
An NCC Group Publication

Security Impact of IoT on the Enterprise

Prepared by: Lance Garcia


An NCC Group Publication | Security Impact of IoT on the Enterprise 2


Contents

1. Summary business context and target audience 3

2. The benefits of enterprise IoT? 4

2.1 Enterprise IoT example applications 5

2.2 Example domestic IoT creeping into the workplace 6

3. How will IoT impact on enterprises? 8

3.1 Bring your own IoT device 8

3.2 Possible tampering with IoT hardware and software 9

3.3 Unmanaged third party applications 9

3.4 Unpatched and outdated services 9

3.5 Botnet DDoS attacks 10

3.6 Data protection 10

4. Real world IoT security impact examples 11

5. What are the security concerns? 12

6. Possible solutions 14

6.1 Securely configure the IoT device 14

6.2 Managing IoT devices 15

6.3 Ensuring your network is up to date and segregated 15

6.4 Managing and maintaining IoT devices 16

7. Recommendations on IT and procurement 17

8. Future considerations 19

9. Conclusion 20

10. References 21


1. Summary business context and target audience

We are moving to a time where many ‘things’ that we know and use have the capability to be connected to a network, either wired or wirelessly. The way we use technology is becoming more integrated in all aspects of our daily lives and is steadily integrating within the enterprise environment. A core concern for businesses is therefore the risk of introducing Internet of Things (IoT) devices to the enterprise.

This paper has been written in response to the emerging focus on IoT device security and on the ease with which, in many cases, such devices can be attacked by outsiders and used to gain a foothold on associated networks. Research has demonstrated how IoT devices can be a security threat to a user’s home, from tampering with “smart” lightbulbs to opening an Internet-connected lock on a door 1. To date, a lot of focus has been on IoT security in the domestic space, but how soon before the researchers, and hostile threat actors, divert their attention to businesses introducing IoT within their buildings, offices and IT infrastructures? What mitigations have been, or need to be, put in place to prevent an IoT-based attack?

At the end of 2018, Gartner 2 reported that “CIOs should ensure they have the necessary skills and partners to support key emerging IoT trends and technologies, as, by 2023, the average CIO will be responsible for more than three times as many endpoints as this year [2018].”

This paper is aimed at identifying what risks businesses face when using IoT devices, what organisations need to be aware of, and the security baselines which organisations should be aiming towards when installing and maintaining enterprise IoT devices. This information should be helpful to C-level executives and IT administrators wanting to know the risks they face and what mitigation options exist.


2. The benefits of enterprise IoT?

A wide range of enterprise IoT devices exist on the market, and their functions can cover pretty much anything used in the business world that might benefit from data analysis and/or general Internet connectivity. It is unfortunately the case that many IoT devices, even those aimed at the enterprise market, are merely novelties, and in the grand scheme of business priorities may provide limited or no real business benefit. So many devices now come network-enabled out of the box that enterprises may not even be aware of the multitude of devices on their networks that conceivably have inbound and outbound Internet connectivity. For example, a business may install hundreds of new hand-dryers in its staff toilets across multiple sites, yet unbeknownst to them, the vendor’s dryers have built-in wireless network capabilities and perhaps seek to automatically connect to local wireless access points in order to transfer usage data to a remote server.

Such usage data might be useful to the vendor in order to understand performance statistics and possible improvements to future device design, while for the enterprise, such data may help in environmental impact analysis within their buildings etc. While there may appear to be boundless benefits to generating and harnessing this data, from a security perspective, the devices could be inadvertently opening up access to internal corporate networks, or providing avenues for exfiltrating data out of an organisation. Despite the potential risks, IoT in the enterprise, if deployed correctly and securely, could help businesses transform the way they operate, bringing efficiencies and cost savings as a result of the rich telemetry generated by IoT devices and the processing of that data to understand improvements to business operations. The following sections explain a few basic reasons why enterprises and Building Management Systems (BMS) might want integration of IoT devices.


2.1 Enterprise IoT example applications

• Devices enabling reordering of stock – examples include printers running out of toner and paper automatically re-ordering more supplies for themselves or at the click of a button. NCC Group’s recent in-depth research on the security of enterprise printers identified a number of systemic vulnerabilities across six different printer manufacturers; the findings from this research demonstrate the types of security issue we can expect to uncover in other enterprise IoT device types 3.

• Visibility and control across all assets – everything connected means everything can be remotely managed and controlled. The maritime and trucking industries can benefit greatly from fleet management. This can aid with making important decisions, from operational efficiency to real-time tracking of assets and the status of cargo. For the trucking industry, updating other drivers with information on any obstructions or accidents on a specific route would help a navigational system to reroute drivers away from that area. Eddie Stobart 4, for example, has fitted IoT devices to its trucks to monitor the status of the driver and the truck, and is now moving to a connected environment.

• Increased productivity and optimised working environment – computers and coffee machines can be turned on before employees arrive at the office, saving boot-up time and thus increasing productivity. Integrating IoT with HVAC systems can help improve work conditions through nuanced temperature control, while the telemetry generated on energy usage can be used to inform annual reports on an office’s environmental impact. In addition, smart plugs can be used to remotely turn off printers, fax machines and other non-critical devices when not in use.

• Physical building access and monitoring – solutions exist such as the product Kisi 5, a cloud access control system integrated with Slack, which allows office managers to unlock doors from the service. CCTV and building security can be integrated into a single dashboard that monitors and controls multiple connected surveillance and security sensors.

These are just a few examples of where IoT in the enterprise might find itself and for what reason. Once an enterprise has committed to procurement of such solutions, the question of who installs and manages these devices becomes pertinent. Who manages these devices across buildings? Building owners, system integrators, the organisation itself (staff)? For example, if an organisation wanted to save costs and install Wi-Fi-capable hand dryers or other devices that will collect and send data to cloud services for production of usage reports on where it could save money, who manages the system that audits this information? Is a hand-dryer in a staff toilet really a corporate IT asset?


2.2 Example domestic IoT creeping into the workplace

We are already seeing examples of domestic IoT devices being deployed within the office space, bringing with them the same, if not more, potential security risks and issues by virtue of interacting with and/or monitoring a myriad of individuals within an organisation, and interconnecting to potentially sensitive corporate networks. Some examples include:

IP connected CCTV

Companies that utilise IP-based CCTV cameras can benefit from remote access and control and centralised storage of recordings on a remote server. Remote receipt of live feeds is also a real benefit. For example, for any security incidents within the workplace, previously recorded material can be useful in investigating incidents and in providing hard evidence for internal processes. In very recent times we have also seen an explosion of facial recognition applications for such workplace CCTV, where solutions exist that can determine whether certain individuals should or shouldn’t be within certain parts of a building, simply from face recognition via real-time IP-based CCTV camera monitoring. When such devices are connected to new or existing IP-based networks, organisations need to review how they will handle secure configuration and installation, and how and where the data gets stored. Questions to consider when these devices are installed include:

• Will the devices be installed on the company’s internal network?

• How will the data recordings be stored?

• Assurances need to be in place to ensure the video files are not sent over clear channels and/or stored on a remote server owned by the manufacturer.

• Who installs these devices?

• How is the data transferred, and how are management controls accessed?

Organisations will also need to review the impact these CCTV cameras will have on employees. There may be privacy aspects to address in line with the Data Protection Act and GDPR, and suitable consent notices may be required; any CCTV cameras in use in the office should be clearly signed and present the purpose of the surveillance with contact details for any enquiries 6.

The following issues with IP connected CCTVs on the internal network could surface if appropriate research is not conducted during procurement:

• Default (hard coded) credentials

• Exposed unnecessary services

• Default weak configuration

• Disparate and undocumented data storage locations

Smart Assistants – e.g. Amazon Alexa, Google Home, Apple HomePod

Smart assistant devices were initially introduced into homes; as a result of human familiarisation and understanding of how such devices can help in life optimisation, they are starting to appear in the workplace, whether officially or unofficially. For example, asking a smart assistant to read out one’s schedule and add or remove appointments, or to send travel details to one’s phone, is quite useful. In the context of the workplace, potential security and privacy concerns surround the nature of the data spoken into such devices, whether it is corporately sensitive, and who may have access to any recordings or data transfers via the smart assistants.


Companies will need to consider the following implications:

• Where and how are the recordings of requests stored?

• What security features do the devices have?

• Are they configurable?

• Have the devices been tested from a security perspective?

• Is there any baseline security information?

• What networks are the devices connected to?

• Do the devices connect to and integrate with staff mobile phones, or BYOD devices?

Smart TVs & casting devices

Similar to smart assistants, smart TVs and casting devices such as Google Chrome and Amazon FireStick are another useful solution for boardrooms and reception waiting areas. One use would be to use the TV as a business dashboard, presenting useful information alongside internal advertisements or real-time business metrics. Most TVs will have integrated wireless capabilities, microphones and cameras for conferences and video calls, and casting devices let businesses stream or cast (over-the-air) presentations to them. Would these devices be connected to the main network, or would they be segregated on their own network without Internet communication? One example of an attack in this domain was the exploitation of a smart TV, turning it into a listening device and extracting Wi-Fi passwords 7. Another case was the company Vizio collecting and selling data about its consumers’ locations for targeted advertising 8.


3. How will IoT impact on enterprises?

3.1 Bring your own IoT device

IoT devices will eventually be part of our everyday lives and the places we work. Enterprises will have to ensure they remain focussed on the potential security risks that will be introduced by their rollout. Enterprise IT administrators will have to develop solutions that protect end-to-end communication, harden the configuration of the devices and allow devices to be managed remotely. Malicious attacks will vary depending on the business and the nature of the IoT devices that businesses adopt.

IoT may be the next prime target for infiltrating corporate networks. The more devices added to an infrastructure, the larger the attack surface will be. Again, we showed the feasibility of this type of infiltration with our printer research, whereby we were able to install backdoor persistent Trojans within printers, allowing us to gain unauthorised access to corporate networks in ways that were largely undetected by conventional IT security controls 9. The following section is a brief overview of the type of negative impacts businesses should expect with increased use of IoT devices in the enterprise.

Allowing a large number of (unknown and unmanaged) devices to be connected to an enterprise network will make it unmanageable for administrators to oversee every endpoint that gets connected. They will have to create rules that restrict users connecting and ensure only authorised devices access the network. IT administrators will need to find ways to ensure they have appropriate visibility and a very robust BYOIoTD (Bring Your Own Internet of Things Device) policy. As some of these devices are not managed by the enterprise, they could present a multitude of vulnerabilities and security holes such as backdoors. The devices could be misconfigured and could be the entry point for an attacker to gain a foothold onto the network. If the device is connected to a key network, it may also attempt to communicate with potentially sensitive corporate devices and network resources. Concepts of Zero Trust networks and BeyondCorp 10 become ever more pertinent in this domain and may require IT network administrators to completely rethink their existing network security models.


3.2 Possible tampering with IoT hardware and software

The physical hardware of devices, such as USB ports and web cameras, could be compromised. Manufacturers may build these devices to be isolated and tamper-proof, but if a device is left unattended this could allow a skilled hardware hacker to obtain sensitive data from it, or to add backdoors or malicious behaviour to it.

If software/firmware updates are not digitally signed, malicious attackers could upload malicious code to the device. Without any tamper proof checks this could leave devices vulnerable to a number of issues. One other impact could be ‘bricking’ the device - without appropriate testing, this could leave the device unable to function, rendering it inoperable. Depending on the nature of the IoT device or system, this could have a potential effect on personal safety, such as the example where customers were locked out of hotel rooms due to issues with the firmware upgrade of room locks 11.
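The check this paragraph calls for, as an added example that is not part of the original paper: a device-side verifier that accepts an update only if it carries a valid vendor signature, is built for this device model, and is newer than the installed firmware (the model check is what would have stopped the wrong-iteration lock update described in section 4, and the version check blocks replay of an old, vulnerable image). The image layout, key handling and model strings are constructed for this example and are not any vendor's real format; a production device would also keep the vendor public key in protected storage and verify before writing anything to flash.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed update image layout (not a real vendor format):
//   magic(4) | version(4, big-endian) | model(16, zero padded) | payloadLen(4) | payload | sig(64)
// The Ed25519 signature covers every byte before it, so the header is only
// trusted after the signature has been checked.
const (
	magic    = "FWUP"
	modelLen = 16
	sigLen   = ed25519.SignatureSize
)

var (
	ErrBadFormat  = errors.New("malformed update image")
	ErrBadSig     = errors.New("signature verification failed")
	ErrWrongModel = errors.New("image is for a different device model")
	ErrRollback   = errors.New("image version is not newer than installed firmware")
)

// Device holds what the verifier needs: its own model, the vendor's signing
// public key (assumed to be provisioned at manufacture) and the running version.
type Device struct {
	Model        string
	VendorPubKey ed25519.PublicKey
	InstalledVer uint32
}

// BuildImage is the vendor-side step: package a payload for one model/version
// and sign it with the vendor's private key.
func BuildImage(priv ed25519.PrivateKey, model string, version uint32, payload []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(magic)
	binary.Write(&buf, binary.BigEndian, version)
	var m [modelLen]byte
	copy(m[:], model)
	buf.Write(m[:])
	binary.Write(&buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

// VerifyImage is the device-side step. It returns the payload to flash only if
// the image is well formed, signed by the vendor key, built for this model and
// strictly newer than what is installed; otherwise it reports why it was rejected.
func (d Device) VerifyImage(img []byte) ([]byte, error) {
	hdr := len(magic) + 4 + modelLen + 4
	if len(img) < hdr+sigLen || string(img[:len(magic)]) != magic {
		return nil, ErrBadFormat
	}
	body, sig := img[:len(img)-sigLen], img[len(img)-sigLen:]
	// Signature first: an attacker controls every header field until this passes.
	if !ed25519.Verify(d.VendorPubKey, body, sig) {
		return nil, ErrBadSig
	}
	version := binary.BigEndian.Uint32(body[4:8])
	model := string(bytes.TrimRight(body[8:8+modelLen], "\x00"))
	plen := binary.BigEndian.Uint32(body[8+modelLen : hdr])
	if int(plen) != len(body)-hdr {
		return nil, ErrBadFormat
	}
	if model != d.Model {
		return nil, ErrWrongModel
	}
	if version <= d.InstalledVer {
		return nil, ErrRollback
	}
	return body[hdr:], nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor key pair, constructed
	if err != nil {
		panic(err)
	}
	dev := Device{Model: "door-lock-v2", VendorPubKey: pub, InstalledVer: 3}
	payload := []byte("constructed firmware blob")

	good := BuildImage(priv, "door-lock-v2", 4, payload)
	if _, err := dev.VerifyImage(good); err != nil {
		panic(err)
	}
	fmt.Println("signed, newer image for this model: accepted")

	tampered := append([]byte(nil), good...)
	tampered[len(tampered)-sigLen-1] ^= 0xff // flip one payload byte after signing
	_, err = dev.VerifyImage(tampered)
	fmt.Println("tampered payload:", err)

	_, err = dev.VerifyImage(BuildImage(priv, "door-lock-v2", 3, payload))
	fmt.Println("replayed old version:", err)

	_, err = dev.VerifyImage(BuildImage(priv, "door-lock-v1", 9, payload))
	fmt.Println("image built for another model:", err)
}
```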

3.3 Unmanaged third party applications

Applications that are required to interact with IoT devices can potentially install and run with overly permissive privileges. Such applications may be installed on corporate mobile or laptop devices and could leave them vulnerable to an attack where an attacker leverages the overly permissive settings to obtain sensitive information or uses them as an entry point onto a network.

A third-party application or web application accessible via the Internet to access data might be insecure by design. APIs might be exposed to consume data from different deployments of IoT devices; if the APIs or web services/applications are insecure, then they may present opportunities for attackers to gain command and control over entire IoT deployments. In addition, attacks against remote endpoints may result in a breach of customer separation, allowing attackers to identify IoT deployments at different customer sites.

3.4 Unpatched and outdated devices

IoT devices out of the box will be factory built and may not have the latest firmware installed. Default-configured IoT devices may not be secure out of the box and will need to go through a stringent process of hardening to render them compliant with enterprise device security policies. Unpatched and vulnerable IoT devices connected to the network could be used to pivot to other devices and end-user computers, as these devices will be trusted by the network. Another serious impact that enterprises should expect is that updates may cause usability issues. A company-wide critical update which is not tested properly could have a worse outcome than not having the update applied 12. In addition to possibly out-of-date firmware, out-of-the-box IoT devices may use default, easily guessable passwords on the network services that they expose. From NCC Group’s experience, these passwords are seldom changed from the default, possibly just overlooked, and so attackers on the enterprise network may be able to guess or trivially brute-force authenticated services on IoT devices that are configured with default or weak passwords.


3.5 Botnet DDoS attacks

If not securely configured, IoT devices can be used to attack other hosts by becoming part of a botnet. This would allow a third party to gain control of a device and use it to perform malicious acts from a remote location. A server can be bombarded with requests by the bots attempting to connect to it, thereby overloading it. A solution to this is for manufacturers to have security as part of the development process and to ensure rigorous testing not only of the device’s functionality but also of its security.

3.6 Data protection

IoT manufacturers may only think about the functionality and use of a device, but what happens when a device becomes obsolete or inoperable? The data on these devices could be a goldmine to attackers if not disposed of properly. These devices could expose private data, or reveal internal network information such as domain credentials and IP addresses. This was certainly NCC Group’s experience with recent research on a connected medical pump bought from eBay, whereby we were able to forensically recover the Wi-Fi password of the hospital from which it came, along with other sensitive encryption and IP address information 13. There are many anecdotes of companies having resold older and obsolete devices with residual data pertaining to the company left on them. This could have a major impact on the enterprise, thus demanding a plan to securely decommission IoT devices. IoT devices do have a short life span and newer versions will always be introduced. Enterprises may want to keep up to date with the latest technology and will need to ensure that decommissioning these devices is part of the supply chain. A few manufacturers do offer an option to recycle and properly dispose of devices. Consider due diligence for any services that may involve sensitive data 14. As can be seen, there are a number of problems/scenarios with IoT devices that can pose risks to an enterprise, and the examples above are by no means exhaustive.


4. Real world IoT security impact examples

Below are just a few real-world case studies showing how IoT insecurity has impacted businesses and users of IoT devices within those businesses. While the issues relate mostly to compromise of domestic IoT, used as a conduit to attack organisations, the same risks will be present for enterprise IoT devices if they are not securely configured and deployed.

Consider the Distributed Denial of Service 15 (DDoS) attack using compromised IoT devices (mainly IoT cameras) which caused a major disruption to the services of a DNS service provider, Dyn, and to the Krebs On Security 16 website. This is one situation where the manufacturer acquired the blame, but for newer devices with updated firmware, should the blame not be at least partially shifted to the users themselves? Are users responsible for not updating the firmware or changing default passwords on their devices? What would be the implication if any such IoT devices were part of an enterprise; might that enterprise be deemed (at least) partially responsible in such a scenario?

A famous example where IoT devices were infected with malware was “Mirai” 17. This was malware that attacked remotely controlled Linux devices that could be used in a large-scale botnet attack. It mainly targeted IoT devices such as IP cameras and digital video recorders that were exposed on the Internet, checked for default and common passwords, and then logged in to the affected devices. At this point, the attacker/malware could download malware code for different architectures until one managed to compile and execute on the device. This would turn the devices into “bots” that could be controlled by a central server to launch DDoS attacks which could take down web sites. Remediation measures to prevent these attacks were to restart the device and to change the default password, otherwise the device would simply become re-infected. Other methods included restricting access to the administrative ports, which prevented the malware from accessing the device remotely, and finally updating the firmware.

Many products were affected by the malware attack, but one major company recalled 18 4.3 million devices. The product vendor Xiongmai 19 issued a statement requiring passwords to be changed and recalled many devices with older firmware where the passwords were hardcoded. Additionally, a patch was released in April 2015 that would close the administrative port and request users to change the default passwords when the product was used for the first time. At this time, older versions of the firmware were still vulnerable.


So is the manufacturer/developer to blame, or the user/administrator for not updating the firmware? Users were unaware of the application’s default password, and it was not possible for them to change it as it was built in and required a firmware upgrade to change. In this case, the manufacturer admitted fault, but should the users be blamed as well for not following basic security practices and not changing the default password or updating their firmware? In reality, should it be expected that the layperson will fully understand the reason for updating firmware or changing passwords? Should IoT devices not be secure by default, out of the box?

In another case study, the LockState Smart-lock IoT device was seriously affected by an over-the-air firmware update which greatly affected its business and its users’ businesses 20. The LockState Company had provided these devices to AirBnB renters to make it easier for them to give access to guests renting their properties. These devices were configured to provide custom access codes without the need for a physical key for every guest. LockState had pushed a firmware update to the wrong iteration of locks and caused these devices to become “bricked” or inoperable. One of the main problems here was the remediation service provided by LockState. They had emailed their customers informing them of the issue and of two options to remediate it. For some users this was not good news, since they would have to wait at least 5-7 days for the device to be replaced with one running the correct firmware.

These are just a few examples of the negative impact insecure IoT can present to enterprise networks.


5. What are the security concerns?

There are a number of security requirements to consider as IoT devices are rolled out onto corporate or business networks. Devices out of the box will be in a default and possibly weak configuration state. IT administrators will need to understand that some IoT devices will have limitations in security control and features. Concerns to consider include:

• No current security baseline standards - developers/creators will want functionality and usability over security, and due to the slow development of standards and security methodologies, consumers or manufacturers won’t think about best security practices or having baselines similar to those of existing company networks. There is, however, emerging advice and guidance in the UK by way of a Code of Practice 21, albeit for consumer IoT.

• No in-built anti-virus or firewall installed - no protection against publicly available exploits/code or network-based attacks. If devices are not segregated from other IT assets, then they can be used to move laterally across the network.

• Devices could be dependent on mobile applications/hardware which could have inherent flaws - devices may use the cloud as a backup for information or for checking for updates. Insecure methods or accidentally exposed signals could leak sensitive information.

• Insecure development of applications - a push to get a product functioning could restrict the time spent on developing security controls and addressing privacy concerns. IoT manufacturers may be limited in what security features they can employ due to technical limitations in memory and processing power, for example with regard to low-cost, low-capability components.

• Hardcoded and default passwords - a number of devices will have hardcoded passcodes which cannot be changed or disabled by system administrators without manually modifying or patching the software 22.

• Unnecessary external web services - most IoT devices can be accessible remotely to be managed over the Internet. If these services are not properly secured, they could leak sensitive information or allow for exploitation for any inherent web application vulnerabilities such as SQL injection.

• Depending on the nature and capabilities of IoT devices, their presence may pose the risk of side-channel and/or TEMPEST 23-based attacks against organisations.

What network attacks should companies expect from IoT devices?

IoT devices, like normal laptops, desktops or servers, will also become victims of network-based attacks. Companies need to acknowledge the types of attack to expect, and to consider the severity of the risks they will need to manage once such devices are connected to their networks. The following attack examples might be expected upon introduction of IoT devices to networks:

• Increased attack surface - if these devices are not segregated from the main network and are left unpatched, they could render the whole estate at risk from an external attack.

• Distributed denial of service (DDoS) - flood a single service or send multiple connections to devices which might terminate the service or crash the device.


• Publicly known exploits - exploiting a vulnerable device to access the underlying system or to gain administrative control 24.

• Man-in-the-middle attacks - the IoT device could be implemented using weak and insecure communications, and a suitably placed attacker could eavesdrop on network traffic to steal sensitive information.

• Another similar attack would be to hijack the software update process if the IoT device does not verify the source or authenticity of updates: an attacker could push their own malicious updates, potentially rendering the device either Trojaned or unusable.

• Brute force attacks - as explained above, most IoT devices will have weak embedded passwords configured allowing access to the device management area.

• Physical tampering - devices can be tampered with as they are not monitored at their locations and are difficult to manage for a business that has many users accessing devices, possibly across multiple disparate geographic sites.

• Attackers might also obtain the devices and make hardware modifications to compromise them, such as adding backdoors, either through supply chain attacks or tampering by malicious insiders.

• Unintended exposure of services - devices could accidentally expose ports that could allow an attacker to gather information, perform network reconnaissance or hijack active sessions.


6. Possible Solutions

There are a number of solutions to these problems that can be implemented to help not only an enterprise but also IoT device manufacturers strengthen their device security. The following key areas are presented:

• Securely configure the IoT device - this section discusses the actions that should be performed during installation, device maintenance and software testing.

• Securely manage IoT devices - this section discusses ways of securely managing devices and applying updates.

• Ensure networks are up to date and segregated - this section discusses how the network should be prepared for these devices and what restrictions can be made at the network level to prevent an attack.

• Additional security controls - this section discusses what further security actions a company can perform after the hardening process, and what actions should be taken after IoT integration. Note that this is not an exhaustive list and that there will be other factors to consider depending on the IoT device(s) being deployed, the nature of the business performed by the enterprise and the organisation's risk appetite.

6.1 Securely configure the IoT device

IoT devices should not be deployed onto networks in their default configuration. Easily guessable usernames and passwords could be used to obtain access to such devices; the 'Mirai' attack described in section 4 is a good example of why default credentials are bad practice. Attackers could log in and upload exploits that could obtain sensitive data and asset information from the device. Each device should have a unique username and password to resist brute force attacks. Best practice is to use public key authentication and secure protocols such as SSH for remote device management. Additionally, boot passwords should be used to prevent devices being placed into debug mode or having their firmware overwritten.

The next challenge is to incorporate an enterprise's current patching policies where possible, or to create new policies specific to the different types of IoT device in use. IoT devices are essentially endpoint devices like any other in the business, so it is imperative that they are kept fully up to date. Failure to maintain up-to-date device software can lead to compromise of both the device and any associated device on that domain. Applying patches and firmware on a regular basis will protect the device from known vulnerabilities. As with any network, patches and firmware should be reviewed and thoroughly tested before being applied to the IoT devices. Section 4 highlights the importance of testing firmware before applying it [25].


Detailed white-box analysis of software source code and hardware reviews can uncover a wide range of vulnerabilities. Detailed manual review of the source code can help identify implementation-level bugs as well as design-level issues.

One possible method to ensure software updates are received from an authenticated source is to use digitally signed updates backed by signed certificates. Unauthorised software should be prevented from being uploaded and the device should be able to detect and reject unsigned updates. Some devices may have hardware support that can be used to verify that firmware code is authentic. This ensures that malicious code cannot be introduced into the system and that the firmware or patches have not been altered. Confirm that the update mechanism is achievable on the current network and that all updates carry a digital signature. Manufacturers will avoid being held accountable for maintenance of their devices once they are sold or despatched, so organisations will need to ensure there is a strategy for preventing unpatched devices on the network.

Care should be taken when updating IoT devices because of the function the device performs. In an extreme example, IT administrators would not want to update the firmware of a drone actively flying over civilians, as the update would require the drone to restart and could therefore threaten life. Scenarios like these should be documented to determine the potential dangers. ISO 26262 [26] is a standard that details functional safety for automotive equipment throughout the development lifecycle of all automotive electronic and electrical safety-related systems, and provides requirements to ensure that sufficient and acceptable levels of safety and security are achieved. Following such standards can help enterprises conduct IoT maintenance in a secure and safe manner.

IoT device hardening will be a very important part of the deliverable of a product as it will prevent attackers from gaining a foothold onto a network and taking control of the device which could possibly lead to lateral movement across a network.

6.2 Managing IoT devices

A Mobile Device Management (MDM) solution [27] can be used to control IoT devices by configuring a passcode to keep sensitive data from unauthorised users and by being able to remotely wipe the device. Other features might include enrolling new devices, enforcing policies, tracking and reporting. Otherwise, a written and enforced BYOD policy that requires users to set strong passwords on IoT devices will provide assurance in this area.

Another solution for third party applications would be to use a Mobile Application Management solution, which gives enterprises more control at the application level, where administrators can securely manage and secure IoT-generated data. To address the issue of unsigned firmware updates, tamper resistant mechanisms should be included in the design of these devices. If tampering is possible and does not disable the device, then the underlying firmware should be protected by strong boot passwords. Also, tamper proof packaging should be used to ensure the device has not been opened before arrival. Another solution for testing unpatched and outdated devices is to test the devices in multiple scenarios and create a contingency plan for when these updates fail. Updates should mirror how IT administrators update existing enterprise systems, using a similar patching process. Patches should be tested on a select few devices in order to investigate whether any issues arise; if so, a contingency plan should be put in place.

6.3 Ensure your network is up to date and segregated


A separate network (or VLANs) dedicated to IoT devices can help identify devices on the network and segregate them from the main network. This reduces the chance that an attacker who gains control of an IoT device can easily gain unauthorised access to neighbouring systems. IoT-specific firewalls and auditing mechanisms can be put in place on these segregated networks, and a further benefit is that the main enterprise network's bandwidth will not be affected by the IoT devices communicating across the network. Related to this, being able to dynamically throttle a specific IoT network segment could prove invaluable in the event of a botnet-style attack being discovered to originate from that segment.

Only encrypted communications to and from the device, such as SSH or TLS, should be used. Organisations should understand the cryptographic protocols used by the devices and determine whether they are commensurate with existing network security confidentiality and integrity requirements.

One thing to take from the Mirai case study, for manufacturers and IT managers alike, is that data traffic from any device should be restricted to the minimum required for the device to function. IoT devices may have unrestricted network functions that could produce large volumes of packets, so manufacturers should limit the amount of data IoT devices can generate. Depending on the device, self-monitoring features would enable the device to reboot and restore itself if malicious behaviour or exploitation were detected. These restrictions could prevent an attacker from owning the device and using it as a bot for a DDoS attack [28].

Restricting which devices can connect to the network gives IT managers a broad overview of what should be on their systems, with complete visibility of the traffic entering or exiting their networks. These controls could prevent attacks such as man-in-the-middle, data and identity theft and denial of service. Processes should be developed to assess every single device that is added to the network. These devices should not be excluded from penetration testing, as they too will be actively communicating on the network, possibly in ways the company does not want.

6.4 Managing and maintaining IoT devices

After a device has been securely hardened and methods have been put in place for a secure IoT network environment, new security concepts should be discussed to ensure the future integrity of the network and the company's assets. As IoT technology advances, so should the underlying security. IoT data traffic on the network should be actively monitored. This will help network administrators identify any suspicious traffic, or even detect unauthorised or unexpected outbound traffic through DLP solutions deployed on the IoT networks. Devices should also be managed and documented from the beginning to the end of their deployment. Accurate asset lists should be maintained of the devices and both their physical and logical network locations; at end of life, the data on these devices should be securely deleted and the device securely decommissioned. Ensure that the installation of any third party applications required for use with these devices is managed and controlled from within the network and tested for known vulnerabilities. The application and its code will need to be reviewed to ensure they follow security best practices.

Manufacturers should engineer their devices to only collect what is required from users or the environment in which the devices operate. Data will need to be protected throughout the supply chain. This includes any data relating to the identity of users, configuration files and audit/log files.

Some IoT devices may perform security event auditing, and may expose this information through protocols such as SNMP traps, syslog or authenticated web servers on the devices. Organisations should understand what (if any) security event auditing is available on IoT devices, and where it exists, should seek to consume that data into a centralised monitoring process or SOC, in order to understand any patterns of abuse or emerging attack against the underlying IoT devices.
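The centralised consumption of device syslog described above, as an added example that is not part of the paper: a small collector-side check in Go over constructed syslog lines from a segregated IoT VLAN, flagging repeated management login failures against a device and outbound connections to destinations outside the set a device is expected to talk to. Hostnames, addresses and message formats are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample of device syslog lines, as a central collector might
// receive them from an IoT VLAN (hostnames, IPs and formats are hypothetical).
const sampleLog = `Mar 12 10:01:02 hand-dryer-01 sshd: Failed password for admin from 10.20.0.9
Mar 12 10:01:03 hand-dryer-01 sshd: Failed password for admin from 10.20.0.9
Mar 12 10:01:04 hand-dryer-01 sshd: Failed password for root from 10.20.0.9
Mar 12 10:01:05 hand-dryer-01 sshd: Failed password for root from 10.20.0.9
Mar 12 10:01:06 hand-dryer-01 sshd: Failed password for admin from 10.20.0.9
Mar 12 10:02:00 ip-camera-02 net: outbound connect to 203.0.113.7:6667
Mar 12 10:02:10 ip-camera-02 net: outbound connect to 10.20.1.5:443
Mar 12 10:03:00 printer-03 sshd: Failed password for admin from 10.20.0.9`

// Alert is one finding for the SOC queue.
type Alert struct {
	Device, Reason string
}

var (
	// "<month> <day> <time> <host> sshd: Failed password for <user> from <src>"
	failRe = regexp.MustCompile(`^\S+ \d+ \S+ (\S+) sshd: Failed password for \S+ from (\S+)$`)
	// "<month> <day> <time> <host> net: outbound connect to <dst>:<port>"
	outRe = regexp.MustCompile(`^\S+ \d+ \S+ (\S+) net: outbound connect to (\S+):(\d+)$`)
)

// Analyse runs two detections over the lines: repeated management login
// failures per (device, source) pair, raised once when the threshold is hit,
// and outbound connections to any destination not on the device allow-list.
func Analyse(log string, failThreshold int, allowedDest map[string]bool) []Alert {
	var alerts []Alert
	fails := map[string]int{}
	for _, line := range strings.Split(log, "\n") {
		if m := failRe.FindStringSubmatch(line); m != nil {
			key := m[1] + "<-" + m[2]
			fails[key]++
			if fails[key] == failThreshold {
				alerts = append(alerts, Alert{m[1],
					fmt.Sprintf("brute force: %d failed logins from %s", failThreshold, m[2])})
			}
			continue
		}
		if m := outRe.FindStringSubmatch(line); m != nil && !allowedDest[m[2]] {
			alerts = append(alerts, Alert{m[1],
				"unexpected outbound connection to " + m[2] + ":" + m[3]})
		}
	}
	return alerts
}

func main() {
	// Constructed allow-list: the local update/management server only.
	allowed := map[string]bool{"10.20.1.5": true}
	for _, a := range Analyse(sampleLog, 5, allowed) {
		fmt.Printf("%s: %s\n", a.Device, a.Reason)
	}
}
```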


7. Recommendations on IoT procurement

In this section we touch on what could be done when procuring IoT devices and what organisations will need to do to provide assurance that security isn't compromised within the supply chain. During procurement of an IoT device (again we use the example of an Internet-connected hand dryer), the following steps need consideration to ensure maximum assurance:

• Research the manufacturer and review the firmware:

  • Ensure there are sufficient security features that can be enabled.

  • Understand the security credibility and reputation of the vendor - are they known to be security-aware and do they release secure updates? If they are not well-known, are they at risk of going into administration? If so, either other vendors should be considered, or moves made towards the use of software escrow services.

• Perform dynamic and rigorous testing:

  • Security focused software review.

  • Security focused hardware review.

  • Perform security testing with a focus on identifying all exposed interfaces (wired and wireless), potential backdoors, developer/test functions, unnecessary code blocks etc.

  • Review the findings and determine if the issues or underlying vulnerabilities will impact the business.

• Type of delivery/transit for device orders:

  • Use a trusted and secure delivery provider.

  • Ensure appropriate anti-tamper techniques are used, such as void stickers.

• Receiving delivery:

  • Review the device packages before accepting the delivery.

  • Ensure the recipient obtains appropriate documentation upon receipt of the device(s).

  • Identify any tampering that could have occurred during transit.

  • Report any tampering and possible defects of the delivery.

  • Ensure received goods are securely stored until required.

• Ownership of installation:

  • Use trusted contractors to install the devices.

  • Consider sending internal administrators/managers to supervise the installation process by the manufacturer.

  • If a third party contractor is required, review their process and have an internal team supervise the installation.

• Maintaining the device:

  • Contingency plans should ensure the device can be isolated from the network (e.g. the ability to remotely shut it down) to prevent further disruption should it become known to be compromised.

  • Ensure devices are kept up to date with the latest firmware and that patches have been applied. Patches should be applied in a similar way to how hosts on the internal network are updated:

    • Where possible, validate checksums and cryptographic hashes of downloaded firmware.

    • Ensure that if firmware is updated, it is first tested on a subset of devices and appropriate pre-release testing is conducted.

    • Review security configurations after updating or patching, which could return the device to a default state.

  • Communicate with the manufacturer about any complications that may occur and consider the access they require to fix the issues.

• Decommissioning of old devices:

  • During procurement, future plans should also include when IoT devices reach their end-of-life date and are to be upgraded.

  • Wipe the device and its company-related data. Ensure the following information has been removed:

    • Logs and audit information

    • Configuration files

    • IP addresses

    • User accounts

    • Passwords

  • Restore the device to factory settings.

  • If sensitive information cannot be removed, securely destroy the device, either internally or using a trusted third party data/device destruction provider.
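The signed-update check from section 6.1 and the "validate checksums and cryptographic hashes" step in the maintenance list above, as an added example that is not NCC Group's code: a device-side verifier in Go that authenticates the update manifest with the vendor's Ed25519 key, enforces anti-rollback on the version, and binds the delivered image to the signed hash. The envelope format, the vendor key pair and the firmware images are constructed for this example; a real device would hold the vendor public key in protected storage and run this check before writing anything to flash.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a constructed update envelope (hypothetical format, not any
// vendor's): the vendor signs manifest = version || sha256(image) with its
// Ed25519 key; the device holds only the vendor public key and its own version.
type Update struct {
	Version   uint32
	ImageHash [sha256.Size]byte
	Signature []byte
	Image     []byte
}

var (
	ErrBadSignature = errors.New("update rejected: manifest signature missing or invalid")
	ErrRollback     = errors.New("update rejected: version not newer than installed firmware")
	ErrImageHash    = errors.New("update rejected: image does not match the signed hash")
)

// manifestBytes serialises exactly the fields the vendor signs.
func manifestBytes(version uint32, hash [sha256.Size]byte) []byte {
	buf := make([]byte, 4+sha256.Size)
	binary.BigEndian.PutUint32(buf[:4], version)
	copy(buf[4:], hash[:])
	return buf
}

// Sign is the vendor-side step, included so the example runs end to end.
func Sign(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	h := sha256.Sum256(image)
	return Update{Version: version, ImageHash: h, Image: image,
		Signature: ed25519.Sign(priv, manifestBytes(version, h))}
}

// Verify is the device-side check, run before anything is written to flash.
// Order matters: authenticate the manifest first, then enforce anti-rollback,
// then bind the delivered image to the hash that was signed.
func Verify(vendorPub ed25519.PublicKey, installed uint32, u Update) error {
	if len(u.Signature) != ed25519.SignatureSize ||
		!ed25519.Verify(vendorPub, manifestBytes(u.Version, u.ImageHash), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= installed {
		return ErrRollback
	}
	if got := sha256.Sum256(u.Image); !bytes.Equal(got[:], u.ImageHash[:]) {
		return ErrImageHash
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed vendor key pair
	good := Sign(priv, 2, []byte("constructed firmware image v2"))
	fmt.Println("genuine update:", Verify(pub, 1, good))

	tampered := good // hijacked transfer: valid manifest, swapped image body
	tampered.Image = []byte("attacker-modified image")
	fmt.Println("tampered image:", Verify(pub, 1, tampered))

	unsigned := good // update from an unverified source
	unsigned.Signature = nil
	fmt.Println("unsigned update:", Verify(pub, 1, unsigned))

	fmt.Println("old version:", Verify(pub, 2, good)) // anti-rollback
}
```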


8. Future Considerations

In future, it is predicted that at least 26 billion IoT devices [29] will be connected to the Internet and, with the introduction of IPv6, each device may have a unique IP address.

Some examples of future activities concerning IoT security include:

• Creating security hardening practices to protect IoT systems and data.

• Creating secure design patterns or secure reference models for different types of IoT device and device profile.

• Improved security standards and best practices.

• Banning IoT devices from entering the workplace [30].

• Manufacturers engaging in bug bounty programmes for their devices to encourage wider scrutiny of potential flaws, to be ultimately remedied through system updates.


9. Conclusion

Introducing IoT into the enterprise may bring many benefits, however there are many IoT security issues to tackle for management, procurement, and network administrators. Developing an effective guideline for the whole supply chain, from research to delivery and hardening to deployment will help maximise assurance of IoT use in the enterprise.

It is important to recognise that some IoT devices are simply insecure by default, and so the implications of introducing such devices to corporate networks should be fully understood. User awareness and training for end-users and system administrators should not be underestimated in this domain. Manufacturers must adhere to best practices for the creation of devices and follow a security by design process. Implementing protections in the devices, such as detecting tampering or overuse of embedded features (for example unauthorised network traffic), will add a further layer of security.

Clear guidance and frameworks on the security and privacy of data should be adopted and followed early when manufacturers design their IoT devices, to prevent future failings and give confidence that good implementation choices have been made for a secure and affordable product. Additionally, contingency plans or mechanisms should be in place that could help halt a company-wide attack, should one ever occur due to a vulnerable IoT device or set of devices.

It is hoped this paper has helped the reader to understand that there are many things to consider when acquiring and deploying IoT devices in the enterprise – while many vendor claims will point at the devices being ‘plug-and-play’, this is not the same as ‘plug-and-be-secure’.

Not only must best practices be applied to harden devices but also to ensure assurance in the supply chain. The list of actions and activities in this document is not meant to be exhaustive, but rather to provide the reader with an understanding of what next steps to take to maximise security assurance of IoT devices within the enterprise.


10. References

1. http://www.bbc.co.uk/news/av/technology-38966285/how-hackers-could-use-doll-to-open-your-front-door

2. https://www.gartner.com/en/newsroom/press-releases/2018-11-07-gartner-identifies-top-10-strategic-iot-technologies-and-trends

3. https://www.nccgroup.trust/us/about-us/newsroom-and-events/press-releases/2019/ncc-group-uncovers-dozens-of-vulnerabilities-in-six-leading-enterprise-printers/

4. https://www.cio.co.uk/cio-interviews/eddie-stobart-cio-john-court-explains-how-iot-is-changing-transport-3673998/

5. https://www.getkisi.com/blog/kisi-for-slack

6. http://www.acas.org.uk/index.aspx?articleid=5721

7. https://www.zdnet.com/article/how-cia-mi5-hacked-your-smart-tv-to-spy-on-you/

8. https://www.latimes.com/business/technology/la-fi-tn-vizio-ftc-20170206-story.html

9. https://www.nccgroup.trust/uk/about-us/newsroom-and-events/events/2019/september/44con-2019-mundane-office-equipment-the-front-door-to-persistence-on-enterprise-networks/

10. https://cloud.google.com/beyondcorp/

11. https://www.theregister.co.uk/2017/08/11/lockstate_bricks_smart_locks_with_dumb_firmware_upgrade/

12. http://www.techrepublic.com/article/hundreds-of-smart-locks-bricked-by-bad-update-leaving-customers-stranded/

13. https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/september/compromising-a-hospital-network/

14. http://www.informationsecuritybuzz.com/articles/lingering-data-after-used-electronics-are-resold-online/

15. https://www.enisa.europa.eu/publications/info-notes/major-ddos-attacks-involving-iot-devices

16. https://krebsonsecurity.com/2017/02/how-google-took-on-mirai-krebsonsecurity/

17. https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/


18. https://www.theguardian.com/technology/2016/oct/24/chinese-webcam-maker-recalls-devices-cyberattack-ddos-internet-of-things-xiongmai

19. https://uk.reuters.com/article/us-cyber-attacks-china/chinas-xiongmai-to-recall-up-to-10000-webcams-after-hack-idUKKCN12P1TT

20. http://thehackernews.com/2017/08/firmware-smart-locks.html

21. https://www.gov.uk/government/publications/code-of-practice-for-consumer-iot-security

22. https://cwe.mitre.org/data/definitions/259.html

23. https://en.wikipedia.org/wiki/Tempest_(codename)

24. https://www.techradar.com/uk/news/dangerous-backdoor-exploit-found-on-popular-iot-devices

25. https://www.theregister.co.uk/2017/08/11/lockstate_bricks_smart_locks_with_dumb_firmware_upgrade/

26. https://en.wikipedia.org/wiki/ISO_26262

27. http://searchmobilecomputing.techtarget.com/feature/Mobile-device-management-vs-mobile-application-management

28. https://www.globalsign.com/en/blog/five-common-cyber-attacks-in-the-iot/

29. http://www.gartner.com/newsroom/id/2636073

30. http://www.bbc.co.uk/news/technology-41169907


About NCC Group

NCC Group exists to make the world safer and more secure. As global experts in cyber security and risk mitigation, NCC Group is trusted by over 15,000 clients worldwide to protect their most critical assets from the ever-changing threat landscape. With the company’s knowledge, experience and global footprint, it is best placed to help businesses identify, assess, mitigate and respond to the evolving cyber risks they face. To support its mission, NCC Group continually invests in research and innovation, and is passionate about developing the next generation of cyber scientists. With over 1,800 colleagues in 12 countries, NCC Group has a significant market presence in North America, continental Europe and the UK, and a rapidly growing footprint in Asia Pacific with offices in Australia and Singapore.

For more information from NCC Group, please contact:

+44 (0) 161 209 5200

www.nccgroup.trust