How IoT software security compares to other business sectors
How big a threat to the IoT is ransomware?
IoT is becoming a very large target because there is so much opportunity. Ransomware is just one way to monetise exploited vulnerabilities. Exactly how big a threat ransomware specifically is, depends on the device and the intended use.
If ransomware infected your fitness tracker and you had to pay to unlock your steps, would you? What about a hospital that had ransomware on their medical devices, such as their electronic medical records systems, would they pay it? These two scenarios represent vastly different motivations for unlocking devices infected with ransomware.
Different organisations will respond differently, based upon their business risks. What is important for the organisations to do is to incorporate this as a potential attack scenario in their risk assessments, and ask themselves the question of what would they do, says Dan Lyon, principal consultant, Cigital.
How can you spot an attack, and what does it consist of?
Ransomware spreads by various mechanisms, but the most widespread outbreaks will leverage remote code execution vulnerabilities to infect other systems on the network. The spread of ransomware to healthcare organisations earlier this year was the result of known vulnerabilities in a common software system used in healthcare organisations. So, rather than healthcare having been specifically targeted, it’s more likely to have happened because healthcare systems used some common software.
What steps can service providers and the IoT ecosystem take to protect themselves?
In most cases, an organisation is dependent upon their vendors to be releasing secure software. An organisations best chance for prevention comes when they can drive their vendor’s software security programs forward.The recently released BSIMM7 describes all the activities that organisations across the world are doing to secure their software while they are building it. If a service provider’s vendors aren’t doing any of these, it means that they are not building security into their software product. The spider chart below is from the BSIMM7, and shows the average scores for all 95 participating firms. The concepts and data in the report can be used as a guide when talking to vendors about their software security practices.
How do service providers decide what is an appropriate level of protection for their service?
Any determination on what an appropriate level of protection is will come back to looking at the associated risks. What happens in the worst case scenarios? Compare losing control of your bank account vs. losing control of your fitness tracker. Obviously one has larger impact, and therefore likely deserves stronger controls.
Can you give examples of attacks you have come across and how they might have been prevented?
I always go back to looking at root cause, and identifying how the flaw or bug was introduced in the first place. Many IoT devices ship with default configurations which have a common, hardcoded password. Hardcoded passwords were recently revealed as the attack vector for how the Mirai IoT botnet spread.
The author of the code claims that by exploiting default passwords, several hundred thousand devices can be compromised. Hardcoded passwords are one of those things that should be looked for during design reviews, and corresponding steps taken to address it. As evidenced by the BSIMM7, 31% of organisations are performing formal design reviews, called Architecture Analysis, on their high-risk applications.
For those making and using IoT devices, performing a security focused design review that identifies hardcoded passwords as a risk is a necessary first step in preventing attacks that real-world malware systems are exploiting.
The author of this blog is Dan Lyon, principal consultant, Cigital.
Comment on this article below or via Twitter: @IoTNow_ OR @jcIoTnow