Miri Ofir is the Research and Development Director at Check Point Software.
Gili Yankovitch is a technology leader at Check Point Software, and a former founder and VP of Research and Development at Cimplify (acquired by Check Point).
With billions of connected devices that lack adequate security around them, the Internet of Things (IoT) market represents an extremely promising target in the eyes of cyber criminals. IoT manufacturers are grappling with emerging cyber security regulations and change is happening. However, concerns still abound.
In this dynamic interview, Check Point experts Miri Ofir and Gili Yankovitch discuss what you need to know as we move into 2024. Get insights into IoT exploit techniques, prevention approaches and best practices. Address IoT security issues effectively – starting now.
What does the global threat landscape look like and could you share perspectives around 2024 predictions?
The global threat landscape has been affected by the increasing number of geopolitically motivated cyber attacks. We're referring to state-sponsored attacks.
Cyber espionage by state-sponsored actors aims to steal intellectual property, gather intelligence, or even lay the groundwork for potential sabotage. Countries like Russia, China, North Korea, and Iran have advanced state-sponsored cyber attack skills, and we can track complicated campaigns affiliated with those countries.
An example of such type of campaign is a supply chain attack. As the name implies, this involves targeting less-secure elements in an organization's supply chain. The SolarWinds hack from 2020 is a notable example, in which attackers compromised a software update mechanism of a business to infiltrate numerous government and private sector systems across the U.S.
The Internet of Things (IoT) market is highly targeted and prone to supply chain attacks. The rapid proliferation of these devices, often in absence of robust security measures, means a vast expansion of potential vulnerabilities. Malicious actors can exploit IoT weak points to gain unauthorized access, steal data, or launch attacks.
What are IoT device manufacturers’ biggest challenges at the moment?
IoT manufacturers are facing evolving regulation in regards to cyber security obligations. The supply chain concerns and the increasing attacks (41% increase in IoT attacks during Q1 `23 compared to Q1 `22) have led governments to change policies and to better regulate device security. We see two types of programs being rolled out:
1. Mandatory regulations to help manage Software and Hardware Bill of Materials (SBOM) and to verify that products will go to the market with some basic cyber security coverage. SBOMs will help manufacturers get a better understanding of the components inside of their products and maintain them through patches and other mitigations. This will add overhead for manufacturers.
2. Excellent initiatives like the U.S. cyber trust mark and labeling program, which aims to dispel the myth of clarity about privacy and security in the product and to allow educated users to select safer products, among other considerations, like energy efficiency.
While this is an obligation and a burden, it is also a business opportunity for manufacturers. The market is changing in many respects. For example, the U.S. sanctions over China are not only financially motivated; the Americans see China as a national security concern and the new sanctions push major competitors out from the market.
In this vacuum, there is a room for new players. Manufacturers can leverage the changing landscape to gain higher market share by highlighting cyber security in their products as a key differentiator.
What are the most used exploit techniques on IoT devices?
There are several main attack vectors for IoT devices:
1. Weak credentials: Although manufacturers take credentials much more seriously these days than previously (because of knowledge, experience or on account of regulation), weak/leaked credentials still plague the IoT world. This is due to a lot of older devices that are already deployed in the field or due to still easily-cracked passwords. One such example is the famous Mirai botnet that continues to plague the internet in search of devices with known credentials.
2. Command injection: Because IoT devices are usually implemented with a lower-level language (due to performance constraints), developers sometimes take “shortcuts” implementing the devices’ software. These shortcuts are usually commands that interact with system resources such as files, services and utilities that run in parallel to the main application running on the IoT device. An unaware developer can take these shortcuts to provide functionality much faster to the device, while leaving a large security hole that allows attackers to gain complete control. These developer actions can be completed in a “safer” way, but will take longer to implement and change. Command weaknesses can be used as entry points for attackers to exploit vulnerabilities on the device.
3. Vulnerabilities in 3rd party components: Devices aren’t built from scratch by the same vendor. They usually consists of a number of 3rd party libraries, usually open-sourced, that are an integral part of the devices’ software. These software components are actively maintained and researched, therefore new vulnerabilities in them are discovered all the time. However, the rate in which vulnerabilities are discovered is much higher than that of an IoT device software update cycle. This causes devices to remain unpatched for a very long time, even for years; resulting in vulnerable devices with vulnerable components.
Why do IoT devices require prevention and not only detection security controls?
Unlike endpoints and servers, IoT devices are physical devices that can be spread across a large geographical landscape. These are usually fire-and-forget solutions that are monitored live at best or sampled once-a-period, at worst. When attention to these software components is that low, the device needs to be able to protect itself on its own, rather than wait for human interaction. Moreover, attacks on these devices are fairly technical, in contrast to things such as the ransomware that we see on endpoints. Usually, detection security controls will only allow for the operator to reboot the device at best. Instead, prevention takes care of the threat entirely from the system. This way, not only is mitigation immediate, it is also appropriate and reactive, in accordance with each threat and attack it faces.
Why is it important to check the firmware? What are the most common mistakes when it comes to firmware analysis?
The most common security mistakes we find in firmware are usually things that “technically work, so don’t touch them” and so they’ve been left alone for a while. For example, outdated libraries/packages and servers; they all start “gposting” CVEs over time. They technically still function, so no one bothers to update them, but many times they’re exposed over the network to a potential attacker, and when the day comes, an outdated server can and will be the point of entry allowing for takeover the machine. A second common thing we see is private keys, exposed in firmware, that are available for download online. Private keys that are supposed to hold some cryptographically strong value – for example, proof that the entity communicating belongs to a certain company. However, they are available for anyone who anonymously downloads the firmware for free. This means they no longer hold a cryptographically strong value.
What are some best practices for automatic firmware analysis?
Best practices for automated assessment – in my opinion, the analysis process is broken into 3 clear steps: Extraction, analysis, report.
A) Extraction: Is a huge, unsolved problem, the elephant in the room. When it comes to extracting firmware, it is not a flawless process. It is important to verify the results, extract any missed items, create custom plugins for unsupported file types, remove duplicates, and to detect failed extractions.
B) Analysis: Proper software design is key. A security expert is often required to assess the risk, impact and likeliness of exploit for a discovered vulnerability. The security posture depends on the setup and working of the IoT device itself.
C) Report: After the analysis completes, you end up with a lot of actionable data. It's critical to improve the security posture of the device based on action items in the report.
For more insights like this, please sign up for the cybertalk.org newsletter.