IoT Security Testing – Identifying the Scope
IoT (Internet of Things): Where does it stand now?
A couple of years back, only a handful of people involved in the subject knew what IoT was all about. By now you should know what IoT, or the Internet of Things, is. It has revolutionized the way we interact with day-to-day devices, the technology is already very common, and IoT will be the next big thing in the coming years. If you want to confirm that, simply google the IoT predictions. I am not going to talk about what IoT is all about here.
There are thousands, if not millions, of articles on that subject on the Internet. If you have been in the IT industry for several years, I expect you have crossed paths with IoT at some point in your career. If you are a newbie who has just entered the arena, my advice is that it is worth paying some attention to the subject.
Security of an IoT device
Let me dig into the subject now. Day by day, second by second, every application and every device connected to the internet is becoming more vulnerable to hackers. The reason is that it is a constant battle: hackers try to steal valuable information, and the people who developed the systems release patches to close the holes in them. Why? Ultimately it is all about money and business. There will come a time when cybersecurity knowledge is mandatory for a local police officer. For IoT devices this is far more critical, as they hold your private data or are devices through which you get services for your own needs. This leads developers and testers to give serious thought to the security (physical, firmware and software) of the device.
Ensuring the security of IoT devices differs considerably from ensuring the security of web/mobile applications. From here onwards, I’ll talk about the areas you should concentrate on when identifying the scope of an IoT security testing initiative. If you are engaged in an IoT project as a developer or QA, or are just an enthusiast about the subject, the content below will be a valuable piece for your arsenal in the cybersecurity domain.
- Process matters
The basics should be in place: start with scope identification, then do the threat modeling and map the attack surface. With this you will be able to see the bigger picture, and you will easily be able to identify the rest of what is described below.
- Hardware (Physical) security
This will be something new for you if you have only dealt with application security so far. When ensuring the security of the hardware, there are several aspects you should concentrate on.
- Does the device have places that are exposed to human interaction?
For example, if a display (front end) exists and applications are usable on it, then we are mostly talking about Android (mobile) application security testing. If there is no real estate to display anything, or the display is for informational purposes only, then you are completely out of that headache.
- Does the device contain any physical ports?
Here you need to find out, if the device has physical ports, what they are and what purpose they are used for. Make sure that unnecessary physical ports do not exist. If there are USB ports, check how accessible the device is through them. USB debugging should be disabled; otherwise a hacker will be able to get root access and do whatever he wishes.
- How does the device get access to the internet? Is that through Ethernet or WiFi?
You need to find out whether the device can connect to the internet via both Ethernet and WiFi or only through a single medium. Your testing methods will change based on that.
- What are the other connectivity methods?
Lastly, if the device connects over Bluetooth, Zigbee or another wireless communication medium, you need to make sure the required security measures are addressed when implementing them. Also evaluate whether the device establishes trust in the data before accepting it. When it comes to physical security, we have to think about how the device is intended to be accessed from outside, then close all access points other than the intended channel. Also, if the device stores any passwords or other sensitive data, make sure the hardware will not expose that data to an outsider (tamper mechanisms).
If you are interested in this particular subject, it is better to get more familiar with secure microcontrollers, secure key storage, encryption for physical data channels (pin pad cables, inter-IC communication links) and tamper switches. And last, the hardware security standards: it is worth getting to know the kind of standards your hardware follows (e.g. MISRA C). Once you have covered the above aspects of hardware security, you are pretty much safe.
- Firmware security
This is the most important piece of your IoT device. It controls everything that matters, from sensors to the operating system. So having a look at the firmware installed on your device is mandatory, and if you miss it you are probably missing the big fish of your IoT security testing initiative. There are three major areas in firmware security.
- Invest more time on debugging interfaces (USB/Serial/JTAG/SWI)
- Protect your bootloader
- Implement continuous monitoring on both the device and firmware sides.
In addition to the above, please be aware of firmware-level attacks. Below are the possible areas you should consider:
- Vulnerabilities in third-party components and libraries.
Developers use many third-party libraries and components when developing the firmware. So it is critical not only to scan with an automated tool but also to get a list of all of them and validate it manually.
- Injection attacks where a hacker can alter the firmware logic.
Injection attacks are a broader subject. If the IoT device can interact directly with a user interface where the user can input data via a provided application, or when interacting with the operating system, you need to make sure all fields are properly validated so that the user cannot perform injection attacks. The method of injection differs with the technology. If you are dealing with an application, it can be SQL or NoSQL injection.
If you are dealing with the OS, it can be command injection, where the firmware logic can be altered so that the normal functions of the device are disrupted. So it is very important to make sure your IoT device has a very good defense (on-boot/periodic firmware integrity check) against these types of attacks.
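A sketch of the on-boot/periodic firmware integrity check mentioned above, added here as an example and not taken from any particular device's code. It assumes a per-partition SHA-256 manifest authenticated with an HMAC key held in secure storage (a stand-in for the asymmetric signature a production boot chain would normally verify); the partition names, images and key are constructed.

```python
import hashlib
import hmac
import json

# Constructed sample data: partition images and a device-unique key.
SAMPLE_PARTITIONS = {"bootloader": b"\x7fBOOT" * 64,
                     "kernel": b"KERNEL-IMAGE" * 128,
                     "rootfs": b"ROOTFS-SQUASH" * 256}
DEVICE_KEY = b"constructed-key-kept-in-secure-storage"

def build_manifest(partitions, key):
    """Build side: digest every partition, then authenticate the manifest."""
    digests = {n: hashlib.sha256(img).hexdigest() for n, img in partitions.items()}
    manifest = json.dumps(digests, sort_keys=True).encode()
    return manifest, hmac.new(key, manifest, hashlib.sha256).digest()

def verify_firmware(partitions, manifest, tag, key):
    """Device side: return the names of partitions that fail the check.

    The manifest is authenticated first; without that step, whoever alters
    a partition could simply rewrite its digest in the manifest as well.
    """
    expected_tag = hmac.new(key, manifest, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, tag):
        raise ValueError("manifest authentication failed")
    expected = json.loads(manifest)
    failed = []
    # Union of names: catches missing partitions and unlisted extra ones.
    for name in sorted(set(expected) | set(partitions)):
        image = partitions.get(name)
        digest = hashlib.sha256(image).hexdigest() if image is not None else ""
        if not hmac.compare_digest(digest, expected.get(name, "")):
            failed.append(name)
    return failed
```

A test plan for this area should cover both failure paths: a modified partition with the original manifest, and a modified partition with a matching but unauthenticated manifest.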
- Sensitive information at rest and transit
Whether sensitive data or PII (Personally Identifiable Information) exists in your IoT device depends on the purpose it is intended for. The device may even be inside your body monitoring your health condition, or operating at home, or operating publicly. What you need to worry about is what kind of data passes through and is stored in your device. Can it be classified as sensitive information? If yes, you need to make sure of two things: how it transits within the device or to the outside, and how it is stored.
Data in transit, especially from the backend server to the IoT device and vice versa, or when passed to third-party peripherals, should be secured. Make sure the channel is secured. Confirming that TLS is used is not enough; check the version as well. Anything below TLS version 1.2 is no longer recommended by the industry. For stored data, verify whether PII is stored in plaintext or ciphertext (the result of encryption performed on the plaintext).
- DoS attacks
Another important aspect to look at is DoS (Denial of Service) attacks targeting the firmware. With these, a hacker can crash the system by consuming all the available memory. Please make sure proper mechanisms are enforced in the firmware for such a situation.
- Key management on client-side
Another important point in firmware security is the key management of your IoT device. As you know, when a device service or an application communicates with its backend server, it uses a secret key to establish the connection. In this case, it could be a service running on the firmware. So please find out where the key is stored on the device and how it is stored. Is the same key used all the time, or is a key rotation mechanism implemented? This is very important, since a hacker can steal the secret key and do whatever he wants after that.
- Open ports and services (To the network)
Finally, you should be aware of which ports and services are open to the network. Any unnecessary ports should be closed. For example, if the device allows port 23, someone can get into the device via Telnet and take control of it unless proper security mechanisms are enforced.
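One way to turn the open-ports check into a repeatable test, added here as an example that is not part of the original article: compare the device's own listener table (`ss -tuln` output) against the listeners the design calls for. The sample output and the allowlist are constructed assumptions for a hypothetical device.

```python
# Constructed sample of `ss -tuln` output from a hypothetical device.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      16     127.0.0.1:6379     0.0.0.0:*
tcp   LISTEN 0      128    [::]:8883          [::]:*
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*
"""

# Assumed design intent: the only listeners the device should expose.
ALLOWED = {("tcp", 22), ("tcp", 8883)}
# Services that carry credentials and data unencrypted.
CLEARTEXT = {21: "ftp", 23: "telnet", 80: "http"}

def is_loopback(addr: str) -> bool:
    """Loopback-only listeners are not reachable from the network."""
    return addr.startswith("127.") or addr in ("[::1]", "::1")

def audit_listeners(ss_output: str, allowed=ALLOWED):
    """Return (proto, port, address, note) for each out-of-scope listener."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        proto = fields[0]
        # rpartition keeps bracketed IPv6 addresses such as [::] intact.
        addr, _, port_text = fields[4].rpartition(":")
        if not port_text.isdigit():
            continue
        port = int(port_text)
        if is_loopback(addr) or (proto, port) in allowed:
            continue
        note = "unexpected listener"
        if port in CLEARTEXT:
            note += f" ({CLEARTEXT[port]}, cleartext)"
        findings.append((proto, port, addr, note))
    return findings
```

An on-device listing like this complements a scan from the network side, which shows what is actually reachable through any firewall rules.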
- Software security
If your IoT device runs applications on top of the firmware, then this section matters. Some devices may not have any software running directly with the firmware, but some may have software that interacts with the firmware and the device (this depends on the service your IoT device provides). If it uses any software, we are mostly talking about Android applications. You should primarily look at the following:
1. Vulnerabilities that exist in the APK
2. Data in transit and at rest
3. Injection attacks via input fields
4. Authentication and authorization mechanisms.
I am not going to describe each of these in detail, as most are covered in the previous sections. Here, though, they apply to the software applications, so you should test each area separately.
In conclusion, as I mentioned in the beginning, planning matters: before you start anything, perform a deep dive into the overall architecture and then into the threat model. By doing that you will identify where your device stands in terms of security and how well you should enforce the corresponding security mechanisms. If you consider the areas I highlighted above when identifying the scope of your IoT security testing, you have a good start towards a secure IoT device.
If you have time for preparation, it is better to study common IoT infrastructures and components first to get some understanding of the individual components. That will also help you design and study the testing procedures relevant to them.
So fasten your seatbelt and start securing your IoT device if you have not already. You will save lots of money for your business, and maybe you will ultimately be the one who saves the business. Besides, I would like to note that if you become a security test professional and succeed in your IoT security testing work, you have enriched your security testing journey with an area that represents the future…