Forget Back Doors – The IoT Makes it Just as Easy to Come Through the Front
The alphabet soup of acronyms describing the coming connected world signals that it is time to brush up on your security lingo, because the world is changing. IoT, M2M and ICS devices introduce an expansion of exploitable attack surface that is hard to comprehend. Historically, information security has been defined as a perimeter drawn around your most valuable IT assets, with different layers of protection for different areas of vulnerability. While there is still a very healthy and innovative market for traditional information security, the ecosystem is changing and new threat vectors are being established at an increasing rate. There was a time when security only needed to consider exposed web services as an attack vector. With the IoT, the attack surface expands beyond the web into hardware, multiple operating systems, multiple protocols and the cloud. Where there was one, now there are five…or more.
Security companies have introduced solutions to close some of these gaps. For device security, the market is steadily embracing MDM technologies. MDM platforms install an agent on each device that lets organizations secure data on mobile devices, remotely wipe them, and grant individual access control to company assets. This seemingly convenient way to let employees use their own preferred devices has proven helpful; however, some Millennials in the workplace are beginning to object to the idea of “the man” having so much control over their personal devices. Just recently, a woman was fired for removing an app that tracked her whereabouts 24/7. The workforce management app seemed a little too “Big Brother”, which may well have corporations moving back to issuing company devices to employees. Of course, it doesn’t matter who owns the device: security at the device level still relies on an agent. As we move from a network of computers, tablets and smartphones towards a network of billions of connected “things”, installed agents simply can’t scale; a light bulb or a sensor has no platform to run one on. The end result will be a multitude of unprotected “things”.
Protocols are also problematic…and profuse. More than 100 wireless protocols used by the IoT are invisible to the enterprise, even to companies using the most sophisticated security measures. The tools and technologies in use today protect environments from wired and WiFi threats; in a couple of years, those will be the least of your worries. An office building with 5,000 employees, each carrying an LTE connection of 20-40 Mb/s, effectively has 100-200 Gb/s of Internet connectivity that is completely invisible to the corporate network, and that is counting personal cell phones alone. Of greater concern are the smaller, more fragile protocols that exist in the enterprise and operate quietly without causing much anxiety. ZigBee is one example. I have seen an engineer brick a ZigBee light bulb within minutes of unpacking it, simply by sending malformed packets. That would be the equivalent of opening a telnet connection to port 23 of a router, holding down CCCCCCCCCCCCCCCC, and the router being destroyed, with no chance of repair other than being sent back to the factory. I’m certainly not picking on ZigBee; it is just one example of the protocols that exist in the enterprise and could be vulnerable to basic attacks.
In another example of IoT vulnerability, our R&D teams analyzed an IoT deadbolt lock. We were surprised to find many more doors into the product (no pun intended) than we expected. When we decompiled both the Android and iOS versions of the management software for the device, we discovered that they had clearly been developed by different teams; testing appeared to have been done on individual pieces of the product, but a full code audit had not been done on the product as a whole. This meant we could use the app to access not just the hardware but also the manufacturer’s servers. As more companies outsource development of the various product layers, the attack surface will continue to expand.
In the examples I’ve talked about, it’s clear that there is still work to be done on IoT hardware, applications and protocols. But perhaps what will be most paramount to IoT success is the cloud. I have a startup, and we don’t own a single server; there is no need to in 2015. IoT devices don’t want a server either: they communicate through a gateway or, as in the lock example above, through a mobile application, and they pair, provision and license through the cloud. When credentials or other key security parameters can be extracted wirelessly through packet sniffing, or through the unbelievably common practice of hard-coding credentials into mobile apps, the provisioning of these devices can be compromised. Just ask any of the Snappening victims how much devastation neglecting basic security, encryption included, can cause.
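As an added example (not from the original post, and not code from any vendor or product mentioned in it), here is a small Python scanner of the kind a reviewer runs over the files unpacked from an APK or IPA to catch exactly what the deadbolt-lock analysis and the paragraph above describe: credentials and cleartext backend endpoints baked into the mobile app. The file contents, the `example-lock.invalid` hostnames, the field names and the regular expressions are all constructed for this example; the only real-world shape used is the documented AWS access-key-ID format, and `AKIAIOSFODNN7EXAMPLE` is AWS’s own placeholder key.

```python
"""Scan artifacts unpacked from a mobile app for hard-coded credentials.

Whatever ships inside the APK/IPA (strings.xml, smali or Java, plist
files) is shared by every install, so a credential found here is a
credential for the manufacturer's backend, extractable with nothing
more than `unzip` and a decompiler. Every input below is constructed
for this example and does not come from any real product.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    kind: str
    evidence: str  # matched text with the captured secret blanked out


# Heuristic patterns; names and thresholds are this example's own choices.
# Where a pattern has a capture group, group 1 is the secret value itself.
PATTERNS: Dict[str, re.Pattern] = {
    # user:password embedded in a URL, e.g. https://svc:pw@host/path
    "basic_auth_url": re.compile(
        r"""https?://[^/\s:@"'<]+:([^/\s:@"'<]+)@[^\s"'<]+"""),
    # NAME = "value" assignments (Java, Kotlin, smali, Objective-C); an
    # optional type annotation may sit between the name and the '='
    "password_assignment": re.compile(
        r"""(?i)(?:pass(?:word)?|pwd|secret)\b[^\n"'=]*=\s*["']([^"'\n]{4,})["']"""),
    "api_key_assignment": re.compile(
        r"""(?i)\b(?:api[_-]?key|auth[_-]?token|access[_-]?token)\b"""
        r"""[^\n"'=]*=\s*["']([A-Za-z0-9_\-]{16,})["']"""),
    # AWS access key IDs have a fixed, publicly documented shape
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    # not a secret, but a backend reached over cleartext is sniffable
    "plaintext_http_url": re.compile(r"""\bhttp://[^\s"'<]+"""),
}


def redact(match: re.Match) -> str:
    """Keep the hit locatable, but do not reproduce the secret in the report."""
    text = match.group(0)
    if match.lastindex:  # the pattern captured the secret value itself
        secret = match.group(1)
        text = text.replace(secret, f"<{len(secret)} chars redacted>")
    return text


def scan_artifact(path: str, text: str) -> List[Finding]:
    """Run every pattern over every line of one extracted file."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, lineno, kind, redact(match)))
    return findings


def scan_tree(artifacts: Dict[str, str]) -> List[Finding]:
    """Scan a {path: contents} mapping, e.g. built by walking an apktool output dir."""
    return [f for path, text in artifacts.items() for f in scan_artifact(path, text)]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category for a quick triage view."""
    return dict(Counter(f.kind for f in findings))


# Constructed stand-ins for files a decompiler would produce from an
# Android APK and an iOS IPA of a fictional lock-management app.
SAMPLE_ARTIFACTS: Dict[str, str] = {
    "res/values/strings.xml": """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">LockManager</string>
    <string name="api_base">http://api.example-lock.invalid/v1</string>
    <string name="support_email">help@example-lock.invalid</string>
</resources>
""",
    "smali/com/example/lock/CloudClient.smali": """.field private static final API_KEY:Ljava/lang/String; = "k7Qm2ZpX9vB4nR1tL8cW3yH6sJ0dF5gA"
.field private static final ADMIN_PASSWORD:Ljava/lang/String; = "Welcome123!"
const-string v0, "https://svc:s3cr3t@cloud.example-lock.invalid/provision"
""",
    "Payload/LockManager.app/Info.plist": """<plist version="1.0"><dict>
<key>AWSAccessKeyId</key><string>AKIAIOSFODNN7EXAMPLE</string>
</dict></plist>
""",
}


if __name__ == "__main__":
    results = scan_tree(SAMPLE_ARTIFACTS)
    for f in results:
        print(f"{f.path}:{f.line}  {f.kind:<20} {f.evidence}")
    print(summarize(results))
```

In practice the mapping is built by walking the output of `apktool d` or an unzipped IPA. Any hit in a shipped binary has to be treated as already public: every user has a copy, and rotating the credential means pushing an app update to all of them, which is why the provisioning and licensing flow should authenticate the device or the user, never the app itself.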
What does this mean for you? We are all in a Brave New World when it comes to security and the IoT. We are surrounded by blind spots that the bad guys may well see before the rest of us do. For information security professionals, it is imperative to prepare for intrusions that come from multiple angles at once.