What you need to know to keep your IoT software secure.
The Internet of Things (IoT) has been hailed as an integral ingredient of the 4th Industrial Revolution, transferring the power of software and connectivity into the physical world. However, before we rush into the “smart” future where our coffee pot talks to our toothbrush, we need to remember that these connected devices face significant security risks.
We are continually receiving rude reminders that the software that puts the brains in our IoT devices can have serious vulnerabilities hidden in its code, leaving the devices open to exploitation by attackers.
Researchers at the mobile security firm Zimperium announced that a member of their team had identified 13 vulnerabilities in the TCP/IP networking components of FreeRTOS, an open source real-time operating system that is one of the most widely used on IoT devices.
The CVEs that researcher Ori Karliner turned up were serious ones, covering remote code execution, denial of service, and information leaks, plus one whose impact had not yet been classified. At the time of writing these vulnerabilities had not been assigned CVSS scores, but remote code execution in the network stack of an unattended device typically lands at the high end of the scale.
According to their release, the Zimperium team reached out to Amazon, which maintains the FreeRTOS project, alerted them to the vulnerabilities, and worked with them to produce patches for the exploitable components.
Because a wide range of stakeholders ship the affected FreeRTOS components in their products, the researchers reserved CVE identifiers with MITRE and the National Vulnerability Database (NVD) but are withholding the technical details of how to carry out the attacks for a reported 30 days, so that attackers cannot turn the research into a quick and easy payday before vendors have had a chance to patch.
While news of this discovery did not garner the type of press that we normally see around a mass data leak where user data has already fallen into the hands of cybercriminals, these vulnerabilities should make us stand up and pay closer attention to how we secure our embedded devices.
The Future Of IoT Will Be Built On Open Source
Even if you have not heard of FreeRTOS before, since it is less discussed than projects from the Apache Software Foundation or other big names in the open source space, chances are that you own a device that runs this wildly popular operating system.
Due in part to tight memory and storage constraints, and because they do not need the functionality of a full-blown operating system, IoT devices run lighter-weight operating systems, such as FreeRTOS, which is backed by AWS, or the IoT-focused operating systems backed by the Linux Foundation.
Open source plays the same role in IoT as it does everywhere else in software: the majority of vendors producing devices, like any other organization developing software, want to use high-quality, ready-made components to reduce the amount of code their team has to write in order to release a functional product. Open source components let them add powerful features to their applications that they would otherwise have to build on their own.
There is also the additional advantage here that open source components are available for free use within the restrictions of their license, making for some serious cost savings for these hardware companies who would otherwise have to pay for a commercial software product or many more hours of coding.
For companies with minimal experience and capabilities in writing software, turning to open source software solutions can be a boon that allows them to enter this very enticing market.
However, as we have seen in the disclosure of these vulnerabilities, keeping IoT safe is hardly a walk in the park.
Why IoT Security Faces Different Challenges
We often forget that what makes our devices smart is that they are embedded with little computers that are connected to the internet. It is this connectivity that enables the flow of communication between the device and a backend that collects the data and helps the user do something more efficiently. These devices are essentially the physical manifestation of the applications we have on our phones or the web.
From a security perspective, attackers can go after these devices much as they would exploit a traditional endpoint such as a desktop computer. With the right vulnerability, they can take a device over, access its data, overwhelm it, or perform other kinds of malicious activity. However, there are some key differences from your desktop computer that need to be considered.
First, a breach of a connected device in, say, a car or an industrial control system, as in the Stuxnet attack on Iran's uranium-enrichment program, can have very real physical effects. Data leaks are bad and can be severely damaging for a company, as we saw in the Equifax case.
Centrifuges spinning out of control, power grids going offline, cars failing to brake, and a myriad of other real-world safety concerns are something else entirely and should give us pause when we think about what we want to make digital.
In a less catastrophic vein, many IoT devices pick up a lot of data about us that can be quite sensitive. We might not want the world knowing about our health, schedules, or other habits, and the idea of your smart TV watching you can be fairly disturbing.
Second, IoT devices and their software are generally not as well protected against cyber attacks as a laptop or mobile device. Companies like Apple, Microsoft, and Dell have years of experience in making their devices and software harder to hack than, say, the company that is trying to sell you a smart toaster.
The truth is that many consumers are unwilling to pay for better security in the devices that they buy, and the vendors just want to keep costs down. Unfortunately, security is rarely the highest priority.
Finally, ensuring the implementation of patches or other fixes to the affected devices is really hard to do. Because so many vendors are using the same components, the impact of a single vulnerability — let alone 13 — can be massive. The cost of going about patching these devices can be prohibitively high, if such a process is possible in the first place. Just imagine how a company would go about fixing a vulnerability in pacemakers, an arduous endeavor to say the least.
Taking Control of Your Application Security
So what can you do to help make your devices’ software harder to exploit?
While you always want to protect your products throughout the software development lifecycle (SDLC), ideally you want to implement good security practices at the earliest stages possible. This starts by following OWASP Top 10 item A9, Using Components with Known Vulnerabilities: do not ship third-party components with known vulnerabilities.
In the case of open source components, Software Composition Analysis (SCA) tools are built to identify the components that have vulnerabilities associated with them, including a vulnerable component buried deep in the dependency tree of something you chose directly. Catching a risky open source component early in the development process makes it easier and faster to get a more secure product out the door and reduces last-minute rip-and-replace work before a release.
In the less optimal situation, new vulnerabilities are discovered in a product post-deployment. Thankfully, according to the State of Open Source Vulnerability Management Report, in 97.4% of cases a fix is available. For as much of a hassle as it can be to push a patch out to the devices, it is still far better than having your customers compromised.
The problem for many companies is that they are simply unaware of which open source components they have included in their product, let alone when new vulnerabilities that could impact their product have been published.
Unlike commercial products such as Windows, which deliver patches regularly through a single channel, the open source community is highly distributed, with each project publishing fixes and advisories on its own schedule, which makes staying on top of them difficult.
This is where an advanced SCA tool can help: it automates the identification and inventorying of open source components as they enter a product or repository, and it matches that inventory against newly disclosed vulnerabilities published across a wide range of databases and advisories, such as the NVD.
These alerts help a company stay a step ahead of attackers, remediating promptly before its products can be exploited by people who use the same public vulnerability databases as free intelligence on which components are vulnerable and how to attack them.
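As an added illustration (not code from this article or from any SCA vendor), the following Python sketch shows the two mechanics the preceding paragraphs describe: building a transitive inventory of components from the ones a team actually chose, and matching that inventory against an advisory feed by version range. The component names, versions and the EXAMPLE-… advisory identifiers are all constructed for the example and do not refer to real projects or real CVEs; a real tool would additionally need ecosystem-specific version schemes and fingerprinting of vendored or copied source, which this omits.

```python
"""Minimal software composition analysis (SCA) pass: resolve the transitive
component inventory, then match it against advisories by version range.
All names, versions and advisory IDs are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'10.0.1' -> (10, 0, 1). Integer tuples compare numerically, avoiding the
    string-compare bug where '10.0.1' sorts before '9.9.9'."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    deps: Tuple[str, ...] = ()  # components this one pulls in


@dataclass(frozen=True)
class Advisory:
    id: str
    component: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive); "" if no fix exists yet
    impact: str


def is_affected(version: str, adv: Advisory) -> bool:
    """True if `version` lies in [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed and v >= parse_version(adv.fixed):
        return False
    return True


def resolve_inventory(direct: List[str], catalog: Dict[str, Component]) -> Dict[str, List[str]]:
    """Walk dependencies transitively. Returns {component: path}, where path is
    the chain of names that pulls the component into the build, so a finding
    can explain why a component nobody chose directly is present."""
    inventory: Dict[str, List[str]] = {}
    stack = [(name, [name]) for name in direct]
    while stack:
        name, path = stack.pop()
        if name in inventory:  # already reached via another path
            continue
        inventory[name] = path
        for dep in catalog[name].deps:
            stack.append((dep, path + [dep]))
    return inventory


def match_advisories(inventory: Dict[str, List[str]], catalog: Dict[str, Component],
                     advisories: List[Advisory]) -> List[dict]:
    """Cross the inventory with the advisory feed and report every hit."""
    findings = []
    for name, path in inventory.items():
        comp = catalog[name]
        for adv in advisories:
            if adv.component == name and is_affected(comp.version, adv):
                findings.append({
                    "advisory": adv.id,
                    "component": f"{name} {comp.version}",
                    "impact": adv.impact,
                    "transitive": len(path) > 1,
                    "via": " -> ".join(path),
                    "fix_available": bool(adv.fixed),
                    "upgrade_to": adv.fixed or None,
                })
    return findings


# Constructed bill of materials for a hypothetical firmware image.
COMPONENTS = [
    Component("rtos-kernel", "10.0.1", deps=("tcp-stack", "tls-lib")),
    Component("tcp-stack", "2.0.3"),
    Component("tls-lib", "1.2.0", deps=("crypto-core",)),
    Component("crypto-core", "0.9.5"),
    Component("json-parser", "3.1.0"),
]
CATALOG = {c.name: c for c in COMPONENTS}
DIRECT_DEPS = ["rtos-kernel", "json-parser"]  # the components the team actually chose

# Constructed advisory feed standing in for NVD and vendor advisories.
ADVISORIES = [
    Advisory("EXAMPLE-2018-001", "tcp-stack", "1.0.0", "2.1.0", "remote code execution"),
    Advisory("EXAMPLE-2018-002", "crypto-core", "0.9.0", "", "information leak"),
    Advisory("EXAMPLE-2018-003", "json-parser", "1.0.0", "3.0.0", "denial of service"),
    Advisory("EXAMPLE-2018-004", "rtos-kernel", "10.1.0", "10.1.2", "denial of service"),
]


def run_example() -> List[dict]:
    return match_advisories(resolve_inventory(DIRECT_DEPS, CATALOG), CATALOG, ADVISORIES)


if __name__ == "__main__":
    for f in run_example():
        status = f"upgrade to {f['upgrade_to']}" if f["fix_available"] else "NO FIX YET"
        print(f"{f['advisory']}: {f['component']} ({f['impact']}) via {f['via']}; {status}")
```

Run as written, the two hits are both transitive: the team picked the kernel and a JSON parser, and the vulnerable TCP stack and crypto library came along with the kernel. One finding has an upgrade target; the other has no fix yet and is exactly the case where a vendor has to decide between shipping with a known issue, swapping the component, or holding the release. The two advisories that do not fire show the range check working in both directions: a version past the fix, and a version before the bug was introduced.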
Where Do We Go From Here?
According to some estimates, IoT will only become a more dominant force in the years to come. Cisco predicts that by 2020, the number of IoT devices will grow to some 50 billion in use.
Hopefully, the discovery of these vulnerabilities will inspire more research into open source components that are used for IoT, helping to make our devices more secure. Uncovering vulnerabilities is a healthy part of the development process and just the start of the conversation. The question for vendors seeking to prove that they can be responsible actors is how they choose to implement security moving forward.
It is now up to the companies that are producing IoT products to adopt the tools and best practices to stay relevant in this market.