It’s Time for IoT Security’s Next Big Step
By Lily Hay Newman
Connected devices are more secure than ever. That’s still not nearly enough. THEInternet of Things security crisis has persisted for decades, producing a seemingly endless stream of under-secured consumer gadgets, corporate phones, printers, networking equipment, medical devices, and critical infrastructure sensors and controllers.
By now, every industry has an IoT albatross around its neck. And though new devices are increasingly equipped with basic security protections, those minimum standards are just the beginning. At the DerbyCon security conference in Louisville, Kentucky, last weekend, researchers stressed the need for connected devices to step up security beyond the basics. That means more visibility and logging features, along with better techniques for manufacturers, companies, and consumers alike to spot malicious activity. Protecting a device better doesn’t mean much if you can’t see what’s happening when something does go wrong.
“IoT devices have a pervasive impact on our lives, yet very little thought has been given to how to respond if those devices are misused,” says Lesley Carhart, principal threat hunter at the industrial-control security firm Dragos. “Who will investigate devices that have been tampered with, and will they be able to investigate?” These questions are not theoretical. IoT devices have been conscripted into massive botnets, compromised for nation-state reconnaissance, hacked to mine cryptocurrency, and manipulated in assaults on power grids. But frequently it’s far too challenging to detect these incidents as they happen or even investigate them after.
Manufacturers have increasingly taken the admonitions to heart.
Hardware hackers work to understand devices better and hunt for flaws by buying different IoT devices, physically connecting to them with different sensors and tools, and assessing how those systems fit together. This low-level approach works because, unlike PCs that broadly only run Windows, Linux, or macOS, IoT devices are built on a virtually infinite hodgepodge of proprietary operating systems and implementations. As a result, it’s difficult to simply develop a single antivirus program or catch-all scanner that can run on large populations of IoT devices. Some researchers have developed so-called operating-system-agnostic sentinels to patrol all different types of embedded devices, no matter what’s on them, but those tools aren’t yet widely available.
Deral Heiland, IoT research lead at the security operations firm Rapid7, is applying the hardware-level analysis approach to develop new IoT assessment tools and techniques. Heiland mapped the circuit layouts of two different smart locks to examine “inter-chip” communications on the device motherboards. That means he looked at how data flowed between components like the main device processor, the Wi-Fi processing chip, and the Bluetooth Low Energy chip.
Heiland didn’t disclose any specific vulnerabilities at DerbyCon, but he found a number of weaknesses in how those smart locks handled communication between chips, as well as with the “bridge” components that connect IoT devices to a larger network like the internet. For example, by capturing inter-chip communications, Heiland could determine sensitive information about the authentication keys used to secure the device, like whether they were short enough to potentially be brute-forced, whether the system always required authentication or applied it inconsistently, and whether keys change or are always the same. Heiland hopes to eventually release inter-chip communication analysis tools to help researchers and manufacturers spot bugs early.
At DerbyCon, Heiland sought input from the security community about the specific analysis capabilities he should develop over the coming year. “This is just phase one,” he says. “The ultimate goal of research like this—if I can look at your inter-chip communication—is to help manufacturers do security right.”
Those manufacturers have increasingly taken the admonitions to heart. After more than a decade of hectoring from the security community, for example, medical device manufacturers have recently started making long-overdue improvements to implantable devices like pacemakers and insulin pumps. “With the devices from 10 years ago, it took me under a minute to get into them—there was no authentication, you could simply discover the interfaces, jump on, and start doing stuff,” independent security researcher Adrian Sanabria told WIRED in August ahead of the Defcon security conference in Las Vegas. “Now in new devices there are no default credentials, and they’re not even sending broadcast traffic. It was a huge leap between each one.”
Those improvements have played out in the broader IoT industry as well, where every small security upgrade significantly cuts down on low-hanging fruit.
“The whole industry is taking a much better attitude toward IoT disclosure.”
Take the now patched vulnerabilities in widely popular Arlo webcams and corresponding base stations, presented at DerbyCon by Jimi Sebree, a senior researcher at the cybersecurity firm Tenable. Sebree found flaws like hardc-oded authentication credentials and network misconfigurations that could let an attacker take over the cameras. But he emphasizes that the disclosure and patch release process went smoothly, and that he was impressed by the security of the cameras overall.
“In terms of actual attack surface of the device, it’s pretty well-handled and minimized as much as possible,” Sebree says. “In our experience here, it’s been very rare that vendors actually push back. The whole industry is taking a much better attitude toward IoT disclosure.” The challenge now, Sebree says, is the next phase of IoT security evolution to gain more insight about what’s actually happening on devices and detect compromises. For example, Sebree’s Tenable colleague Jacob Baines presented at Defcon about exploitation of MikroTik routers over the past few years and the difficulty of assessing the scope of the exploitation.
With billions of insecure, old-generation IoT devices already enmeshed in digital infrastructure, it will be decades before the risks from IoT 1.0 are really contained. And as Rapid7’s Heiland points out, many manufacturers still don’t feel pressure to improve their practices, because they make generic components or whole devices for other brand names rather than selling the products themselves. “White labels are always going to be behind the curve, because they don’t have a brand name to protect,” he says. In general, it seems that the hallmark of IoT security is this type of halting two-steps-forward, one-step-back progression. And the industry finally seems poised at the precipice of a next phase. But, unfortunately, it will likely be just as daunting to move through as the last one was.
“When these devices get broken into, who’s going to be able to tell?” Dragos’ Carhart says. “That scares me.”