With recent high-publicity attacks involving IoT technology such as the Colonial Pipeline attack and the Florida water treatment plant attack, IoT penetration testing has become a hot topic.
I’m sure a lot of the readers who landed here are wondering, “what should I do? How do I secure my IoT infrastructure?”
We’re going to answer those questions and more, but let’s start with the simple stuff.
What is IoT anyway?
The definition of IoT is varying.
The most common usage of the term, Internet of Things, describes the network of physical objects that are embedded with technology to connect to and exchange data with other systems. Think sensors, devices, machines, pumps, automation, printers, patient and system monitors, VoIP, etc.
However, it can really be dumbed down to this: anything that is not a computer or server that exists on your network.
There is another usage of the term—Industrial Operational Technology.
This is a blanket description of Industrial Control Systems and Operational Technology (like the Colonial Pipeline example). This could also include SCADA systems.
For the context we’re going to be diving into here, it doesn’t really matter. The logic we follow will apply to both contexts.
What do we know about IoT devices?
What They Do
They are important—really important!
These devices are responsible for controlling our supply of water, protecting human life, ensuring goods we need can be manufactured, controlling the distribution of critical supplies, and more.
So, it seems like securing these devices should be of the utmost concern.
How Protected They Are
Despite this, they are vulnerable—really vulnerable.
Let’s look at one of our biggest and most crucial IoT consumer sectors: healthcare.
A recent study by ForeScout on vulnerabilities in healthcare devices found that healthcare organizations have the highest number of vulnerable devices on average (almost 500), the highest diversity of devices (eight device types), and the highest diversity of vulnerable vendors (12) on their networks.
Now, let’s pair that data with another statistic from WhiteHat Security. As of May 2021, once a critical vulnerability is discovered, the average time taken to provide a fix is 205 days.
Alright, let’s throw one more statistic in here. From a FireEye study: 58% of all vulnerabilities are discovered through zero-day exploits.
Let’s break this down. If I’m a healthcare provider, I’ve got a network full of vulnerable IoT devices and it’s going to take me roughly six to seven months to get a fix. And hackers already have the exploit code.
Broken down further: I’m in trouble.
So, we should conduct a penetration test on our IoT devices, right?
IoT Penetration Testing is Snake Oil
Don’t get me wrong, traditional penetration tests are still valuable engagements for finding unknown gaps in your security infrastructure, understanding what could happen if an attacker exploited those gaps, and what the risk of having those gaps truly is.
An IoT penetration test is not that.
Because we already know these devices are vulnerable (or going to be), testing them for weaknesses is like trying to find a hole in swiss cheese.
It doesn’t matter what they find or don’t find because we already know they are vulnerable.
And just because other security companies will point to a rising number of IoT attacks as a reason to conduct one of these tests, it does not change this. The number one reason any firm will sell you IoT penetration testing is simple—they want your money.
Rather than waste time, money, and other resources on testing these devices, here are some things you can and should be doing instead that will make a bigger and lasting impact.
Things You Can Do in Place of IoT Penetration Testing
Let’s start by digging into the OWASP Top Ten for IoT, and I think the solution will present itself.
1. Weak, Guessable, Hard-Coded Passwords
The use of easily brute-forced, publicly available, or unchangeable credentials, including backdoors in firmware or client software that grant unauthorized access to deployed systems.
You can control your own accounts. Create secure accounts and passwords, don’t share access, use non-human guessable passwords, use the principle of least privilege, do all the good stuff we continually talk about—however, you cannot control how those passwords are stored on the device.
You cannot control hard-coded (backdoor) passwords created by the manufacturer.
You don’t need a penetration test to know this! Research your devices and understand the risks behind them.
Segment all your IoT devices from your common network.
Only permit required traffic in/out of the IoT segment. Govern this tightly with a solid inventory of systems and users that are permitted in/out of this segment, and monitor the segment.
If you see anomalies, investigate and respond.
2. Insecure Network Services
Unneeded or insecure network services running on the device itself, especially those exposed to the internet, that compromise the confidentiality, integrity/authenticity, or availability of information or allow unauthorized remote control.
Lots of these devices operate on insecure network protocols and unencrypted channels, and usually, this cannot be changed. We must accept that these devices are insecure by default.
As mentioned above, removing these devices from your main network limits the chances that a vulnerability in them can cause further damage. Plus, it makes it easier to find and detect anomalies.
3. Insecure Ecosystem Interfaces
Insecure web, backend API, cloud, or mobile interfaces in the ecosystem outside of the device that allows compromise of the device or its related components. Common issues include a lack of authentication/authorization, lacking or weak encryption, and a lack of input and output filtering.
Like the previous categories, many of these things are baked into the device.
So, you actually have no control over remediation—you are 100% at the mercy of the vendor in this situation. Plus, it is a known issue that many IoT manufacturers are not very punctual in their patching.
Network segmentation. Are you seeing a theme here?
4. Lack of Secure Update Mechanism
Lack of ability to securely update the device. This includes lack of firmware validation on a device, lack of secure delivery (un-encrypted in transit), lack of anti-rollback mechanisms, and lack of notifications of security changes due to updates.
What can you do here? Again, you’re kind of at the mercy of the vendor in this situation.
What is a penetration test going to tell you that you don’t already know?
Updating IoT is hard. It takes a long time for vendors to provide updates, and it is likely going to cause some downtime for your critical infrastructure.
You must accept that these devices are insecure by nature, so again…
You guessed it—network segmentation.
5. Use of Insecure or Outdated Components
Use of deprecated or insecure software components/libraries that could allow the device to be compromised. This includes insecure customization of operating system platforms and the use of third-party software or hardware components from a compromised supply chain.
A compromised supply chain.
I think we’ve heard that a few times this year, and most are well aware of the implications.
In the recent high-profile supply chain attacks (or those called supply chain attacks) observed this year, there was one constant: properly securing communications to and from those devices would have prevented all impact.
Hopefully, you’re starting to see a trend here. If your IoT devices are running deprecated components or are victim to a supply chain compromise, you can’t do anything other than replacing the devices with a newer version (which is typically expensive) that will inevitably suffer from the same vulnerabilities in a rather short period.
6. Insufficient Privacy Protection
Users’ personal information stored on the device or in the ecosystem that is used insecurely, improperly, or without permission.
Here, we must consider the general architecture of the device. In this scenario, any data that is stored on the device is stored without proper controls. These controls are not modifiable by the user and would require a response by the vendor.
We know that most IoT vendors are slow in patching identified vulnerabilities, so you should expect that a remediation effort of this capacity will take a very long time. They may never even be resolved.
It’s important to understand that IoT is inherently vulnerable, and therefore:
7. Insecure Data Transfer and Storage
Lack of encryption or access control of sensitive data anywhere within the ecosystem, including at rest, in transit, or during processing.
Now I’m sounding like a broken record, but what do you believe your vendor is going to do when you identify this during a penetration test?
They’re going to say, “Yeah, we know. That’s just how it works.”
You don’t need a penetration test to understand how IoT devices transfer and store your data.
If you don’t have control over how data is being transferred and stores, the best thing to do is keep it at arm’s length from your other critical devices and infrastructure. Network segmentation is once again the best way to combat this vulnerability.
8. Lack of Device Management
Lack of security support on devices deployed in production, including asset management, update management, secure decommissioning, systems monitoring, and response capabilities.
Does your IoT device have a centralized management capability? Does it allow you to inventory all systems, update all systems, and monitor their status?
If not, you have a problem–and you don’t need a penetration test to tell you that.
9. Insecure Default Settings
Devices or systems shipped with insecure default settings or cannot make the system more secure by restricting operators from modifying configurations.
What?! Did you ship me a device that restricts my ability to modify configurations?
There’s no need to do a penetration test to figure this vulnerability out. You’ll learn about it during the deployment stage when you try to change default configurations.
10. Lack of Physical Hardening
Lack of physical hardening measures, allowing potential attackers to gain sensitive information that can help in a future remote attack or take local control of the device.
Here we go—one that is not the burden of the vendor, but the owner.
Finally, something we can control, right…?
It all depends on your technology.
In healthcare, this is going to be tough. We’re talking about things like critical infusion pumps responsible for protecting human life. These pumps are always going to be physically available for a bad actor to exploit.
No worries though, we’ll lock down the unused port in the configuration panel. Wait, we just learned that we can’t change configurations. So, our best bet is going to be to configure a secure network that (you guessed it) isolates the device.
Then perhaps we can implement a physical security mechanism around the pump to prevent local network jacking—just a fancy way to say a protective panel or case that prevents physical tampering.
That one I bet you the manufacturer can help you with (because they’ll make even more money on it).
Moral of the Story
You don’t need a special engagement to tell you that your device is vulnerable.
If it’s not known to be vulnerable, it is still vulnerable. And if by some miracle it’s not vulnerable, it will be tomorrow (or sometime soon). Security researchers know this. Attackers know this. Manufacturers and vendors know this as well. We’re better off accepting the environment is vulnerable or has the potential to shortly. These are undeniable facts.
Stop wasting your valuable security budget on IoT penetration testing that will simply tell you what you already know (or should assume) to be true.
Disclaimer: I’m not implying that these suppliers are neglectful of the situation. Patching firmware, software, and systems that are responsible for securing human life is not an easy task.
What should you do?
Beyond the now-obvious network segmentation and device isolation, here are some things you can do to better protect your organization against IoT vulnerabilities.
Start with a solid inventory.
Understanding and documenting your environment is a critical step in securing it. We can’t secure what we don’t know exists.
Document all your IoT systems in use. Understand the functionality of the device and research and understand the risks that are present in each device.
Research and Analysis
When considering IoT device introduction into your ecosystem, take the time to review the technology and understand the risks before production implementation. Through thoughtful research and analysis on all devices in your inventory, you will quickly be able to understand the risks and vulnerabilities of each device.
Get to know the CIA triad—confidentiality, integrity, and availability—and make informed decisions based on them.
Is data being stored and passed through my technology confidentially? How important is the integrity of the data? How important is the availability of this system?
Follow the logic path with the use of these core concepts, and decide what the acceptable risk level is for each device type.
Share your concerns with potential vendors during the sales process and review multiple options. Identify which vendor is willing and more capable of developing a secure deployment method.
If you aren’t comfortable analyzing these systems on your own, hire a security partner to analyze and audit the systems with you—not a penetration test, but an overall security assessment.
- Each environment is unique, so I can’t spell out exactly how to segment your network but start with the idea of an air-gapped network and work backward from there.
- The principle of least privilege always applies.
- Develop a patch management policy and process for your IoT network.
- Practice secure account hygiene.
- Implement network monitoring for the segmented IoT network.
- Retain all available logs.
- Regularly backup device configurations.
- Monitor for configuration changes.
Now We Penetration Test
After all these things are in place, then we can start thinking about penetration testing!
Even still, the test would not be an IoT penetration test. This would be a test focusing on testing the segmentation of your network.
Is it possible to pivot from any segment within your enterprise into your IoT network? A good penetration testing partner will attack your enterprise infrastructure as well as testing segmentation.
This is an exercise that will give you value.
If you have implemented network monitoring within your IoT network, this will also give you the chance to confirm you are fully capable of identifying anomalous traffic in/out of the network.
It will also test your ability to properly respond to observed events.
Every single IoT attack we’ve seen has resulted from a lack of proper segmentation!
Think like an attacker—if we can get to something that is known to be vulnerable, we can exploit it.
The only true defense is to keep attackers away from our main networks by segmenting our IoT devices and putting security measures in place to minimize their ability to move laterally onto your other important networks.
If you need assistance with network segmentation, other security measures pertaining to internet-connected devices, or you suspect you’ve been compromised through an IoT device, please don’t hesitate to reach out to us. We’re happy to help where we can.