Finally, this is Part 3 of a 3-part series on IoT Wireless Security Vulnerabilities & Solutions. See a video overview here. A significant portion of this series originates from a white paper published earlier this year with technical contributions from security researcher colleague RJ Brownlow. The white paper was expanded upon and customized for a technical paper and presentation for the 2016 SCTE/ISBE conference and is highlighted in the video link above.

For an introduction and attack scenarios, be sure to view the links to Part 1 and Part 2 above. The following post will dive right into the final review of tools, solutions, and conclusions.

Tools For IoT Security

Most Information Security Professionals are not typically trained to mitigate hardware-based attacks. With that said, Information Security Professionals with experience in wireless security mitigation tactics often have the building blocks to quickly get up to speed on the various attacks and defenses used with wireless radios.

The first thing that an Information Security Professional needs is a collection of hardware and software tools that will help assess the environment and give them the ability to develop an effective defense in depth.

One of the biggest challenges for researchers looking into wireless security is the high cost and complexity of obtaining software and application program interface (API) code from major semiconductor providers. Without the software that allows interaction with commercial radios, a researcher has limited ability to develop tools or other equipment that will run on multiple manufacturers’ equipment. The purpose of this section is to offer several tool options for professionals to get up and running quickly, rather than providing an exhaustive comparison.

For spectrum analysis, professionals have for years relied on analyzers that are expensive. Fortunately, there are several newer options for portable or handheld analyzers scanning various ranges of spectrum. One example is the RF Explorer, in the $100 – $500 range depending on the functionality required.

For packet sniffing, decryption, and playback, there are almost too many choices in tools. However, many of these tools are specific to a single device or protocol. Tools that cover multiple radios and protocols often run in the thousands of dollars, making them cost prohibitive for the average professional. The time and energy expended to wade through all the options can be enormous. The challenge is finding the best and broadest combination of radios and software at a reasonable cost and effort for a security professional. Fortunately, open source projects and even commercial solutions are moving in the right direction.

Let’s begin with low-cost solutions. One very effective toolset for key analysis is the KillerBee framework, which was created by Joshua Wright, a noted wireless security expert, and has been made freely available to everyone. KillerBee is really a suite of hardware and software tools that allow sophisticated interception, analysis, and even transmission of 802.15.4 packets. The software included in KillerBee is a collection of Python scripts that are easily modified and can be built upon to create even more capabilities and interaction with ZigBee radios. For Joshua’s experiment, the recommended device of choice is the RZRaven AVR, a $40 USB stick with monitoring and packet injection capabilities.
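As an added illustration (not code from KillerBee or from the original post), the Python sketch below shows the kind of analysis such scripts perform on captured 802.15.4 frames: it parses the MAC header and flags data frames that carry neither MAC-layer nor ZigBee NWK-layer security. The function names and sample frames are constructed for this example, and it assumes the FCS has been stripped, 2003/2006 frame versions, and a ZigBee NWK header at the start of the payload.

```python
import struct

FRAME_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "mac-command"}
ADDR_LEN = {0: 0, 2: 2, 3: 8}  # addressing mode -> address length in bytes

def parse_frame(frame: bytes) -> dict:
    """Parse an 802.15.4 MAC header (FCS already stripped). For data frames
    without MAC security, also read the ZigBee NWK frame-control security bit."""
    if len(frame) < 3:
        raise ValueError("shorter than frame control + sequence number")
    fcf, seq = struct.unpack_from("<HB", frame, 0)
    ftype = fcf & 0x0007
    mac_security = bool(fcf & 0x0008)      # bit 3: Security Enabled
    pan_compression = bool(fcf & 0x0040)   # bit 6: source PAN ID omitted
    dst_mode = (fcf >> 10) & 0x3
    src_mode = (fcf >> 14) & 0x3
    if 1 in (dst_mode, src_mode):
        raise ValueError("reserved addressing mode")
    offset = 3
    if dst_mode:
        offset += 2 + ADDR_LEN[dst_mode]   # PAN ID + address
    if src_mode:
        offset += (0 if pan_compression else 2) + ADDR_LEN[src_mode]
    if offset > len(frame):
        raise ValueError("truncated addressing fields")
    nwk_security = None                    # unknown unless it can be read
    if ftype == 1 and not mac_security and len(frame) >= offset + 2:
        (nwk_fc,) = struct.unpack_from("<H", frame, offset)
        nwk_security = bool(nwk_fc & 0x0200)  # bit 9 of NWK frame control
    return {"type": FRAME_TYPES.get(ftype, "reserved"), "seq": seq,
            "mac_security": mac_security, "nwk_security": nwk_security}

def unprotected_data_frames(frames):
    """Indexes of data frames with neither MAC nor NWK security set."""
    parsed = [parse_frame(f) for f in frames]
    return [i for i, p in enumerate(parsed)
            if p["type"] == "data" and p["nwk_security"] is False]

# Constructed sample capture (not real traffic).
SAMPLE = [
    bytes.fromhex("61 88 2a 62 1a 00 00 2c 3f 08 02 00 00 2c 3f 1e 01"),
    bytes.fromhex("61 88 2b 62 1a 00 00 2c 3f 08 00 00 00 2c 3f 1e 02"),
    bytes.fromhex("02 00 2a"),  # acknowledgement
]

if __name__ == "__main__":
    print(unprotected_data_frames(SAMPLE))
```

ZigBee normally applies security at the NWK layer, so a clear MAC security bit alone is not a finding; the frame worth investigating is one where both bits are clear.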

For maker kit developers, I assembled a Raspberry Pi with multiple radio antennae running the Kali Linux implementation for penetration testing. The tool includes a 7” flat touchscreen display along with optional keyboard and mouse. Kali Linux is a Debian-derived Linux distribution utilized by researchers for penetration testing and forensics. The collection includes a wide variety of programs and utilities for application scanning, port scanning, packet analysis, penetration, password cracking, and attack management. The distribution can run on several other kits from BeagleBone, ARM, and other mobile devices. The mobility and powerful capability of this implementation is very appealing as it enables greater flexibility to get up close and personal to solve problems.

Another very effective open source project is the Metasploit Framework originally developed by H.D. Moore. It is known widely as a portable tool for exploit development and vulnerability detection. The framework runs on both Unix and Windows based platforms.

Texas Instruments (TI) offers several useful, low-cost wireless radios and software solutions. Each wireless radio can be purchased in a USB dongle form factor for around $50. The TI Sniffer and other software can be downloaded at no cost from the TI website. TI also has a nice LaunchPad kit for prototyping and connecting with various sensors and data platforms. For further analysis, the results can be imported into Wireshark, another common low budget solution.

A relatively affordable option originating from its Wi-Fi specialization is Wi-Spy inSSIDer software with the Mini adapter for under $250. This entry-level solution enables spectrum and channel analysis in the 2.4 GHz range for multiple protocols. For a greater range of spectrum and more analysis and reporting capabilities, there are options in the $1k to $2k range.

For companies and professionals willing to spend a few thousand dollars, the SiLabs debugger device with the Ember Insight desktop software is a formidable combination used by communications companies to capture and debug packets in the lab and in the field. The cost is in the $3k-$5k range for the combination.

A robust commercial tool that provides extraordinary simplicity and out-of-the-box support for multiple dongles is software from Perytons. The software runs around $3k for the basic package with packet sniffing and decryption. The basic package includes real-time network mapping, performance stats, and complete interpretation of packet components and payloads. Researchers can upgrade with add-on modules for multi-channel, transaction play-back scripting, traffic generation, remote control, and advanced software development kit (SDK) capabilities depending upon the level of sophistication desired.

Security professionals have a plethora of tools from which to choose, but in wireless security it is even more imperative to ensure professionals have the right tools for their unique jobs.

Combating Security Vulnerabilities

1.  Security Strategy & Testing

This paper has highlighted the complexity of IoT solutions and the relative simplicity of exploiting security flaws in some devices and networks. How can organizations solve these security issues to protect their customers and constituents? Coordination between companies, standards bodies, device manufacturers, network operators, and software companies is essential to delivering the end-to-end security that currently does not exist in most platforms. We’ll explore methods for these stakeholders to focus on solving security vulnerabilities together.

Companies offering or working with IoT solutions need to develop a comprehensive security strategy. The process begins with establishing a program if it doesn’t already exist. The program may include collaboration with, and adoption of industry standards for IoT security. There are several industry standards bodies and groups that have published security standards, some including IoT specific models. Examples of standards organizations leading the way include GSMA, NIST, SANS, OWASP, ISO, and IEEE in addition to a few others.

Companies that are heavy users or resellers of IoT can mitigate risk by conducting vulnerability assessments and active penetration testing to expose attack surfaces and points of failure. The assessment and testing require initial planning and mapping to prioritize the highest-risk areas and to plan for damage control from test results. Active testing often generates surprise results and sometimes potential system outages that must be anticipated. Finally, the risks should be re-prioritized based on impact and ability to mitigate real problems.

2.  Case Study on End-to-End Security

An example of how industries can implement end-to-end security solutions in IoT can be illustrated by an automotive scenario. Hacking into cars has been demonstrated for several years at DefCon and by independent researchers on many different vehicles. The following case study brief highlights how GSMA IoT guidelines can be implemented for comprehensive security safeguards in automotive and other industries.

The connected vehicle ecosystem is comprised of telematics systems that aggregate data, provide entertainment, and visualize diagnostics. A central computing system guides real-time decision making. Embedded sensors guide drivers toward safe negotiation of road conditions. Wireless communication systems interact with nearby peers to relay safety critical metrics and alerts.

Common strategies used to attack automotive IoT technologies include exploiting weaknesses in telematics peer authentication, cryptographic tampering, compromising endpoint integrity in MCUs, blurred lines between applications, flaws in applications, and weaknesses in business logic. Savvy hackers confidently exploit network communications and physical endpoint device vulnerabilities embedded in the vehicle.

Solving these exploits is achievable with a thoughtful approach. GSMA’s guidelines provide a good approach for protecting against automotive IoT vulnerabilities. First, manufacturers should use a Trusted Computing Base (TCB) with a collection of policies, procedures, and technologies that enforce the use and security of cryptographic and application-based tokens. Having a strong TCB is essential to a trustworthy security solution. Next, network communications must be secured so that devices can authenticate and communicate with complete integrity. Networks must ensure that communications cannot be intercepted, altered, or impersonated. Many IoT solutions can reduce risk by establishing a VPN (virtual private network) for a more secure network connection. Application security is the next level of security required for trusted environments. The correct way to secure applications is by isolating them in jails, VMs, containers, or another abstraction that limits functionality and access to system devices and resources such as the CANbus. Finally, implementing device tamper resistance is an important strategy, even if only to deter physical intrusion or render the attack not cost-effective. An example is to include light-sensitive fuses or circuits that purge critical memory components when a device is opened improperly.

These guidelines are just a few developed by GSMA that can be applied to automotive and many other applications. IoT security issues can be solved, but doing so requires building in security beginning with the architecture and early design while working aggressively with other solution partners. The ecosystem is still somewhat fragmented, although standards bodies and solution providers are collaborating to deliver more secure and interoperable solutions.

Conclusion

The Internet of Things is, at the same time, providing extraordinary value while significantly increasing security vulnerabilities. There are many factors contributing to the risk, beyond the simple explosion in volume of usage. The IoT ecosystem is very complex, especially when platforms interoperate across different technologies at every layer of the stack (chips, devices, OS, network protocols, transport, applications, standards, and more). These complexities coupled with the cost of prevention are often cited as primary reasons for increasing security risks. While these factors have merit, a fundamental difference is that IoT is increasingly controlling devices that can cause great harm if exploited (vehicles, health devices, machinery, etc.). The potential negative impact can be tragic. Fortunately, security professionals do have weapons at their disposal and the economics are moving in their favor.

Component costs traditionally have been high but are becoming more economical. The IEEE 802.15.4 standard was created for use in residential and industrial markets. The more rapid proliferation of IoT in the industrial market has driven production costs down for necessary components (radio chipsets, microcontrollers, etc.). While this allows the residential segment to take advantage of the added cost benefits of proven technology, this also adds pressure to partners within the ecosystem to stay competitive. Unfortunately, the area that has suffered from cost cutting is device and end-to-end platform security. Encryption needs computational power, which requires hardware, which in turn adds cost. Partners will need to work together to spread costs across multiple organizations to develop a true ecosystem, where all are invested in security of the customer (and success of their products).

The industry needs more highly trained security professionals to deal with the rising risk. Experts and government officials echo a call for more qualified experts. As illustrated, tools and methodologies exist to aid professionals in IoT security prevention. One key to success will be to increase the number of security professionals trained on these tools and develop robust end-to-end security solutions to solve complex issues presented by disparate IoT ecosystems. Every industry goes through a maturation and optimization process. The IoT space will do the same over time. The challenge will be to get ahead of the curve before serious issues occur.