At a time when demand for artificial intelligence (AI) and machine learning (ML) is peaking by the day, it is only natural that collecting data from every possible source gains importance too. One such source that everyone is betting big on is the Internet of Things (IoT): a clutch of devices with sensors and software that connect to one another, exchange data and process it.
Today, the global threat landscape is witnessing a high rate of geo-politically motivated cyber attacks, in which espionage by state-sponsored actors seeks to steal intellectual property and intelligence, and possibly to lay the groundwork for sabotage. The names of China, North Korea, Russia and Iran have come up time and again on this matter.
Listed below are some answers to modern-day cyber challenges and threat perceptions that are raised regularly in articles or at global events. These answers come from Miri Ofir, R&D Director at Check Point Software, and Gili Yankovitch of Check Point Software, who formerly founded Cimplify (acquired by Check Point).
Threat landscape and predictions for 2024
Cyber espionage by state-sponsored actors aims to steal intellectual property, gather intelligence, or even lay the groundwork for potential sabotage. Countries like Russia, China, North Korea, and Iran have advanced state-sponsored cyber attack skills, and we can track complicated campaigns affiliated with those countries.
An example of such a type of campaign is a supply chain attack. As the name implies, this involves targeting less-secure elements in an organization’s supply chain. The SolarWinds hack from 2020 is a notable example, in which attackers compromised a software update mechanism of a business to infiltrate numerous government and private sector systems across the U.S.
The Internet of Things (IoT) market is highly targeted and prone to supply chain attacks. The rapid proliferation of these devices, often in the absence of robust security measures, means a vast expansion of potential vulnerabilities. Malicious actors can exploit IoT weak points to gain unauthorized access, steal data, or launch attacks.
Biggest challenges faced by IoT device manufacturers
IoT manufacturers are facing evolving regulation with regard to cyber security obligations. The supply chain concerns and the increasing attacks (a 41% increase in IoT attacks during Q1 '23 compared to Q1 '22) have led governments to change policies and to better regulate device security. We see two types of programmes being rolled out:
Mandatory regulations to help manage Software and Hardware Bill of Materials (SBOM) and to verify that products will go to the market with some basic cyber security coverage. SBOMs will help manufacturers get a better understanding of the components inside of their products and maintain them through patches and other mitigations. This will add overhead for manufacturers.
Excellent initiatives like the U.S. cyber trust mark and labeling program, which aims to dispel the myth of clarity about privacy and security in the product and to allow educated users to select safer products, among other considerations, like energy efficiency.
While this is an obligation and a burden, it is also a business opportunity for manufacturers. The market is changing in many respects. For example, the U.S. sanctions on China are not only financially motivated; the Americans see China as a national security concern, and the new sanctions push major competitors out of the market.
In this vacuum, there is room for new players. Manufacturers can leverage the changing landscape to gain higher market share by highlighting cyber security in their products as a key differentiator.
Some popular techniques used to compromise IoT devices
Although manufacturers take credentials much more seriously these days than previously (because of knowledge, experience or on account of regulation), weak/leaked credentials still plague the IoT world. This is due to a lot of older devices already deployed in the field, or to passwords that are still easily cracked. One such example is the famous Mirai botnet, which continues to plague the internet in search of devices with known credentials.
Because IoT devices are usually implemented with a lower-level language (due to performance constraints), developers sometimes take “shortcuts” implementing the devices’ software. These shortcuts are usually commands that interact with system resources such as files, services and utilities that run in parallel to the main application running on the IoT device. An unaware developer can take these shortcuts to provide functionality much faster to the device, while leaving a large security hole that allows attackers to gain complete control. These actions can be completed in a “safer” way, but will take longer to implement and change. Command weaknesses can be used as entry points for attackers to exploit vulnerabilities on the device.
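As an added illustration of the "shortcut" described above (example code written for this page, not Check Point's), the vulnerable pattern of pasting a user-supplied host into a shell command line sits beside the hardened form: an allowlist check followed by fork/execvp with a fixed argument vector, so no shell ever parses the input. The ping diagnostic and the tainted sample input are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* The "shortcut": a handler pastes a user-supplied host straight into a shell command
 * line. Returned rather than run: any metacharacter (; | ` $) becomes part of the command. */
int build_shell_ping(const char *host, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "ping -c 1 %s", host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Allowlist check: RFC 1123 hostname characters only (letters, digits, '-', '.')
 * and a bounded length. Every shell metacharacter fails this test. */
int is_safe_hostname(const char *host) {
    size_t len = strlen(host);
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '-' && c != '.') return 0;
    }
    return 1;
}

/* Hardened form: validate, then fork/execvp with a fixed argv vector. No shell parses the
 * input, so `host` is always one argument to ping. Returns -1 on rejection/spawn failure. */
int safe_ping(const char *host) {
    if (!is_safe_hostname(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = {"ping", "-c", "1", (char *)host, NULL};
        execvp(argv[0], argv);
        _exit(127); /* only reached if exec itself failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *tainted = "10.0.0.1; id"; /* constructed sample input */
    char cmd[300];
    build_shell_ping(tainted, cmd, sizeof cmd);
    printf("shortcut would hand the shell: %s\n", cmd);
    printf("hardened path accepts it: %s\n", is_safe_hostname(tainted) ? "yes" : "no");
    return 0;
}
```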
Devices aren’t built from scratch by the same vendor. They usually consist of a number of 3rd party libraries, usually open-sourced, that are an integral part of the devices’ software. These software components are actively maintained and researched, therefore new vulnerabilities in them are discovered all the time. However, the rate at which vulnerabilities are discovered is much higher than that of an IoT device software update cycle. This causes devices to remain unpatched for a very long time, even for years, resulting in vulnerable devices with vulnerable components.
The need for prevention assumes importance
Unlike endpoints and servers, IoT devices are physical devices that can be spread across a large geographical landscape. These are usually fire-and-forget solutions that are monitored live at best, or sampled once a period at worst. When attention to these software components is low, the device needs to protect itself on its own, rather than wait for human interaction.
Moreover, attacks on these devices are fairly technical, in contrast to ransomware on endpoints. Usually, detection security controls only allow for the operator to reboot the device. Instead, prevention takes care of the threat entirely from the system, thus mitigating immediate risks and being appropriate and reactive, in accordance with each threat and attack it faces.
The importance of doing firmware analysis
The most common security mistakes we find in firmware are usually things that “technically work, so don’t touch them” and so they’ve been left alone for a while. For example, outdated libraries/packages and servers; they all start “growing” CVEs over time. They technically still function, so no one bothers to update them, but many times they’re exposed over the network to a potential attacker, and when the day comes, an outdated server can and will be the point of entry allowing for takeover of the machine.
A second common thing we see is private keys, exposed in firmware, that are available for download online. These private keys are supposed to hold some cryptographically strong value – for example, proof that the communicating entity belongs to a certain company. However, they are available to anyone who anonymously downloads the firmware for free, so they no longer hold a cryptographically strong value.
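As an added example of the check described here (written for this page, not the authors' own tooling), a scanner that walks a raw firmware image and reports embedded PEM private-key headers while ignoring certificates, which belong in firmware. The sample image and its contents are constructed and contain no real key material.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample firmware image (no real key material): binary-looking bytes with
 * two PEM private-key blocks and one certificate embedded, the way a device key left in
 * a rootfs looks. The NUL at byte 4 is deliberate: strstr-based scans would stop there. */
static const unsigned char firmware_blob[] =
    "\x7f" "ELF\x00\x01\x01" "......padding......"
    "-----BEGIN RSA PRIVATE KEY-----\nMIIB(constructed)\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIC(constructed)\n-----END CERTIFICATE-----\n"
    "-----BEGIN EC PRIVATE KEY-----\nMHQC(constructed)\n-----END EC PRIVATE KEY-----\n";

struct key_hit { size_t offset; const char *label; };

/* Scan a raw buffer for PEM private-key headers. memcmp is used instead of strstr
 * because firmware images contain NUL bytes. Certificates and public keys are expected
 * in firmware and are skipped; only private-key labels count. Returns the hit count. */
size_t find_private_keys(const unsigned char *buf, size_t len,
                         struct key_hit *hits, size_t max_hits) {
    static const char *labels[] = { "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY",
        "OPENSSH PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "PRIVATE KEY" };
    static const char begin[] = "-----BEGIN ";
    const size_t blen = sizeof begin - 1;
    size_t n = 0;
    for (size_t i = 0; i + blen <= len && n < max_hits; i++) {
        if (memcmp(buf + i, begin, blen) != 0) continue;
        const unsigned char *p = buf + i + blen;
        size_t rest = len - i - blen;
        for (size_t k = 0; k < sizeof labels / sizeof labels[0]; k++) {
            size_t ll = strlen(labels[k]);
            /* the label must be followed by the closing dashes to be a PEM header */
            if (rest >= ll + 5 && memcmp(p, labels[k], ll) == 0 &&
                memcmp(p + ll, "-----", 5) == 0) {
                hits[n].offset = i;
                hits[n].label = labels[k];
                n++;
                break;
            }
        }
    }
    return n;
}

int main(void) {
    struct key_hit hits[8];
    size_t n = find_private_keys(firmware_blob, sizeof firmware_blob - 1, hits, 8);
    printf("%zu private key(s) embedded in image\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  offset %zu: %s\n", hits[i].offset, hits[i].label);
    return 0;
}
```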
Finally, some best practices for auto firmware analysis
Best practices for automated assessment – in my opinion, the analysis process is broken into 3 clear steps: extraction, analysis and reporting. The first is a huge unsolved problem, the elephant in the room. When it comes to extracting firmware, the process is not flawless. It is important to verify the results, extract any missed items, create custom plugins for unsupported file types, remove duplicates, and detect failed extractions.
When it comes to analysis, proper software design is key. A security expert is often required to assess the risk, impact and likelihood of exploitation for a discovered vulnerability. The security posture depends on the setup and working of the IoT device itself. As for reporting, once the analysis completes, you end up with a lot of actionable data. It’s critical to improve the security posture of the device based on the action items in the report.