
WHITE PAPER

Copyright ReFirm Labs, Inc. 2019 | www.refirmlabs.com

Connected IoT Device Security - Why Firmware Vulnerabilities Matter

We live in a world of connected embedded devices. The newer Internet of Things (IoT) devices capture the spotlight with the promise of transforming industries and changing the way we live. In the background are the legacy devices, which control the power grid, transportation infrastructure, and medical procedures, and which touch almost every aspect of daily life.

Our reliance on connected devices continues to rise - and making these devices secure is critical.

Security for connected devices is not simply an academic matter; real-world examples of cyber attacks involving IoT devices are just a Google search away. In my case, these attacks are frequent headlines in the security newsletters that constantly fill my inbox.

IoT security is finally receiving the attention it sorely needs. IoT security companies are being founded, incumbent suppliers are investing in new products and technologies for IoT security, and conferences are being devoted to this topic. Yet despite all the talk, we see a steady increase in the number of successful attacks on connected devices.

The question is, why are so many devices still being hacked?

No one sets out to build a product that is easy to hack. Obviously, product requirement documents are not filled with directives to include backdoors or easily bypassed authentication. Yet many products contain these backdoors and other easily avoidable security vulnerabilities. In short, many devices can be easily hacked.

So why are companies releasing connected products laden with vulnerabilities? While there are many contributing factors, one critical problem is that engineers often just don’t know that security vulnerabilities are present in their devices. The fact is that vulnerabilities are all too often the result of unintentional errors.

The Firmware Security Problem


Unintentional errors

Security vulnerabilities can be introduced as the result of not following secure coding practices or by including a library that contains vulnerabilities. Also, new product features may have security-related side-effects that are not readily apparent. For example, a modification to existing software may have side-effects in other subsystems. Any of these unintentional mishaps can lead to security vulnerabilities.

Limited security countermeasures

IoT devices are, by their nature, resource constrained. Their processors and operating systems are less costly, less capable, and less sophisticated than those found in laptops and servers. As a result, security countermeasures such as TPM hardware, address space layout randomization (ASLR), and other advanced capabilities are not available on these devices.

In short, engineers lack visibility into the hidden security vulnerabilities that exist in their devices, and they lack the advanced tools needed to defend against possible attacks.

Understanding security risks is critical to protecting the IoT.


Finding Vulnerabilities

Engineers can’t fix vulnerabilities they don’t know about. Finding vulnerabilities is crucial, as many of them can be easily addressed and fixed once they are known. Manual methods of finding security flaws are slow, tedious, and error-prone, and they require in-depth security knowledge. Worse still, unless all security vulnerabilities are eliminated, the devices could still fall victim to a cyber-attack. In many cases, a hacker only needs to find a single vulnerability to successfully take over a device, so it is critical that as many vulnerabilities as possible are eliminated.

Given these challenges, it is no surprise that so many devices ship with easy-to-exploit security vulnerabilities.

We know from the frequent headlines of successful cyber-attacks against embedded devices that hackers excel at finding and exploiting vulnerabilities. Hackers frequently analyze firmware, searching specifically for vulnerabilities. Gaining access to the firmware for a connected device is often a trivial effort. In many cases, the firmware can be downloaded from the website a vendor uses for distributing firmware updates. In some cases, a little more effort is required to read the firmware from flash memory on the device, or to obtain it from another source.

With firmware in hand, hackers unpack the firmware and begin the process of looking for weaknesses to attack. Using a combination of open-source tools and manual analysis, they search for web servers, telnet servers, USB interfaces, and other methods they can find to communicate with the device. These services enable communication with and control of the device and are themselves common sources of vulnerabilities. Hackers pride themselves on being able to analyze the firmware for these services. They are often able to find authentication processes that can be defeated or bypassed, which allows them to control the device during a cyber-attack. They also search for opportunities to execute buffer-overflow attacks and other denial-of-service attacks against the device.

An automated tool that can identify and prioritize vulnerabilities enables development of secure devices.

To even an experienced engineer, manually searching for exploitable flaws seems like searching for the proverbial “needle in the haystack”. For a hacker with the right tools and skills, this is more akin to hiking in a national forest, equipped with a map and compass. If you have never hiked in the wilderness and don’t know how to read a map and compass, you will get lost. But the seasoned hiker is able to find his or her way, and likewise, a hacker with the right training, good tools, and strong motivation has a well-marked path to travel as he or she seeks ways to hack the device.

Analyzing firmware images often reveals the symbol table and text strings, which can be used to reverse engineer functionality and identify vulnerabilities. In some cases, password hashes and security keys are also found. Open-source libraries and services are frequently present. With open-source solutions, the source code is available along with known vulnerabilities (Common Vulnerabilities and Exposures, or CVEs).


Impact of Vulnerabilities in Embedded/IoT Devices

A vulnerability is simply a flaw in the design or implementation of a system that hackers exploit during a cyber-attack. For example, Telnet support that gives shell access with an enabled “root, root” login is a design flaw, as is a web interface with a hidden backdoor that allows access to any user who knows how to access it. A web interface that accepts input into a fixed-length buffer without range-checking the data creates a buffer overflow vulnerability, which is an implementation error.

The potential impacts of vulnerabilities are also important to understand. They range from minor performance degradation, to injecting malicious firmware that takes complete control of a device, and everything in-between. Impacts of a cyber-attack include:

• Performance degradation/reducing battery life
• Stealing data
• Temporary denial of service
• Bricking the device (disabling a device)
• Implanting malware (for example, creating bots for a botnet)
• Changing the behavior of a device

The consequences of a cyber-attack can vary widely depending on the function of the device. In a world where our vehicles, electric grids, and medical processes are dependent on connected devices, the potential for harm is far greater than just the data theft that is seen in traditional IT cyber-attacks.

Understanding the real vulnerabilities present within the firmware of a device provides OEMs with information they need to properly address and prioritize the necessary fixes.


Types of Vulnerabilities in Embedded/IoT Devices

Vulnerability and implications of the vulnerability:

• Unauthenticated access: Allows unfettered access, making it trivial for attackers to gain access to and control of the device.
• Weak authentication: Simple password-based authentication or weak cryptographic algorithms that can be broken by brute-force attacks.
• Hidden back-doors: While potentially helpful for customer support, they are staple features that hackers quickly identify and exploit, often with severe consequences.
• Password hashes stored in firmware: Hard-coded passwords that users are unable to change, and default passwords that users rarely change, result in devices that are trivial to exploit. Exploited by the Mirai malware to create a botnet of roughly 2.5 million IoT devices.
• Encryption keys stored in firmware: Encryption keys are critical, but when stored in firmware, they can result in easily compromised devices.
• Buffer overflow vulnerabilities: Use of insecure string handling functions such as strcpy, strcat, etc., instead of their more secure strncpy, strncat counterparts, may result in buffer overflows that can be exploited, creating denial-of-service and code-injection attacks.
• Use of open source solutions with known vulnerabilities: Automated hacking tools include exploits targeting known vulnerabilities in open source platforms and libraries. The latest versions frequently include fixes, yet many devices are released unpatched.
• Debug services in production systems: While critical during development and testing, they provide unfettered access to and control over the device.

Consequence of Security Vulnerabilities

Exploiting vulnerabilities is one of the main techniques hackers use when they attack devices. While they may also use stolen credentials, social engineering and other “soft” methods during a cyber-attack, vulnerability exploits remain their bread and butter. As long as exploitable vulnerabilities exist in devices, hackers will go to great lengths to find them. Certain classes of vulnerabilities require a higher level of skill to discover or to exploit. Arguments have been made that such vulnerabilities are not as grave a concern as those that are more easily discovered and exploited. This is simply not true.

Nation-state sponsored hacking groups and criminal enterprises pour tremendous resources into finding vulnerabilities. Once the vulnerabilities are found, automated attack tools are created and often sold to hackers. In some cases, these tools are published in hacker forums, leaving them only an internet-search away from would-be hackers.

The only way to ensure the security of connected devices is to find and remove vulnerabilities before the devices are released.
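Two of the vulnerability types listed above, password hashes stored in firmware and unauthenticated access, can be checked for directly once a firmware image has been unpacked, by auditing the root filesystem's /etc/shadow. The following C program is an added example, not code from this paper or from ReFirm Labs; the shadow contents are constructed for the example and the root "hash" is a placeholder, not a real hash.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of an /etc/shadow taken from an unpacked firmware root
 * filesystem. The root "hash" is a placeholder string, not a real hash. */
static const char SAMPLE_SHADOW[] =
    "root:$1$PLACEHOLDER$notarealhashxxxxxxxxxx:10933:0:99999:7:::\n"
    "daemon:*:10933:0:99999:7:::\n"
    "support:!:10933:0:99999:7:::\n"
    "admin::10933:0:99999:7:::\n";

enum { ACCT_LOCKED = 0, ACCT_NO_PASSWORD = 1, ACCT_HASH_IN_FIRMWARE = 2 };

/* Classify one shadow line by its password field. Returns -1 if malformed. */
int classify_shadow_line(const char *line) {
    const char *sep = strchr(line, ':');
    if (sep == NULL) return -1;
    const char *field = sep + 1;                   /* second field: password */
    const char *end = strchr(field, ':');
    size_t len = end ? (size_t)(end - field) : strlen(field);
    if (len == 0) return ACCT_NO_PASSWORD;         /* empty: login needs no password */
    if (field[0] == '!' || field[0] == '*') return ACCT_LOCKED;
    return ACCT_HASH_IN_FIRMWARE;                  /* fixed hash baked into the image */
}

/* Walk a whole shadow file held in memory and count accounts that are either
 * passwordless or carry a hard-coded hash; both are findings to fix before release. */
int audit_shadow(const char *shadow) {
    int risky = 0;
    const char *p = shadow;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t linelen = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (linelen >= sizeof line) linelen = sizeof line - 1;   /* bound the copy */
        memcpy(line, p, linelen);
        line[linelen] = '\0';
        int cat = classify_shadow_line(line);
        if (cat == ACCT_NO_PASSWORD || cat == ACCT_HASH_IN_FIRMWARE) risky++;
        p = nl ? nl + 1 : p + linelen;
    }
    return risky;
}

int main(void) {
    printf("risky accounts in sample shadow: %d\n", audit_shadow(SAMPLE_SHADOW));
    return 0;
}
```

On a real image the same check belongs in the build pipeline, run against the extracted root filesystem before the firmware is signed and released.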


Making the Device Secure

Modern embedded devices and systems are complex connected devices that are charged with performing critical functions. Therefore, including the highest level of security in these devices is a critical design task. Despite our best efforts, many IoT devices are replete with security vulnerabilities, and hackers are taking advantage of it.

We all agree that IoT devices can be protected from hackers. Securing IoT devices starts with knowing what vulnerabilities need to be fixed. An automated risk management tool, such as the Centrifuge Platform, provides developers the information they need to fix security problems and make their devices secure.

Summary

Two separate issues must be addressed in developing IoT devices with strong security. First, security vulnerabilities introduced during design and development must be found and addressed. These range from insecure string handling functions such as using sprintf() instead of the more secure variants such as snprintf(), to hidden backdoors and encryption keys that are stored in the device. Removing these is paramount.
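The insecure string handling named here (sprintf versus snprintf) and in the vulnerability table above (strcpy versus strncpy), together with the earlier example of a web interface copying input into a fixed-length buffer without range-checking, is illustrated below in C. This is an added example, not code from the paper or from ReFirm Labs; the buffer sizes and function names are assumed for the illustration. It shows the unchecked copy, a range-checked version that rejects over-long input, and two caveats about the "more secure" counterparts: strncpy leaves the buffer unterminated when the input fills it, and snprintf only bounds the write, so its return value must be checked to detect truncation.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16    /* fixed-length buffer, as in the web-interface example */
#define BANNER_LEN 32

/* BEFORE: copies untrusted input with no range check. Any input longer than
 * NAME_LEN-1 bytes writes past the end of `name` (the buffer overflow). */
void set_name_unchecked(char name[NAME_LEN], const char *input) {
    strcpy(name, input);
}

/* AFTER: range-check first and reject input that does not fit, rather than
 * silently truncating it. Returns 0 on success, -1 if the input is too long. */
int set_name_checked(char name[NAME_LEN], const char *input) {
    /* memchr stops at the first NUL, so it never reads past a short input */
    const char *nul = memchr(input, '\0', NAME_LEN);
    if (nul == NULL) {             /* no terminator within NAME_LEN: too long */
        name[0] = '\0';
        return -1;
    }
    memcpy(name, input, (size_t)(nul - input) + 1);
    return 0;
}

/* Caveat on the strncpy "counterpart": when the input fills the buffer,
 * strncpy writes no terminator and a later strlen()/printf() reads past it.
 * Returns 1 if `name` is NUL-terminated after the copy, 0 if it is not. */
int strncpy_terminated(char name[NAME_LEN], const char *input) {
    strncpy(name, input, NAME_LEN);
    return memchr(name, '\0', NAME_LEN) != NULL;
}

/* snprintf() bounds the write, but returns the length the full message would
 * have had, so the result must be checked. Returns 0 if the banner fit, -1 if
 * it was truncated (a truncated version string is a silent data bug). */
int format_banner(char out[BANNER_LEN], const char *model, const char *version) {
    int needed = snprintf(out, BANNER_LEN, "%s fw %s", model, version);
    return (needed >= 0 && needed < BANNER_LEN) ? 0 : -1;
}

int main(void) {
    char name[NAME_LEN], banner[BANNER_LEN];
    printf("checked copy of 25-byte input: %d\n",
           set_name_checked(name, "this-name-is-far-too-long"));
    printf("strncpy terminated on 16-byte input: %d\n",
           strncpy_terminated(name, "0123456789abcdef"));
    printf("banner fit: %d\n", format_banner(banner, "cam-x", "1.2.3"));
    return 0;
}
```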

Second, security countermeasures must be included. Having strong authentication, secure boot, hardware-based secure key storage, encrypted communication, and secure firmware updates are critical security elements for IoT devices. Care must be taken during the implementation process to ensure security flaws are not introduced as part of these features. This would include hard-coded security keys or password hashes stored in firmware, insecure coding practices which can lead to buffer overflow attacks, or any of the other vulnerability types described in this paper.

Security countermeasures must be considered early in the design of a new device or system. Support for secure boot or device tamper detection requires specific hardware capabilities - these features must be considered prior to hardware selection.