Behind the research glass – an insight into our approach

Here at VDOO, it is our long-term mission to continuously assess and improve the security of the connected devices that are rapidly surrounding us. The only real way to succeed in this mission is by utilizing a critical and methodical approach and technologies to inspect all the different layers of a modern embedded and connected device – its application layer, protocols, operating system, hardware, controllers, gateways and backend connectivity.

In the coming months, we will be releasing some of our insights, as well as technical findings on the issues we have identified using our platform and our top-notch research team. These issues stem from the complexity that is integral to building connected and embedded devices, especially given the lack of device-specific standards and best practices. Given the substantial amount of research effort that is required to reveal these issues, it would seem that they would be very hard to fix. However, our research shows that this is almost never the case and that most of the time, there are simple design and implementation changes that could prevent them altogether.

The platform that we offer and continuously improve is based on the hard-earned experience of our researchers evaluating the security of actual devices and their components. As we discover more and more vulnerabilities and security flaws, we are able to break down the attack and identify the root causes that make these vulnerabilities exploitable or escalate their impact and importance. We are then able to detect these tell-tale signs in a scalable manner as well as provide information on how they are best avoided.

Our security research projects planned for 2018-2019 are prioritized by how common the devices are and by their impact on businesses and consumers, as well as the significance of their role in the IoT ecosystem. Given their importance, the initial phase of our research was focused on devices that are supposed to have a positive effect on their users’ physical security. The goal is to verify that this effect is indeed a positive and beneficial one and that these devices cannot be tampered with by malicious attackers abusing their connectivity. We have thus conducted comprehensive security research on several security and safety devices by leading vendors, and have since contacted the vendors according to the best practices of responsible disclosure and worked with them to solve the issues in the most cost-effective manner.

As part of the disclosure process, we thoroughly reviewed the vendors’ security patches and mitigation steps. VDOO strives to help vendors make good use of our findings, so that they defend against such attacks in the most comprehensive way possible.

Finding a significant vulnerability usually indicates that there are additional areas that require improvement. Therefore, a positive outcome of a well-conducted disclosure process is a concrete roadmap that will allow a vendor to improve their security posture. Such a roadmap should include not only steps to find vulnerabilities and patch them, but also implementation of missing security essentials, removal of backdoors, hardening and reconfiguring of software components, and a methodical hunt for known vulnerabilities in both software and hardware.

While most of the vendors have been very forthcoming and were eager to learn from their specific issues about their broader ones, some have been either too narrow-minded or just wanted to apply a quick band-aid in the form of an incomplete patch. That is something we believe needs to change for IoT device vendors and makers to be able to cope with their unique security challenges. One obvious challenge that comes to mind is security updates. Given the inherent limitations of upgrade mechanisms in IoT devices, the patch rollout process is a complex operation that requires special attention and care from the vendor and the disclosing research body, and it differs from the process for classic IT systems. While implementing robust and secure upgrade mechanisms is a crucial step forward, it is our opinion that the more vendors invest in security essentials and security architecture, the lower the chances that vulnerabilities in these devices will be discovered, and therefore the vendor and its customers and users will not need to chase after patches frequently. Even if vulnerabilities are discovered, the chances of remotely exploiting them will also be lower, and therefore the chance that users will be attacked is also dramatically reduced.

Looking ahead, we are planning to share with the security community multiple security findings in the coming months. This will be done in the most open and direct manner while keeping in mind that the safety and security of production systems that are already deployed is of the highest importance. Therefore, we will strive to work hand in hand with vendors to ensure that the outcome of any disclosure we make will be for the best. All updates will be right here through our blog – stay tuned.

Drawing by: John Tenniel, under the CC BY-SA 3.0 license.