Why good security foundations are better than the best security mitigation
Since founding VDOO, we have been working to analyze a great many IoT devices, in the broadest way possible. The more we look into these devices and find their vulnerabilities, the further we validate a basic hypothesis: security for the IoT must start with the most basic security building blocks.
It is very challenging to add security to an operating device retrospectively, as it is to mitigate security concerns after-the-fact. Hence, security should be in the DNA of the device. There are just a few key steps which need to be taken in order to deal with most IoT attack vectors – from the simple ones that utilize default passwords, to the most complicated that exploit a newly-discovered. But, these few security essentials must be implemented correctly and accurately.
These ‘security building blocks’ differ from one device to the next, since they are heavily dependent on the device’s attributes. But how can these principles deal with the unknown? With zero-day vulnerabilities? Is it even possible? We have learned from the traditional IT world that a new and unique security agent had to be developed specifically to deal with such vulnerabilities. So how can a mere few security building blocks be all that is needed for IoT?
First, it has a lot to do with the goal of the attack, as well as the nature of IoT versus IT. For the most part, PCs have the ability to receive emails and browse the web, not to mention the endless ways in which the user can interact with the system. With many IoT devices, this is not and will not be the case. User interaction is designed to be very limited, so the malware delivery method would have to depend on things other than user interaction. In most cases, these would be inherent vulnerabilities, but as the reality stands today, it is primarily missing security essentials that are the cause.
And no, it is not entirely possible to deal with all known and unknown vulnerabilities with just a small set of security building blocks. However, it makes it significantly harder to exploit vulnerabilities if basic security is implemented.
Security fundamentals work
For many different reasons, most devices lack security. In many cases, these devices do not even have the most basic fundamentals of security, such as enforcing a default password change, protecting the boot process, checking firmware integrity, or encrypting communication with the app controller or web services.
For these devices, attackers do not necessarily even need to look for a vulnerability, as the flow of attack can be very straightforward. But, if basic security mechanisms are implemented, the attacker must look for vulnerabilities. These can be vulnerabilities in the security building blocks themselves or vulnerabilities in other software components of the product.
If the basic security mechanisms are implemented properly, it would be very had for the attacker to find vulnerabilities to bypass them; and it will be much harder for the attacker to exploit vulnerabilities which are not part of the security building blocks, as these basic mechanisms will prevent them from doing so successfully. The last point is worth dwelling on: even if an attacker does find a severe vulnerability, it will be very difficult to exploit if basic security is implemented.
A real world example
To better clarify this, I will use a recent example from our labs. As part of our research process, we discovered several new vulnerabilities in a commercial IP camera that also had previously known vulnerabilities. Almost all of the vulnerabilities enabled an attacker to execute code on the device, allowing them to download files to the device, run processes, install packages and use the device as a bot or for another purpose. In other words, if the attacker finds a way to log in to the device, then this vulnerability will allow him to do whatever he wants.
What needs to happen for malware to be able to exploit vulnerabilities like these? First, it needs to log in or bypass the authentication mechanism to gain access. In simpler terms – it needs the admin credentials to get in or it needs to break the login mechanism. Only then can it exploit the vulnerability to run code on the device.
Devices that do not force a change from the default password are the easiest targets and responsible for some of the largest attacks to date. And yet it depends on such a simple mechanism: requiring the default credentials to be changed. Through implementing just this one change, the vulnerability in question becomes much less valuable, and much harder to exploit for a mass remote attack.
Looking at other vulnerabilities in many types of devices (routers, cameras, doors, fire-alarms, smart TVs) we see exactly the same phenomena: ‘severe vulnerabilities’ which are considered to be very sophisticated, but whose successful exploitation by a remote source is highly dependent on a lack of basic security. If only the makers of these devices had taken care to properly implement the security building blocks in the first place, the chances that these severe vulnerabilities would be exploited could have been dramatically lower.
Basic security, if implemented correctly, can constitute a very efficient way to make it hard for attackers to gain access, even when they do manage to locate a new vulnerability on the victim’s IoT device.