Hey, guess what; IoT security still sucks, finds Gemalto and Trend Micro

This horse has been beaten past death so much that it’s well on its way to ending up in a dodgy lasagne microwave dinner, but it is still disappointing to see that IoT security capabilities shows no real sign of improvement in the short-term. Two studies, from Gemalto and Trend Micro, illustrate the scale of the problem, and both come after CES highlighted just how many potentially vulnerable IoT gizmos are on their way to market.

Gemalto’s State of IoT Security report found that companies do, thankfully, have an increased focus on IoT security. The headline figures are that spending on this has increased from 11% of the IoT budget in 2017 to 13% in 2018, with 90% of interviewed firms saying IoT security is a big consideration for their customers – some 95% of customers apparently expect IoT devices to be governed by IoT security regulations. Most notably, perhaps, is that 14% of firms say IoT security is now an ethical responsibility, compared to just 4% believing so in 2017.

Citing Ericsson’s prediction of 20bn connected devices by 2023, Gemalto argues that businesses need to act quickly to implement adequate breach detection – because it found that only 48% of firms could actually detect if any of their IoT devices had suffered a breach. If the industry carries on as it is, then Gemalto’s findings suggest that there will be just shy of 10bn devices that will be exploitable by attackers, in just four years’ time.

So there we are – we’re all doomed, it seems. Gemalto found that 79% of firms are asking governments for more robust IoT security guidelines, with 59% asking for clarification on who exactly is responsible. Around 95% of firms believe that there should be uniform IoT security regulations in place, and we wish them well on achieving such legislative unity across the globe.

For what it’s worth, Gemalto is calling on governments to do something about the regulatory gulf, with CTO Data Protection Jason Hart saying “given the increase in the number of IoT-enabled devices, it’s extremely worrying to see that businesses still can’t detect if they’ve been breached. With no consistent regulation guiding the industry, it’s no surprise the threats – and, in turn, vulnerability of businesses – are increasing. This will only continue unless governments step in now to help industry avoid losing control.”

The other elements found in the survey are worth whipping through. Apparently, only 59% of IoT users are encrypting all their data, and the greatest fears of consumers are a lack of privacy caused by connected devices (54%) and that unauthorized parties will have access their devices (51%) or personal data (50%).

As for solutions, Gemalto says that blockchain has emerged as a potential solution to the security problem. Apparently, blockchain adoption has grown from 9% to 19% in the past year, and that 23% believe that blockchain is an ideal solution to the issue of device security, and that 91% of organizations that don’t currently use blockchain said they are likely to consider it for future use. However, blockchain has suffered a pretty hard PR-image hit in the past year, and so enthusiasm and corporate buy-in has waned. It remains to be seen how many organizations actually on-board such technologies, but we don’t think it’s going to be anywhere near a majority of that 91%.

The second report, from Trend Micro, found a number of concerning attack vectors in remotely controllers, powering industrial equipment. The report declares that current such controllers are less secure than garage door openers, which is sadly not all that surprising, given what we know of this industry.

The report stresses that because so many of these controllers are built on proprietary RF protocols that are often decades old, and which are focused on safety at the expense of security, they are very vulnerable to a number of attacks. Essentially, these systems are built on the assumption that whoever is issuing commands is doing so in good faith, and therefore the focus on ensuring that the commands make it through the ether, rather than on authenticating the command and its sender.

Replay attacks were cited as being particularly concerning, whereby an attacker in proximity simply records a command being sent over the air and can then later replay that command when it is most opportune. While such a vector probably requires an attacker to have some form of physical access, that’s not a burdensome task for an attacker with a budget – it will keep the script-kiddies out, but not someone being paid to get in.

Similar to replay attacks are command injection, wherein a bit of analysis might allow the attacker to calculate the other commands they could use, after recording a couple and working out what RF protocol is in play. Once these have been sussed out, the attacker can send any message they like, and as these protocols are often quite old, it means there’s a lot of documentation out there to help.

Emergency-stop abuse is pretty similar to command injection, and is essentially a denial of service (DoS) attack that stems from broadcasting the emergency stop command to the machinery. Packet sniffing can also let an attacker make clones of a remote controller too, which is the fourth vector that Trend Micro warns about.

The most dangerous attack involves reprogramming the firmware on machinery, which would give an attacker persistent and full remote control over the device. All of these attacks require only temporary local presence, meaning that a malicious gateway with a cellular radio to backhaul commands might be all that is needed for an attacker to compromise these installations. Trend Micro adds that even drones could be used.

As for the price tags for these attacks, replay and emergency-stop abuse start at a few hundred dollars, while the more complex ones might cost a few thousand dollars – with both requiring some level of expertise. In its studies, Trend Micro found that it could pick up signals using a software-defined radio (SDR) and a cheap antenna from around 300-meters away, and that the complexity needed to pull off replay attacks in this set up were minimal. What’s worse is that a couple of signal amplifiers and a professional antenna would let you do this from a few kilometers away.

Also concerning was the desire by many users of these devices to remove security features from them, with one interviewed vendor saying that it was asked by multiple customers if it could remove the need to physically push buttons on the remote control, in order to automate that function using a computer connected to the control – thereby removing humans from the loop, and leaving it open to remote hijacking.

As for advice, Trend Micro says that timely patching and ‘virtual fencing’ to disable the devices if the controllers are out of range, are good first steps. Because of the long lifetime of these controllers, vulnerabilities will persist, and the company says that “ultimately, the long-term solution of abandoning proprietary RF protocols in favor of open, standard ones should be adopted.”