Ponemon Institute, 51% of organizations acquire IoT products through a third party; meanwhile, 48% of organizations have been subject to at least one IoT attack, and that number is rising. As we will see, these two facts are not unrelated.
Manufacturing in the 21st Century
The way that technical products are developed today – especially technology based products – has evolved from a pure engineering perspective to a model based more on component-integration. Rather than manufacture a new TCP/IP network card for your new product, for instance, it’s quicker and less expensive to integrate one already produced by a third-party vendor. On the positive side, this means that your product can reach the marketplace quicker, or in manufacturing speak, “reduced time to market”. On the negative side, the same components may end up in hundreds of products from a variety of manufacturers, and – if one such component has a security flaw – it may end up in all those products at the same time. This phenomenon is well-attested by the current state of IoT.
What This Means for Security
With a lack of industry regulations that encourage high security standards for IoT products, the incentive for vendors to make a quick profit by cutting corners can drive sloppy development, a lack of vulnerability testing and quality control issues galore. The IoT market is in its “wild west” phase, as the PC market was three decades ago, and organizations must be wary who they work with. The following tactics are some of the most common ways we find IoT vendors punting the responsibility for secure design from themselves to their customers:
- Quick Turnaround
The term “Internet of Things” has been around since the 1990s, and the basic premise has never changed: it promises to automate basic tasks, from turning on the lights in your home to adjusting the window shades in a conference room based on the level of ambient sunlight to measuring the temperature gradient over a pipeline in a refinery. At its most basic, IoT is simply the implementation of connected technology to solve a problem. But in order to drive IoT adoption, products must have a reasonable price-point. Consumers won’t pay excessive amounts of money to automate tasks they can easily do by themselves. Manufacturing costs have to be kept low enough that the final products will sell, and this is why manufacturers generally choose to integrate cheap and readily available components.
- No Vulnerability Testing
Vendors are not immune to the lack of security awareness which impacts their customers. While it may be in their best, long-term interest to offer products with a high bar for security, it’s all-too-easy for vendors to skip a comprehensive vulnerability testing phase, opting instead to run down a checklist of features, if even that. Many companies lack the capabilities to test their products for security issues in the first place, and without regulations forcing them to do so, they simply won’t bother.
- Convenience at the Cost of Risk
When it comes to ease-of-access, what benefits IoT customers also benefits hackers. For the sake of convenience, vendors make design choices that exacerbate the vulnerability of their products: web interfaces, for instance, are the biggest target of IoT attacks – even those behind a network address translation (NAT) firewall can be compromised. Likewise, the omission of two-factor authentication (2FA) and forced credential updates is a decision driven by form over function, when both features could thwart a huge number of IoT attacks. Rather than go to the trouble of building a dedicated customer support channel, vendors have even been known to add easily exploitable backdoors into a device’s firmware.
- Poor Firmware
Speaking of backdoors in IoT firmware, the design of firmware is a major contributing factor to IoT security issues: few vendors will dedicate the time it takes to work out all the kinks before release; debugging systems used in the staging system of a device are often left in, allowing hackers to dump a huge amount of useful information. Lack of testing may leave firmware vulnerable to buffer overflow, and the use of open-source platforms leaves a completely unprotected attack surface exposed to attackers. The best vendors update their firmware on a regular basis to patch for newly discovered vulnerabilities, but this is a rarity.
- API Flaws and External Threats
From the outside, IoT integration with third-party apps through an application programming interface (API) seems like a great idea, but API flaws left by vendors open the doorway to attacks from malicious code hidden within seemingly innocuous applications. Researchers have also proven the possibility of DNS-rebinding attacks on IoT through a website, infected link, advertisement or malicious redirect. In the future, organizations may have to worry that their network will be infected every time their employees browse the Internet.
How to Avoid Bad Vendors
The IoT security gap remains one of the greatest threats to security across federal agencies. In response, legislators have discussed the idea of enforcing IoT regulations for some time, and NIST has produced IR 8259, a draft of recommendations for IoT manufacturers. But until that happens, irresponsible IoT vendors will persist, and organizations must practice due diligence to protect themselves. Here’s how to do that:
- Take inventory of the IoT products throughout your organization, alongside any devices connected to the Internet (organizations should be keeping inventory of all their IT assets as part of a comprehensive security strategy).
- Conduct a vulnerability assessment to discover the devices that constitute a real threat to your organization, and remediate the issue. This will also give you an idea which vendors to avoid moving forward.
- Be careful who you do business with: vet your vendors during the product acquisition phase (industry reputation, quality control, customer testimonials and quality of business). Show an equal amount of caution when expanding the capabilities of IoT devices through third-party software vendors.
Prepare for the Future
While they have never been more serious than they are today, the risks of IoT and principles of supply chain security have been understood for over a decade. But sadly, it’s difficult to apply them, especially when the component integration strategy of many product developers depends on technology sourced from countries that are hostile to the U.S. The Department of Defense (DoD) believes that foreign espionage through IoT products purchased by government agencies in America will be a major issue in the near future, and soon it will require all DoD-partners to follow the policy and procedural controls in NIST 800-178 and to comply with the Cybersecurity Maturity Model Certification (CMMC). Until that happens, government contractors would do well to proactively adopt compliant security strategies, fortify their networks, and analyze their own IoT assets for vulnerabilities. The right time to beat hackers is before they strike.
Securicon Can Help
Securicon offers comprehensive IoT security and compliance solutions to organizations. Our services include penetration testing and social engineering assessments which are trusted by critical infrastructure companies across the U.S and other critical organizations to find vulnerabilities and maximize safety. In 2020, there’s no room to be lax about security – contact us today!