Zombie Rodents In Your Network - IoT Security Blog Series

IoT

There are literally hundreds of blogs about the Internet of Things. If you are reading this then you want to know what you will gain from following the arc that we are presenting.

Mouse in front of a mousehole - SEC Consult

Providing useful information to stakeholders with varying degrees of experience and perhaps very different environments may seem a fool’s errand, but let’s start with these three assumptions:

  1. The Internet of Things is like a pocketknife: Useful, potentially harmful, and not going away.
  2. At least 25 Billion IoT devices are online in 2020, most with security and privacy risks
  3. You don’t have a lot of time to sift through many sources to gain the knowledge you require

This blog-set is the first part of a three-part series. It will take you on a journey of definitions and concepts regarding the Internet of Things (IoT), Communications Protocols, Edge Computing, and so on in order that the reader will clearly understand what is being discussed. Then, this blog will unpack a detailed set of factors showing why, exactly, IoT is inherently insecure. The next phase is to review current practices for IoT Discovery and Threat Assessment to include Reverse Engineering of firmware to identify risks by likelihood and severity. Finally, the challenge will be to serve varying environments to address IoT risks comprehensively and continuously.

What’s clear is that it is not a perfect world and never will be so orderly as to be connected in such a way as to be invulnerable. So, what kind of approach is adaptive enough, complete enough, and practical enough to stave off potential risks in a cost-effective manner?

Drawing of zombie rodents - SEC Consult

Rodent Zombies, Gremlins and Robots, oh my!

The definition of IoT is not uniform across the board with security practitioners according to many interviews that we have conducted.  So, we are going to start with an account of key attributes for three categories of IoT:

Internet of Things (IoT) (Rodent Zombies)

  • “digital twin” or “digital image” that links the physical and digital worlds
  • Autonomous devices with no keyboard, mouse, or other input
  • Always-on and built with an IP Stack
  • Machine-to-machine communicators
  • Mostly not managed or even monitored
  • Often lacking auto-provisioning or patch management
  • The majority of IoT devices are some derivative of Linux
Drawing of a Gremlin - SEC Consult

Smart Objects (Gremlins)

  • Includes edge computing (Fog)
  • This is where OT and IT converge, presenting unique attack surfaces
  • Cloud-connected
  • Interact with other digital images and twins 
  • Smart objects are sensors, and they have processing capabilities
  • They clean signals and filter data and images
  • Smart Objects have process algorithms baked in
  • Fragmented communication protocols (Zigbee, BLE, ZWave, Thread, 6LoWPAN, etc. )
  • By definition Smart, Objects have an interface: a UI or a management console or are even subscribed to a management platform
  • Based on real-time Operating Systems
  • Autonomous, but interconnected
  • Smart Objects may provide services on demand through virtualization
Drawing of a robot - SEC Consult

Industrial Internet of Things or I-IoT (Robots)

  • Automation in manufacturing environments, such as industrial robots
  • Often called Industry 4.0, I-IoT is the confluence of production, manufacturing facilities, and communications
  • Merges customer data with machine data to enhance business logic and intelligence
  • Network connected, but often with protocols not usually associated with IP
    • MQQT, a leading standard lightweight communication protocol for IoT
    • Fieldbus, a real-time protocol enabling sensors to communicate with output devices without having to be connected back to the controller
    • Modbus, an enhanced serial-connected fieldbus that is limited but very widely used
    • PLC or Programmable Logic Controller, are very reliable real-time industrial automation computers that are built to work in adverse manufacturing environments
    • Industrial Control Systems and SCADA, the operational technology that run industrial processes and the upstream management platforms

Cloud and Edge/Fog Computing

It is important to understand the concepts of Cloud and Edge/Fog architectures as they relate to IoT devices in order to ensure that implementation, administration, and resilience are guided by optimal security policies.

 

  • Cloud computing in the context of IoT is an enabling paradigm. However, IoT devices are mostly resource-constrained regarding just about every aspect of a compute environment: processor power, memory, and data storage notably, with continual incremental gains.
  • When coupled with Big Data, Blockchain and other enabling technologies, the prevailing tactic for ingestion, processing and storage of data emitted by IoT devices was to transmit the information to an application on a remotely-located server that could be in a private, public or hybrid data center. The indiscriminate forwarding of every bit of data that an IoT sensor can generate unnecessarily saps bandwidth and is subject to congestion during peak periods. IoT devices are not inherently capable of advanced networking to ensure Quality of Experience (QoE).
  • With limited processing power at the IoT device, encryption of the data is rarely possible.
  • Around 2014, developers, vendors and network architects began to seek alternatives to direct-to-cloud processing and transmission to meet the burgeoning demands.
  • Edge computing (Fog Computing in Cisco terms) for IoT leverages the distributed nature of the devices for robustness and efficiencies regarding bandwidth. The idea is to place compute power close to the source where data are generated by the IoT sensors and embedded devices. As less data travels over the network to centralized compute resources, security is somewhat incremented, and bandwidth is somewhat decremented.
  • Data may be processed before it is sent to the cloud so that only the actionable or most relevant data is traversing the network. The signal-to-noise ratio can be greatly reduced such as when a sensor generates information about a process that is working properly a thousand times per second. The ICS receives only anomalies or trends that are of importance for efficient control and exception handling.
  • The real-time decisions that are most important do not need to be sent across the network as the Edge compute capabilities allow for decisions to be made at the point of ingestion.

 

 

Drawing of IoT device - SEC Consult

 

Why are IoT devices considered potentially insecure right now?

The industry is beating a steady drumbeat of IoT security risks to raise awareness through vendor-sponsored research and investigative reporting.

  • In NetScouts’ Threat Intelligence Report for 1H 2020, they cite that the “Pandemic Effect triggered massive growth” in botnets targeting IoT (Mirai-variants such as Corona, Retard, Unstable, Gafgyt and Lucifer)
  • Armis commissioned Forrester to publish “The State of Enterprise IoT Security in North America: Unmanaged and Unsecured”. 
  • Palo Alto Networks published  the “2020 Unit 42 IoT Threat Report” stating that 98% of all IoT device traffic is unencrypted  and that 57% of IoT devices are vulnerable to medium- or high-severity attacks.

Through numerous books, articles, websites and interviews with IT professionals, we have assembled a list for your consideration.

  • Time-to-market pressures are responsible for expedient shortcuts in development, testing and maintenance of IoT devices that may pose the risk of security breaches.
  • Lack of authentication
  • Absence of encryption
  • Information assets across IoT architectures can be undervalued and therefore insufficiently protected and monitored. IoT sensors can be quite inexpensive, are always on, and often “out-of-sight-out-of-mind”.
  • Lack of codified provisioning; many IoT devices connect to networks without authorization
  • Rusting firmware: The fact is that IoT devices are often a “set and forget” proposition and are sometimes even completely forgotten. When checking for firmware updates is a manual process, it is more likely to be overlooked.
  • IoT devices are often placed for convenient usability as opposed to the most appropriate network segment with sufficient security measures
  • Insufficient security regulations and guidelines from Governments and Industry, respectively
  • Security training for developers is often incomplete or inconsistent
  • Insufficient code testing during development
  • Supply chain dynamics can assume unwarranted trust to upstream and downstream component providers
  • Various components of an IoT solution are tested discretely as opposed to the entire device architecture (which may lead to less robust security due to supply chain issues as well)
  • Introduction of insecure code into a secure product using packages and libraries that were not tested for interaction with other components.
  • Lack of threat modeling
  • IoT are susceptible to
    • Cyclical redundancy checking
    • Man-in-the-middle attacks
    • Denial of service
    • Radio signal jamming

 

Summary

Devices of all types may be in our networks. When they are provisioned and managed, the risks can be continually mitigated through policies, controls, processes, and procedures. This blog will deal mostly from here in the realm of unmanaged devices as IoT integrates into, and possibly infects, our networks.

In our next blog post, we will cover the discovery of IoT devices in your network and current practices for IoT Discovery and Threat Assessment to include Reverse Engineering of firmware to identify risks. The first step in solving problems is always to recognize them.

More On The Topic

About the author

Kelly Robertson
SEC Consult America, Inc.
CEO SEC Consult America

Mr. Robertson is an accomplished researcher, author and educator with a passion for the InfoSec tradecraft. He seeks in all endeavors to elevate risk awareness and to align InfoSec practitioners with the business objectives that organizations must meet. He is a CISSP and is also the Education Director for the Silicon Valley ISSA.