Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

On the Security of “Things”

The security ramifications of the "Internet of Things" (IoT) is a hot topic lately. That’s not to say the security community has not been aware of this problem; and dealing with it for some time (or ignoring it as the case may be). Back in 2007 I wrote a book about hacking Linksys home-based routers. It gave me a look inside an embedded system and provided me the foundation to begin to analyze security of such devices. What I have found since then, and other security researchers have highlighted, is a bit frightening. I sat down with Patrick Gray from the Risky Business podcast recently and had a chat about some of the major problems with the Internet of Things, and some potential solutions. You can listen to the audio from this interview here:

Risky Business – Episode #336

Below are some of the topics that Patrick and I discussed:

Why are consumer appliances often lacking security?

The battle for security of home-based appliances is largely based on economics. Companies who make routers, home automation, appliances (refrigerators, washers/dyers, and even toilets) compete heavily on price. Consumers want the lowest cost product, and price often trumps features. As such, the hardware and software are meeting bare minimum standards for functionality, let alone the added costs of security.

Hardware and software are meeting bare minimum standards for functionality

Why are they targeted?

Are these devices being targeted by evildoers? The short answer is yes. We’ve seen a rash of Linksys router worms this year alone, as well as some affecting DVR systems and storage devices. The question is why? Below are just a few reasons:

  1. First, take into consideration the definition of an embedded system: a special-purpose system in which the computer is completely encapsulated by the device it controls1. This means there is no monitor, mouse or keyboard, making it difficult (or near impossible) for the end user to determine if the device has been compromised.
  2. The computing power of embedded systems has increased dramatically in the past 10 years. Despite the fact that manufacturers are still using the cheapest parts, there are some storage devices that have more computing power than servers I administered at a university 10 years ago!
  3. Ubiquity is a factor. Small, special purpose devices are now everywhere. As older “things” break, they are replaced with newer “things” that have small computers in them, designed without security in mind (personally, I can’t wait for my toilet to die so I can get one with Wifi, heated seats, warm water jets and Twitter support).

Why are they vulnerable?

Mike Murray and I had a great conversation about why embedded systems, as a whole, are largely less secure than traditional desktops and such. I like to use the hammer analogy, as it’s likely manufactured with two design goals:

  1. The hammer functions to bang nails into wood and do other things you’d normally expect a hammer to do.
  2. Safety - the head doesn’t come flying off and crack someone in the head while you are using it.

What they are not designing a hammer for is to prevent a malicious actor from going on a rampage and whacking people in the kneecaps. This model works for a hammer; not so much for an Internet connected device. Manufacturers must now take into account the malicious actors, and think about what happens when you lose control of the system.

Embedded systems, as a whole, are largely less secure than traditional desktops

How does this impact the security of your organization?

On the corporate front, the technology adoption is growing; more companies have more embedded systems in the form of building automation, printers, physical security controls, voice and video bridges, DVRs and more. Just when you think this may be a problem just for the home user, take a look around your network and you will find lots of “things” that are connected, and in desperate need of security. Worse yet, many don’t fully understand what it takes, and how, to identify vulnerabilities in these systems.

What can we do about it?

Along the lines of making the world a better place, I believe a good place to start is with the manufacturers. We must help them understand the impact, and the security pitfalls of building a device using the current “forget about security” models. I’ve come up with my own list of 10 things manufacturers and developers can do better in order to produce much more security products:

  1. Do not put backdoors inside of firmware
  2. Never use default credentials
  3. Provide secure remote management software
  4. Use open-source software and drivers, NOT binary blobs
  5. Not use functions prone to overflow conditions (secure SDLC)
  6. Implement firmware and configuration encryption
  7. Provide easy-to-use & secure firmware updates (auto-updates)
  8. Implement secure web management interfaces
  9. Maintain a CIRT and provide a program for security researchers
  10. Implement protocol security / Implement secure protocols

Many don’t fully understand what it takes, and how, to identify vulnerabilities in these systems

There are other fantastic efforts going on in the space, such as http://builditsecure.ly/ and the cavalry movement, which are promoting similar concepts. I will be speaking more about this topic at some upcoming conferences, including Derbycon, SANS and the CCRI Security Day.

1 http://www.ece.ncsu.edu/research/cas/ecs

<

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training