Protect yourself from “Hacker in the box” Devices with the IoT Security Risk Assessment

By Dana Katz, Product Marketing Manager, published December 9th, 2019

According to IBM’s research,[1] there are more than 60 variants of the notorious IoT botnet Mirai that are increasingly targeting IP enterprise IoT devices. Read more to learn how you can reduce your risk exposure in advance before you even purchase or connect IoT devices to your network.

A recent industry study reveals: 67% of enterprises have experienced an IoT security incident[2]. From smart TV’s, IP cameras, and smart elevators, to hospital infusion pumps and industrial PLC controllers, IoT and OT (Operational Technology) devices are inherently vulnerable and easy to hack. Many of these devices come with out-of-the-box security flaws such as weak or hardcoded passwords, misconfigurations in the operating system, and known vulnerabilities (CVEs). Their inherent security weaknesses and the fact that they are poorly protected made IoT devices an attractive target for bad actors. Hackers are continually looking for ways to exploit device vulnerabilities so they can attack the devices themselves or better use them as an entry point to the corporate network.  IP cameras can be used to spy on users, medical devices can be shut down, and critical infrastructure (such as power grid controllers) can be taken over to generate colossal damage. The risk is high and enterprises across different industries are exposed.

Make sure your IoT Devices Running Secure Firmware from the Get-go

An effective way to reduce exposure to the IoT risk is to perform a security risk assessment to the IoT device firmware in advanced. Such assessments can help IoT manufacturers to release devices with better security posture, provide their customer with a security-peace-of-mind, and also comply with emerging IoT security regulation (e.g., CA SB 327, active from January 2020 in California). This risk assessment can also help IT organizations in making better security decisions before purchasing or connecting new IoT devices into their networks.

A new technology, recently added to the Check Point IoT security solution (with the acquisition of Cymplify), allows producing a detailed IoT Firmware Risk Assessment Report for every device. This report reflects a firmware-specific risk assessment based on up-to-date and comprehensive IoT-specific treat intelligence. Using a cloud-based service, both IoT developers and IT managers can quickly produce such a report within minutes, and without needing the firmware source code.

The IoT Firmware Risk Assessment Report presents ALL of the inherent security flaws associated with a specific firmware, even if those are related to 3rd party components that were embedded into the firmware during development (a very common practice in IoT development).

The report also offers practical mitigation steps to reduce the exposure that can be beneficial both to those who make the devices and to those who deploy them.

The screenshots below are taken from a Firmware Risk Assessment Report of a specific IP camera firmware that is widely deployed in enterprises and offices worldwide.

Figure 1: a summary of an example Firmware Risk Assessment Report (for a popular IP camera).

Expose weak, guessable, or hardcoded passwords

The report includes assessment of the firmware credentials strength to detect and alert about the use of easily brute forced, publicly available, or unchangeable credentials. During the assessment we compare the firmware credential configurations to publicly available password lists (such as the one that was used for the Mirai attack) and we run a brute force on the device to identify weak or guessable passwords.

In the bellow example, the first and second credentials were found in such a known credential lists, and the report highlight them in red as critical.

Figure 2: Credentials Strength analysis

Known vulnerabilities

The report provides a list of all CVE’s associated with the specific firmware. After extracting the device firmware, it automatically runs a CVE search in the MITRE website and classifies every vulnerability base on its severity and attack vector (Network/physical attack).

Figure 3: CVEs (known vulnerability) associated with the IoT device firmware

The Firmware Assessment Report includes additional details on operation system misconfiguration, private keys security, and listed domains. 

Check Point recently acquired Cymplify Security to extend its IoT security offering with a unique on-device runtime protection technology. With the new technology it is now possible to take an IP camera, a Smart TV, an elevator controller or an infusion pump, and in a rapid manner, analyze and harden and protect it against known and zero-day attacks. To read more about the acquisition click here.

[1] IBM X–Force: Mirai is increasingly targeting enterprise IoT devices

[2]  State of Enterprise IoT Security in North America, Forrester and Armis