Security framework for IoT devices

By Alan Grau, Embedded, Dec. 01, 2015 – 

Security challenges continue to make headlines in the IoT - and no vertical market has been spared. Automotive security has been in the headlines recently, but lighting systems, white goods, home security devices, medical equipment, airplanes and industrial automation systems have all had their unfortunate turn in the cyber vulnerability spotlight.

With high profile cyber-attack headlines a weekly occurrence, companies are finally beginning to get serious about IoT security. Building a secure IoT device requires a solution crafted specifically for the types of threats these devices will be exposed to and, more importantly, designed to run on the specialized, low-cost hardware usually found powering IoT devices.IoT devices are by nature, highly connected and therefore provide broad attack surfaces for would-be hackers to exploit. To secure these devices, designers need a comprehensive security framework that provides enterprise-level security in these small devices.

Application layer attacks
In 2013, Security researcher Craig Heffner discovered a backdoor within the firmware found in a number of D-Link routers. The HTTP server in these routers included a backdoor that bypassed the standard authentication process. The web server examined the browser user agent, and if it matched "xmlset_roodkcableoj28840ybtide", authentication checks were skipped. The string, read backwards, "edited by 04882 joel backdoor" showed that this was an intentionally planted backdoor. The backdoor provided access to the device's configuration capabilities.

In Australia, beginning in January 2000, Vitek Boden waged a three-month war against the SCADA (Supervisory Control and Data Acquisition) system of Maroochy Water Services, which resulted in millions of gallons of sewage spilled into waterways, hotel grounds and canals around the Sunshine Coast suburb. It is an interesting case study because not only did the perpetrator cause pumps to not run when they should have been, he also was able to prevent alarms from being reported, further complicating the problem. This example also shows the danger of insider attacks, as Boden was a former contractor of Maroochy Water Services.

Other widely reported exploitations of application layer services include attacks on web-enabled IP cameras and nanny cams, which have notoriously weak security. A quick google search will reveal multiple reports of successful attacks against web-based security cameras, nanny cams and IP cameras. These vulnerabilities allow unauthorized users to view the video streaming from the camera, allowing them to spy on whatever the camera is set to watch. Even worse, in some cases, they can even instruct the "Camera On" light to not activate, leaving the victim with no indication that they are being spied upon.

System layer attacks
While application layer attacks are prominent in embedded devices, attacks against system layer services are also found. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an advisory regarding Wind River VxWorks TCP Predictability Vulnerability for Industrial Control Systems. Researches also discovered a remote code execution (RCE) vulnerability in VxWorks. These are both network-based vulnerabilities.

The now well publicized Chrysler Jeep Hack is another system level attack against an embedded device - this one involving reprogramming the firmware on a vehicle ECU to enable control of the vehicle over the network.

The Heartbleed bug is a vulnerability in the OpenSSL cryptographic libraries that are widely used in embedded devices. Mark Schloesser, a researcher at security firm Rapid7, says it's not clear how widespread similar problems might be, but believes it's safe to assume that "quite a few embedded devices use vulnerable library versions". Given the typically long upgrade cycles for firmware in deployed embedded devices, it is likely that many vulnerable devices still exist in the field, even though a patch has been available since April of 2015.

Hackers will probe, and if possible exploit, any interface available on a device. Embedded devices are just as likely to be susceptible to common vulnerabilities resulting from buffer overflows and similar bugs as their enterprise counterparts. However, embedded devices differ from their enterprise brethren in that they are not typically located within the physically secure confines of a data center. As such, they are much more likely to be subject to physical attacks using USB ports, serial ports or even physically intrusive attacks where hackers attempt to read data directly from flash memory or even from communication buses during operation of the device.

Security features - a framework for device security
The first step towards IoT security is to ensure that security is built into the device itself. With the diverse nature and deployment of IoT devices, and the reality that security perimeters can and will be penetrated, it is no longer sufficient to rely on the device being deployed only within a secure network.

 Back