IoT Security for the Enterprise


Sameer Dixit, Senior Director, Security Consulting
Mike Jack, Senior Manager of Product Marketing

The Internet of Things (IoT) plays a key role in the monitoring, supply chain, facility management, and manufacturing processes for many organizations and use is on the rise. Although many IoT deployments are mature, a large number have experienced security breaches that were more costly than breaches to other parts of the enterprise IT infrastructure. Because many IoT projects are implemented outside of IT-managed network or application deployments, there can be gaps in security between infrastructure devices, network connections, web applications, and collection and analysis tools.

This paper discusses the current state of IoT security, identifies potential threat vectors, and describes best practices for vulnerability assessment, testing, and DevOps. The paper also describes how Spirent's Security Labs penetration testing expertise can help companies move forward with their IoT deployments and increase performance and security assurance.

Enterprise IoT Deployments Today

Dedicated networks for connected devices have been around for quite a while. However, the Internet of Things takes this concept to an entirely new level. The IoT connects all kinds of devices to each other, to the Internet, or to other networks, integrating automated systems to gather data, perform analysis, and accomplish an array of tasks that is limited only by the imagination.

Enterprise IoT deployments are surprisingly mature. According to a recent IDC survey [1], enterprise IoT implementations have been in use for at least five years for multiple purposes (Table 1).

Table 1. How Enterprises Use the IoT

Use                                                                              Used by (%)
Identification and monitoring                                                    72.5
Facility management, smart buildings, and environmental controls                 62.5
Supply chain inventory tracking and automation                                   72.5
Fleet management, cargo tracking, traffic monitoring, and autonomous vehicles    47.7

As device costs drop and organizations automate more processes, IoT deployments will increase. The research firm Gartner predicts that by 2020, more than half of major new business processes and systems will incorporate some element, large or small, of the IoT. [2]

[1] IDC, IoT Security Concerns Within the Enterprise, June 2017.
[2] Gartner, Expedite Your Identification of IoT Providers with Agile Sourcing Methods, November 10, 2016.

Here Come the Cyber Threats

Enterprises are well aware of the damage associated with cyber breaches, which can compromise networks and data protected by layers of enterprise security. However, many IoT devices were not designed with security in mind. Connecting these devices creates a larger enterprise attack surface and increases the risk of compromise.

In the IDC survey cited above, 46.6% of respondents indicated they had experienced a breach or other security incident associated with IoT security. Over 80% of security professionals at healthcare firms and 70% at financial services firms said the expenses associated with investigating the scope and root cause of the IoT breach were higher than the expenses associated with traditional breaches and security incidents.

There are several reasons for the high incidence of IoT breaches. First, many enterprises do not realize what is required to secure an IoT deployment. Unlike a network switch or Web portal that uses standardized interfaces and protocols, IoT devices can run on completely different protocols that are not addressed by traditional enterprise security and management measures. In addition, as illustrated in Figure 1, IoT deployments include at least five layers that must be secured: network, application, device hardware, data storage and transport, and cloud or backend infrastructure.

[Figure 1. Layers of IoT Infrastructure That Must be Secured. Diagram title: IoT Security Attack Surface. Labels in the figure: Network (Services, Firewall); Applications (Authentication, Authorization, Input Validation); Device Hardware (Physical Security); Mobile (Client Data Storage, Data Transport, API); Cloud (Backend Server, Authorization, Update Security).]

The second reason for the large number of IoT breaches is that attackers can exploit known vulnerabilities. For example, when an IoT device is deployed using the manufacturer's default configuration, attackers can use that default configuration to opportunistically attack and quickly enslave large numbers of devices into a botnet. Devices rarely require authentication, and IoT data is typically not encrypted. Figure 2 shows the top 10 vulnerabilities of IoT systems, as identified by Spirent Security Labs.

IoT Top 10 Vulnerabilities

Rank  Title                                                  IoT Attack Surface
1     Insecure Web Interface                                 Application
2     Insufficient Authentication/Authorization              Application, Network, Mobile & Cloud
3     Insecure Network Services                              Network
4     Lack of Transport Encryption/Integrity Verification    Application, Network, Mobile & Cloud
5     Privacy Concerns                                       Application, Network, Mobile & Cloud
6     Insecure Cloud Interface                               Cloud
7     Insecure Mobile Interface                              Mobile
8     Insufficient Security Configurability                  Application, Mobile & Cloud
9     Insecure Software/Firmware                             Device & Cloud
10    Poor Physical Security                                 Device

Figure 2. Top 10 Vulnerabilities of IoT Systems

A third contributing factor to the high number of IoT security breaches is that many of these deployments are implemented outside of normal enterprise IT departments and processes. The deployment might be in a remote location or accelerated because of an urgent requirement, or the project owners simply might not have been security-aware enough to involve IT.

Finally, when an IoT deployment is up and running, it is human nature to leave it alone and not monitor it. However, that approach does not work in an environment where the adversary is continuously changing and diversifying its tactics.

The IoT Attack Surface

As shown in Figure 1, IoT deployments involve at least five layers that must be secured for the deployment to be adequately protected. Five layers represent an expansive and tempting attack surface. The more devices that are connected, the greater the number of potential entry points into the network.

These vulnerabilities exist because in the past, devices or applications could be tested individually, according to a specific range of expected functions and benchmarks. For example, a router can be tested for data processing performance and reliability. It is usually not tested for the ability to identify malicious traffic coming from a compromised wireless LTE-connected device. Although the router successfully passes tests related to its specific functionality, it can't protect the deployment from a Web-connected device that has been compromised by an SQL injection attack.

When devices, applications, networks, and backend infrastructure are connected in an IoT deployment, the number of potential combinations and conflicts increases exponentially. That is why testing all layers holistically is so important.

Other inhibitors to securing IoT deployments adequately include:

- Lack of standards. Because no industry standards are specifically applicable to the unique characteristics of IoT deployments, IT teams lack best practices for securing an IoT deployment.
- Legacy or proprietary systems. Mature IoT deployments often include components that lack modern security features, processing power, or other capabilities to maintain end-to-end security when connected to the Internet.
- Customized applications. Many customized applications were not developed with security capabilities in mind, since they did not have to be customer facing. Today, any data that comes over any system can be vulnerable to external attacks or attacks from within the enterprise.
- Lack of cyber security focus. IoT deployments are often created to meet specialized process requirements, and decision-makers are not likely to be IT or security-minded. In addition, many decision-makers do not include the company's IT team in IoT planning or deployment.

IoT Threat Vectors Used by Sophisticated Attackers

Cyber criminals aggressively search the IoT for vulnerable devices, including Internet-connected cameras and digital video recorders. In October 2016, attackers used a new variant of a computer worm, known as Mirai, to target Dyn, an Internet performance management company. The resulting waves of Distributed Denial of Service (DDoS) attacks prevented many East Coast users from accessing Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit, PayPal, and other sites.

In a DDoS attack, attackers take over an Internet-connected device, possibly through an infected home computer or network. The malware (in this case Mirai) then spreads to everything connected to that network, including DVRs, cable set-top boxes, routers, Internet-connected surveillance cameras, even Internet-connected baby monitors, turning them into robots. Mirai is so aggressive in its search for victims that vulnerable devices are compromised within 5-10 minutes of being plugged into the Internet. Once enslaved, the devices are grouped into a huge network to send millions of messages that can take down hundreds of thousands of users. During the Mirai DDoS attack, Dyn received tens of millions of messages (more than 600 Gbps of traffic) from around the world sent by seemingly harmless Internet-connected devices.

Attackers can profit from threats like Mirai. A botnet of enslaved devices can be rented out for any number of purposes. Devices such as surveillance cameras, microphones, Wi-Fi-connected applications, and similar components can easily be hacked to gather information about business operations, security measures, and potential vulnerabilities.

Another type of attack on enterprises is an IoT Server Side Request Forgery (SSRF) attack. Attackers seek the path of least resistance, and many corporate-owned IoT devices are unknowingly deployed with security vulnerabilities. In his blog, security expert Dan Miessler warned that IoT will introduce billions of Internet-facing devices, and Server Side Request Forgery will allow Internet-based attackers to extract sensitive information from networks abstracted by IoT systems. The result is that an attacker can potentially extract sensitive data from an internal network or system that it otherwise wouldn't even be able to interact with. [3]

Miessler describes an SSRF attack as follows. An SSRF attacker sends a crafted request to Target A, which has an SSRF vulnerability. Within that request is a second request, destined for Target B, which only Target A can access. Target A sends the request to Target B and Target B replies to the attacker. The attack is on.

In November 2016, Mirai struck again. This time, attackers used Mirai to infect Internet routers on Deutsche Telekom's ISP network. Mirai entered the routers through a feature that enables the ISP to upgrade firmware remotely. Attackers then conducted a DDoS attack that took 900,000 customers offline. Even worse, once Mirai successfully breached the routers, it turned off the remote upgrade feature, which significantly hindered remediation.

[3] Daniel Miessler Blog, September 25, 2016.
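For the SSRF pattern described above (Target A relaying a request to Target B), the following Python sketch is an added example, not code from this paper or from Spirent. It shows a destination check that Target A can run before fetching any caller-supplied URL; the function names, the allow-lists, and the hostnames and addresses in SAMPLE_DNS are constructed for the demonstration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed DNS data for the demonstration; these are not real records.
SAMPLE_DNS = {
    "updates.vendor.example": {"93.184.216.34"},
    "camera-admin.corp.example": {"10.0.0.5"},  # plays Target B (internal only)
    "rebind.untrusted.example": {"93.184.216.34", "127.0.0.1"},
}


def system_resolver(host, port):
    """Addresses the OS would connect to for host:port."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def sample_resolver(host, port):
    """Offline stand-in for DNS: IP literals pass through, names use SAMPLE_DNS."""
    try:
        return {str(ipaddress.ip_address(host))}
    except ValueError:
        pass
    if host not in SAMPLE_DNS:
        raise OSError("unknown host")
    return SAMPLE_DNS[host]


def is_internal(ip_text):
    """True if Target A must not connect to this address for an outside caller."""
    ip = ipaddress.ip_address(ip_text.split("%")[0])  # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.5 is really 10.0.0.5
    return (not ip.is_global or ip.is_private or ip.is_loopback
            or ip.is_link_local or ip.is_multicast or ip.is_reserved)


def check_outbound_url(url, resolver=system_resolver):
    """Return (allowed, reason, vetted_ips) for a URL the server was asked to fetch."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return False, "malformed URL", []
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    if parts.username or parts.password:
        return False, "credentials in URL", []
    if not parts.hostname:
        return False, "no host", []
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, "port not allowed", []
    try:
        addresses = sorted(resolver(parts.hostname, port))
    except (OSError, UnicodeError):
        return False, "resolution failed", []
    if not addresses:
        return False, "resolution failed", []
    # Reject if ANY answer is internal: a mixed answer set is a rebinding signal.
    for address in addresses:
        if is_internal(address):
            return False, "resolves to internal address " + address, []
    # The caller should connect to one of vetted_ips rather than re-resolving
    # the name, and must run every redirect target through this check again.
    return True, "ok", addresses
```

The check runs on the resolved addresses, not on the hostname string, so alternate spellings of an internal address and public names that point inward are rejected the same way.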

[Figure 3. How an SSRF Forgery Attack Occurs [4]. Diagram labels: Attacker; Firewall; Victim's Vulnerable Server; Third-Party Public Network; Internal Network. Steps shown: Legitimate HTTP request with SSRF payload. Server processes the request. Based on the SSRF payload, triggers malicious request to internet/intranet resources.]

A Need for Specialized IoT Expertise

The IDC survey cited earlier found that 93.2% of respondents sought outside assistance to deal with their IoT security breaches or incidents. They also placed a high degree of confidence in their IT and IoT security partners.

"Taking a holistic approach to security is especially crucial for IoT implementations," said Sean Pike, program vice president for IDC's Security Products group. "Diverse device functions, custom software applications, newer network protocols and connection methods make securing IoT deployments extraordinarily complex. Organizations should look for a partner that can provide the widest range of expertise in these areas to help proactively address IoT security."

1. Conduct a secure architecture review to ensure that security is baked in from the ground up, rather than being bolted on later.
2. Conduct vulnerability assessments frequently on applications, networks, devices, and firmware. A vulnerability assessment identifies and logs vulnerabilities, ranks them, and recommends needed mitigation.
3. Conduct penetration testing. Penetration testing should test device firmware, binary code, related Web services, http(s) communications, and underlying Web applications. IoT deployments should be tested every 6 months and whenever hardware, firmware, or software is upgraded. A comprehensive IoT penetration test should cover cryptography, communications, authentication and authorization, platform security, and device physical security.
4. Identify service priorities. An outside expert can help enterprises objectively identify their service priorities for testing and protection.
5. Evaluate DevOps priorities. DevOps resources should be assessed to help ensure that the enterprise is focused on implementing security from the ground up for new products or deployments.

[4] Daniel Miessler Blog, September 25, 2016.

How Spirent Helps

Enterprise IT teams know that nothing is compromise-proof, and IoT deployments are at higher risk than traditional network and data center projects. Enterprises must adopt a cost-effective approach that ensures that security best practices and expertise cover all enterprise IoT solutions as well as traditional IT. This is where Spirent Communications can add value.

Spirent provides innovative products and services that help the world communicate and collaborate faster, better, and more securely. Spirent has worked with enterprises since inception to help them assess vulnerabilities, define security strategies, establish testing processes, and validate designs. The Spirent IoT solutions team includes experts in security, computer electronics, engineering, components, and wireless communications, working together to help enterprises address IoT security priorities.

Spirent SecurityLabs' dedicated teams of experienced security professionals offer comprehensive scanning, penetration testing, and monitoring services for IoT deployments. They can assess device firmware, binary code, related web services and http(s) communication, including wireless communication, for exploitable vulnerabilities and security weaknesses.

Spirent can help enterprises in several areas:

- Security program design. Spirent designs security programs from the ground up that are built on security and industry best practices. For enterprises that want to incorporate security into IoT deployment lifecycle planning, Spirent has everything needed to expedite the process.
- Securing system layers. To help mitigate risk, Spirent provides testing, vulnerability assessment, and security recommendations for specific IoT networks, applications, devices, mobility, and cloud components.
- Production IoT deployments. Spirent can assess the potential vulnerabilities in production IoT deployments and provide recommendations to help prevent exploitation of those vulnerabilities.

As the industry moves forward, Spirent also supports development of IoT security best practices and industry standards. Best practices should be established for testing end-to-end security in connected devices and deployments. There is much work yet to do, and Spirent is committed to helping enterprises take the next major step forward to securing their IoT deployments in a connected world.

Spirent CyberFlood is an important part of IoT testing. It is a powerful Layer 4-7 test solution that generates thousands of high-performance scenarios for testing the performance, scalability, and security of IoT deployments. CyberFlood emulates realistic application traffic, including IoT device messaging, while validating security coverage from enterprise to carrier-grade network capacity. Spirent TestCloud, a core component of CyberFlood, includes a library of tens of thousands of realistic applications and attack vectors and is regularly updated to ensure load and functional testing with unparalleled scalability. And unlike other testing providers, Spirent provides fully automated wireless scanning across multiple wireless device protocols. Spirent CyberFlood also can test IoT robustness through fuzz testing of IoT protocols, such as MQTT, to verify sound and stable deployments.

About Spirent

For more information, visit https://www.spirent.com

At Spirent Communications we work behind the scenes to help the world communicate and collaborate faster, better, and more often. The world's leading communications companies rely on Spirent to help design, develop, and deliver world-class network devices and services. Spirent's lab test solutions are used to evaluate performance of the latest technologies. As new communication services and applications are introduced in the market, Spirent provides tools for service management and field test to improve troubleshooting and quality. Spirent also enables enterprises, institutions, and government agencies to secure and manage their networks.

To learn more how Spirent can help with your testing requirements, please visit: https://www.spirent.com/solutions/Security-Applications

AMERICAS: 1-800-SPIRENT, +1-800-774-7368, sales@spirent.com
US Government & Defense: info@spirentfederal.com, spirentfederal.com
EUROPE AND THE MIDDLE EAST: +44 (0) 1293 767979, emeainfo@spirent.com
ASIA AND THE PACIFIC: +86-10-8518-2539, salesasia@spirent.com

© 2017 Spirent. All Rights Reserved. All of the company names and/or brand names and/or product names referred to in this document, in particular, the name Spirent and its logo device, are either registered trademarks or trademarks of Spirent plc and its subsidiaries, pending registration in accordance with relevant national laws. All other registered trademarks or trademarks are the property of their respective owners. The information contained in this document is subject to change without notice and does not represent a commitment on the part of Spirent. The information in this document is believed to be accurate and reliable; however, Spirent assumes no responsibility or liability for any errors or inaccuracies that may appear in the document. Rev A. 06/17