Are IoT Devices Secure?

Are IoT Devices Secure?
Photo by Jorge Ramirez / Unsplash

Short answer: no.

Table of Contents

Executive Summary
Introduction
Emerging IoT Threats and Vulnerabilities
The Culture of IoT Development, Security, and Operations (DevSecOps)
IoT Security
Conclusion
References


Executive Summary

If you ever have or choose to obtain a license in skydiving you will attend a course called Accelerated Free Fall (AFF). The course is comprised of a lengthy academic course followed by a handful of instructor accompanied skydives. In the course students spend many hours learning about all of the things that can go wrong when skydiving, and at this point in the course they may be tempted to throw their hands in the air and walk away, out of fear. However, the remainder of the course they learn instead how to mitigate and remedy most if not all of these events, building their confidence to make that first jump at approximately 15K ft in the air. This report is much like this course where I begin with describing many threats and vulnerabilities against devices which are part of the Internet of Things (IoT), followed by challenges the industry faces when creating a security-focused culture in development and operations. Following these sections the report comes to a conclusion by discussing a number of successful, and on-going solutions to many of the issues previously presented.

The section on emerging threats highlights several categories of attacks from the perspec- tive of end-result. This includes attacks which lead to compromise of sensitive data, devices being used in subsequent attacks either on the internal network or other organizations en- tirely, and finally denial of service. General examples include vulnerabilities which are also listed on the Open Web Application Security Project (OWASP) Internet of Things Top 10 list such as weak or hard coded passwords, and insecure data transfer and storage [1].

Next I discuss contributing factors which lead to a culture in the development industry that does not sufficiently prioritize security. This stems from a lack of revenue generated from prioritizing security, as well as consumers who are not often concerned about or even aware of vulnerabilities in devices which they are purchasing. The consequences that organizations face when vulnerabilities are discovered in their products are regularly limited to legal actions such as fines and sanctions placed by state and federal entities. This means that product sales continue more or less maintain pace following public release of vulnerabilities.

Finally, now that readers are sufficiently concerned for the industry, and even themselves, I detail several solutions to many of these challenges. These solutions include relatively new branches of cryptography and detection mechanisms designed for IoT devices. This is followed by solutions which restructure how to manage security from a bigger picture standpoint by changing the perimeter which we are attempting to protect. Finally, I make several recommendations for improving the culture surrounding developing securely which is a process which must start at the highest echelons of an organization, but must also be acknowledged and built into processes at every level. This is accomplished in part by acknowledging not only the legal but the moral consequences of not prioritizing security sufficiently.


Introduction

For everyday computing we have desktop and laptop computers, for operating on the go we have powerful hand-held devices, and for everything else we have the Internet of Things (IoT). The IoT category was born as a catch-all to capture the vast sea of devices that are connected to the internet, each of which is built for their own niche purpose. These devices are now and will continue to be a part of modern life and businesses alike. Statista estimates that worldwide spending in the IoT market will be $1.1 Trillion in 2023 [2]. Due to the massive variety in function of IoT devices, understanding vulnerabilities in order to characterize and mitigate against them is a complex task. This paper addresses some of those vulnerabilities from the perspective of the end result and presents various controls which can remove or mitigate risk for each category. This process starts with a discussion on several real vulnerabilities affecting IoT devices today, then addresses the culture surrounding development, security, and operations (DevSecOps), and concludes with mitigation methods for both users and developers of these devices. Additionally, it is important to consider how specific variables affect the overall security concerns and capabilities such as hardware, access to sensitive information, connection methods, and deployment location.


Emerging IoT Threats and Vulnerabilities

There are many ways to categorize the types of threats to IoT devices. One of the most useful is designed by the Open Web Application Security Project (OWASP). The organization created the OWASP Internet of Things Project in order to identify and inform on the top 10 IoT vulnerabilities, as well as a methodology for validating and testing security on devices [1]. Any developer, security researcher, or user of IoT devices should know and become familiar with this project. While this framework is a great standard, I’ll instead breakdown threats by the end results of the attack. This is sometimes referred to as Actions on Objective, which comes from the Lockheed Martin Cyber Kill Chain [3]. Please note this list is not exhaustive, but representative of several of the greatest threats to the industry. The three basic categories are exposure of sensitive information, usage of devices in subsequent attacks, and denial of service.

Beginning with exposure of sensitive information we will look at vulnerabilities which lead to unauthorized access to, or alteration of user data, device passwords, and other information. Data needs to be protected at three points in regard to IoT devices, that is on the device itself, while it is in motion, and on the server which hosts back-end services for the device. Protection of data on the device and in motion is a point of difficulty in IoT devices due to

limited resources such as hardware and power. The encryption algorithms that we rely on to protect our data to and from reasonably powerful devices such as phones and computers rely on the increasing hardware capabilities such as short- and long-term storage, and processing power. Many IoT devices, however, are designed to be as small as physically possibly to fit for example on a wrist. This leads to a scenario where developers may be inclined to implement solutions which skip over these protections entirely. A team of security researchers conducted analysis on several smart devices produced by a company called Withings including a Smart Baby Monitor, and a Smart Body Analyzer [4]. In both cases the team discovered data transmitted by the devices was in plain text which included sensitive personal information of the user. While the baby monitor required a one-time access token, they were relatively easily able to conduct an attack which led to unauthorized access to the camera feed.

In the next category of Actions on Objective we have attacks where the targeted device is used in a subsequent attack. This category is further broken down into two subcategories which are incidents where the attack is used to pivot further into an internal network, and other incidents where devices are used to launch or propagate attack against an entirely unrelated organization. In the first subcategory, a team of security researchers conducted a series of tests on a smart home device called Haier SmartCare [4]. After conducting tests on the device itself they were ultimately able to gain a root shell in the Linux operating system that the device was running. From there they took the root account password hash and cracked it in approximately five hours. Finally, equipped with this information they attempted a remote attack against another of the same device and discovered the password from the first device was hard coded on all of them, which is also the number one IoT vulnerability listed on the OWASP IoT Top 10 [1]. Despite the limited hardware capability of such a device, having a root shell on a remote Linux device, attackers could use this to pivot from the device and gain access to more protected systems within the internal network. Along the second subcategory, compromised IoT devices can also be used in large- scale distributed denial-of-service (DDoS) attacks against other organizations. For the sake of clarity, this category is not the same as a denial-of-service of the device itself, although that may happen, the intent is to use the device as a tool to deny or degrade service of another target. A large pool of compromised devices used for such a purpose are often referred to as a botnet. The largest known botnet comprised of compromised IoT devices is the Mirai botnet [5]. In 2016 the Mirai botnet controlled at least 100,000 devices and launched a DDoS against a DNS infrastructure company with a strength of 1.2Tbps, which at the time was the largest known DDoS attack.

Finally we have denial of service attacks against IoT devices. In this category of end- results it’s important to know what the purpose of the device is that is being affected. On one end of the spectrum a smart thermostat controlling a home HVAC system which is denied service may lead to inability for the system to continue heating or cooling, which is most cases would be a nuisance. On the other end we have cases such as one in 2017 when the FDA confirmed a vulnerability in a cardiac medical implant that could cause the device battery to be drained, or to incorrectly apply heart pace making [6]. In the latter example, the effects of such at attack are potentially fatal. Another attack on ZigBee enabled devices is dubbed the ghost attack. This attack does not require any previous compromise, or knowledge of the device but is instead designed to drain the device power [7]. There are similar attacks designed to work specifically against ZLL networked devices. Security researchers have discovered ways to scan for, factory reset, and deny service to ZLL devices [7].


The Culture of IoT Development, Security, and Operations (DevSecOps)

For the vast majority of companies cybersecurity is a necessary part of the process, but not something that generates any revenue. Especially for those working in developing and managing devices which are part of the Internet of Things (IoT). This means that there is no strong natural incentive for companies to prioritize secure development of the hardware and software for these devices. This is exasperated to a certain extent by a level of obliviousness from consumers. Consumers buy and own IoT devices and don’t often consider the existing or possible vulnerabilities of the device. They also likely don’t conduct such an evaluation regularly while owning these devices. People often just buy things and assume they will work as advertised. In July of 2015 security researchers demonstrated a vulnerability in the control systems of a Jeep Cherokee which allowed them ultimately to shut down the vehicle while it was being operated [8], another example of a denial-of-service attack on the device. This event subsequently led to a recall of the vehicle, and despite all of this, Jeep sales in the United States rose from 73K units in July of 2015, to 81K in August of 2015 [9].

While consequences from significant vulnerabilities being discovered can lead to decrease in sales, revenue, or stock prices, more often the impact to the company comes in the form of fines, sanctions, lawsuits, or other legal repercussions from those affected, or state and federal government. The consequences of ignoring security can be significant and will only continue to grow as IoT devices become more and more engrained into our everyday lives. In another case, a company called Owlet Baby Care developed a baby heart monitor which had security flaws so egregious at attacker could create any one of the end-results discussed previously, including exposure, usage, and denial, and more [10]. Despite this occurrence in late 2016, the company turned around and launched their initial public offering (IPO) on the stock market with a valuation of $1B [11].
These and many more examples and contributing factors are what leads the industry
towards a culture which prioritizes a short time-to-market over effective security. Many companies such as these rely instead on after-the-fact security frameworks such as penetrate and patch, and defect identification and mitigation. In both of these methodologies the concept is essentially to look at the end product and identify vulnerabilities, deficiencies, and inefficiencies to then turn around and adjust the software or manufacturing process to improve [12]. While these are useful tools, they should not be relied upon to ensure effective security mechanisms. In the software development world this process has proved to deliver poor security at a cost of many more working hours when compared to building in the security through initial development.


IoT Security

At this point I’ve discussed a number of threats and vulnerabilities that exist in the IoT device market, as well as some of the causes of those, including a lack of a security focused development culture. Now, I’ll discuss a variety of proposed or implemented solutions.

From a technical standpoint, security in IoT devices is largely constrained by the hard- ware limitations, as previously discussed. As a result, several new fields of study have opened and been explored which are focused on delivering similar capabilities on limited hardware. One such example is research into the field of lightweight cryptography, which seeks to replace the symmetric and asymmetric algorithms that we use in more capable devices [7]. Many IoT devices do not have sufficient memory capacity to manage these encryption mechanisms which leads to developers failing to implement protection of data in motion. Recently the Na- tional Institute of Standards and Technology (NIST) collected 67 submissions for lightweight cryptography algorithms which the organization will review and consider for standardization. After several rounds of review 10 finalists were chosen to undergo a final round, the results of which is expected to be announced in May 2022 [13]. In addition to these advancements in cryptography, research is being conducted in anti-virus and traffic analysis software which are designed specifically for IoT devices. Where some devices can have a significant change in behavior and volume of traffic day-to-day, many IoT devices are relatively consistent. This can be used to develop simplistic detection software which looks for anomalies in that behavior such as CPU and memory consumption or network throughput. These anomalies can be indicative of an ongoing attack and possibly even match signatures of known attacks [7].

Another possible solution to these limitations is outsourcing some of these intensive tasks entirely to a trusted third-party device [7]. For example, a smart watch may initially set up a secure communication channel with the user’s smart phone, following which the smart phone is responsible for managing as much of the security as possible, saving the watch itself from tasks which may drain its battery. Finally, a similar solution to outsourcing security mechanisms on a per-device basis is scoping out and implementing security as a whole at the network layer, which reduces the necessity for security on each device, especially as the heterogeneity of these devices continues to grow exponentially [14]. The proposal by security researchers here is to encourage a whole new sect of the industry they refer to as Security Management Providers (SMP) who would be responsible for developing solutions for organizations and individuals to manage security at the network level. They make several quality arguments to support this proposal including the fact that organizations could specialize in these security solutions and deliver a more effective answer than organizations who are more focused on reducing time-to-market (TTM) as much as possible. This type of security could also be updated and improved on a continuous basis to provide a similar, high level of protection to a large number and range of devices being used.

From a less technical perspective, creating a company culture that prioritizes security is something that has to start with C-Level executives and persist through many levels of management. The first step in encouraging such a culture is for those people to understand the consequences of not prioritizing security and ultimately creating an opportunity for threat actors to exploit the device or platform. In some cases, the company may be faced with fines and lawsuits which damage company reputation and cost financially. In other cases, vulnerabilities can lead to loss of life such as with medical devices or national critical infrastructure like power and water management. Regardless of the type of device developers are working, security experts should be integrated into the process to ensure the development is secure in order to meet legal and moral expectations.


Conclusion

As the market for IoT devices continues to grow, security becomes a greater concern. I’ve detailed many threats and vulnerabilities, as well as limitations of the devices which frequently create those issues. This was followed by a discussion on the factors which created and propagated an environment for these vulnerabilities to be created. Finally, several technical and non-technical solutions were proposed to mitigate these vulnerabilities by removing, transferring, or reducing the risk associated with employment of various IoT devices.


References

[1] D. Miessler, A. Guzman, V. Rudresh, and C. Smith, “Owasp internet of things.” https://owasp.org/www-project-internet-of-things/.

[2] Statista, “Prognosis of worldwide spending on the internet of things (iot) from 2018 to 2023.” https://www.statista.com/statistics/668996/worldwide-expenditures-for-the-internet-of-things/, 2022.

[3] Lockheed Martin, “The cyber kill chain.” https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html.

[4] J. Wurm, K. Hoang, O. Arias, A.-R. Sadeghi, and Y. Jin, “Security analysis on consumer and industrial iot devices.” IEEE, January 2016.

[5] N. Woolf, “Ddos attack that disrupted internet was largest of its kind in history, experts say.” https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet, October 2016.

[6] S. Larson, “Fda confirms that st. jude’s cardiac devices can be hacked.” https://money.cnn.com/2017/01/09/technology/fda-st-jude-cardiac-hack/, January 2017.

[7] F. Meneghello, M. Calore, D. Zucchetto, M. Polese, and A. Zanella, “Iot: Internet of threats? a survey of practical security vulnerabilities in real iot devices,” IEEE Internet of Things Journal, vol. 6, pp. 8182–8201, August 2019.

[8] BBC, “Fiat chrysler recalls 1.4 million cars after jeep hack.” https://www.bbc.com/news/technology-33650491, July 2015.

[9] T. Cain, “Jeep sales figures – us market.” https://www.goodcarbadcar.net/jeep-us-sales-figures/.

[10] I. Thomson, “Wi-fi baby heart monitor may have the worst iot secu- rity of 2016.” https://www.theregister.com/2016/10/13/possibly_worst_iot_security_failure_yet/?mt=1476453928163, October 2016.

[11] “Owlet baby care launches ipo via spac for $1 billion valuation.” https://cheddar.com/media/owlet-baby-care-launches-ipo-via-spac-for-1-billion-valuation, July 2021.

[12] M. Borish, B. Post, A. Roschli, P. Chessner, L. Love, and K. Gaul, “Defect identification and mitigation via visual inspection in large-scale additive manufacturing.” https://link.springer.com/article/10.1007/s11837-018-3220-6, November 2018.

[13] “Lightweight cryptography.” https://csrc.nist.gov/Projects/lightweight-cryptography, April 2022.

[14] V. Sivaraman, H. H. Gharakheili, A. Vishwanath, R. Boreli, and O. Mehani, “Network-level security and privacy control for smart-home iot devices.” IEEE, October 2015.