Embedding Security by Design in The Product Development Process: What we see in our IoT Security Evaluation Labs
December 03, 2019
As billions of IoT devices make their way into our offices, factories and households, one of the primary security concerns for IoT actors is confronting low-cost attacks against poorly secured device.
As billions of IoT devices make their way into our offices, factories and households, one of the primary security concerns for IoT actors is confronting low-cost attacks against poorly secured devices. Successful attacks could result in device tampering, unauthorized access, leaking of confidential user or system data (including intellectual property assets), or intercepting traffic and injecting commands. A weak, untested design can create considerable risks for the manufacturer or the user of the device (business disruption, safety issues and liability, loss of reputation, regulatory fines, etc.). Considering most organizations developing these devices have limited experience in coping with these risks, how are they adapting to cope with the constantly evolving threat landscape?
The awareness of industrial and consumer IoT device makers has started to evolve in recent years, and mapping the risks, attacker’s objectives, likelihood of a successful attack, cost of an attack, and business impact are increasingly common during the development phase. While many believe that most probable local and remote attack vectors are addressed, when we evaluate the security level of IoT devices, we still observe that key assets and primary threats to the system have not always been identified. Existing security features don’t always protect key assets, and some threats are not addressed at all. Due to time constraints or lack of expertise, product security is often insufficient. Security best practices are often missing, the built-in security features of key components are not implemented, or products only rely on classic IT network security. And security is rarely assessed by independent experts before products are launched. Major threats could be mitigated with minor effort.
To illustrate this, a medical device we recently evaluated proved to be sensitive to a man-in-the-middle attack. A software-defined radio (SDR) was used to create a fake cellular base station. An emulated cloud, HTTPS server and DNS server allowed the evaluator to capture and alter the patient data or interact with the device’s parameters, enabling any number of scenarios that would violate patient privacy or, worse yet, cause patient harm.
When basic security has been addressed by the IoT device maker, devices are usually well protected against remote attacks. Nevertheless, if the attacker has physical access to the device, many vulnerabilities are highlighted, allowing tampering, code dump or cryptographic attacks.
The attacker’s goal is often driven by money. The incentives to disrupt or commit fraud against high-value IoT services are only increasing across all industries. Microarchitectural attacks or middleware attacks which use properties of architecture to exploit a combination of software and hardware vulnerabilities will increase as seen with Spectrum, CLSKSCREW, Meltdown, Rohammer, remote side-channel attacks using internal AD converter of the microcontrollers to leak CPU activity or screaming channels, among others.
Depending on the vulnerabilities present, attackers can also scale attacks to reach larger objectives. Unsigned firmware could allow attacks via FOTA (firmware over the air) at large scale when devices load a modified, malicious firmware. Conversely a compromised device could be used as an entry point to the company’s infrastructure or cloud. Advanced attacks can also combine network attacks with cryptographic attacks or common vulnerabilities and exposures (CVE) exploitation targeting specific platforms and OSes.
Based on these observations, The Kudelski IoT Labs are constantly developing new, innovative attacks that demonstrate the potential of the exploitation of hardware properties, network and software flaws in order to help the industry anticipate and implement the right countermeasures to protect IoT products before going to production. Only when we embed a security mindset into the product development process will the industry collectively be able to achieve the full promise that IoT has to offer.