IoT Security Hysteria & Some Development Tips to Avoid Being Called Out at Defcon
Being in the fairly uncommon position of founding both security and mobile app development companies, I get to play poacher and gamekeeper on a daily basis. For my American friends, that’s offense and defense! I wanted to add a little value from this viewpoint and give some security pointers to anybody working on IoT projects.
I was at Defcon a few weeks ago. For those not in the security loop, it’s the largest conference for security researchers, hackers and most likely undercover government agents in the world. We watched as the latest batch of super bright security nerds tore apart company’s products and exposed their security flaws. This event is accompanied in the media with carefully worded articles to create as much shock factor as possible “Hackers are taking control of your home!” etc. These articles generally do not really dig into the technical facts of the hack too much and ignore the details like the researcher spent 2 months taking apart the toaster to physically replace the software on it so they could remotely burn your toast.
The following week, I was leading a bunch of developers building mobile apps for IoT manufacturers who are racing to get their products to market before the competition on limited budgets. In fact, as I type this I have 2 IoT prototypes sitting on my desk with their LED’s blinking at me reminding me I should probably be working instead of writing this.
I understand both mindsets. The security researcher, “I’m going to pull apart this IoT system as I love breaking stuff, making the world a more secure place, and possibly get my company / self some free publicity in the process”.
As well as the the IoT project team, “Let’s worry about security later as my competition is about to launch its new (equally insecure) IoT flower vase and I need to beat them to market and anyway we’ve spent all the budget on marketing”.
If a security researcher or real world hacker really wants to pull apart your new IoT product, and is willing to spend 6 months doing it, they probably will. But like a lot of security, just covering the basics will stop the vast majority of security weaknesses. I will cover some of those basics below.
Firstly, lets cover the basic types of IoT devices we see come into the development office, as everyone knows what an app is but probably doesn’t know what’s at the heart of an IoT device.
The IoT device
The devices that come through our door generally fall into two camps. I’m probably going to get beaten up for my terminology here, but let’s define the two types: embedded and Linux devices
With embedded devices the code is compiled by the developer into a firmware package that interacts directly with the chipsets on the device. The firmware is bundled up and pushed to the device. The well-known Arduino board is an example of this. The code is written on a computer, then compiled and sent to the device to run. Chipsets will be bundled together on a printed circuit board to create a shiny IoT device.
The IoT manufacturer might create a design where they need a processor to execute the code, and then another chipset for Bluetooth connectivity and another that gives us WiFi. This set-up is preferred for small devices, which may need to be powered by a battery for months as they do not have the overhead of a full operating system.
Linux IoT devices usually come to us in prototype form running on a Raspberry Pi or similar mini-computer with a few sensors connected. These devices are based on top full operating systems so they have the benefit of easily being able to just build on top of programming languages like Python and well established Linux libraries. The disadvantage of these is they usually draw more power and are bulkier.
Some Security Tips
So what are some of the ways we can protect our new IoT devices from hackers and sneaky security researchers?
Encryption (Use It)
Not a single Bluetooth device we’ve been sent to build an app for has had encryption enabled out the box. And that’s fine for development, but what happens when you come to enable it a week before the device is sent to manufacturing and realize it has an issue with the encryption stack?
Get into this early, as you might find the chipset or firmware doesn’t play ball and you end up sending your device to market with clear-text transmissions. That’s when your device ends up on a Defcon stage with someone sniffing your BT connection and performing replay attacks to rounds of applause.
Popular IoT protocols such as MQTT have mechanisms for using TLS for network encryption and certificate based authentication. I know from personal experience it’s a pain in the posterior to get setup, but once done it offers a really tight solution for stopping man-in-the-middle attacks with your devices.
Does your device support storage encryption? If so encrypt the storage media and operating system and build this into your manufacturing process. That way if one of these pesky security researchers pulls out the SD card from your Raspberry Pi, they can’t just start pulling apart your entire build and figuring out how it works.
When choosing your hardware, quiz the manufacturer/hardware designer on the security of the devices being used. Do they support the latest security mechanisms? I often found this is one of the last things considered after power consumption, speed of comms etc.
Embedded Signed Code
Some device hacking involves the attacker being able to code their own firmware and replace the manufacturer’s code on the device. This can be countered by using a digital signing mechanism where only the manufacturers signed code is allowed to be loaded onto the device. This could really slow down or stop a hacker trying use your device for their purposes.
Disable Uneeded Network Services
Many IoT devices are targeted over normal WiFi network connections, mainly as this is easy. Just download a port scanning tool like NMAP, scan the device. Whoop! The lazy developers have left telnet open for easy access and suddenly I’m a hacking God! Not. So make sure that the devices have unneeded, insecure services removed or firewalled. No one should be using unencrypted protocols like telnet in 2016 anyway.
Disable Physical Ports
I’ve seen numerous hacking demonstrations where the researchers have taken a device apart to find a USB or network port, and connect in a way that the manufacturers didn’t account for. Physically remove or disable these ports on your device if it doesn’t need them. If they are needed for maintenance or updates, then disable them at a software level when not in use.
Lock Down The OS
There is a lot of information on how to lock down the Linux operating system. If your device has an out the box install of Linux, someone in the know should spend a day locking the build down and making sure all the easy hacking wins are removed, disabled or patched.
Is there a way to update the device? New vulnerabilities come out daily and you might find you need to get your devices patched in a hurry. Do you have a mechanism to do this?
All self-respecting IoT devices have a mobile app to control them. Ask your developers whether some basic security measures like SSL pinning have taken place. Envision SSL pinning as a tighter verified connection between the app and back-end APIs, making life difficult for security researchers and hackers who will usually abuse the absence of pinning to see how your app interacts with the back-end services.
Jailbroken Device Detection
It is possible both from IOS and Android apps to check to see whether the device they are installed on looks to be jailbroken/rooted. This means the bad guys could try and analyze your app from a device where they are admin. The checks in code can be subverted but it’s another barrier to slow down a would-be attacker.
Hire Security Professionals
Many of the IoT teams we work with have good budgets, and could definitely spend money on getting a security consultant in-house for a week or two to test a prototype and make recommendations. The making of the new shiny cool app and the rush to market often overshadow this need. Build this into your quarterly budget, and take their advice.
Ask Your Developers About Security
I’m sure the topic of security does come up in most IoT development teams but how deeply this conversation goes varies massively from my experience. I’d encourage anyone involved in this process to ask some probing questions about how deeply this has been thought out, and get the aforementioned security professionals in the conversations during the design phase.
This is a toe deep look at IoT security, if you’d like to chat some more about any of this, mail Rob Pope on linked-in or reach out via our contact form. Rob is a co-founder of Tiro Security, with experience on the technical side of cybersecurity.