You know IoT security is a serious concern when startups are getting funded to the level of $17M by Tier 1 investors like Sequoia Capital and Tenaya Capital. Armis, an Israeli and Silicon Valley startup, is on a mission to identify compromised IoT devices on the corporate network and quarantine them. Lest you forget, this is not such a far-fetched concern. Recently, an army of IoT cameras and WiFi routers, operating as an IoT botnet called Mirai, was used to mount a Denial of Service attack on Dyn's DNS service that knocked many of the largest sites on the Internet offline for hours.
Said another way, security in IoT products is such a concern that companies are basing their entire business models on protecting networks from those products. If you are a company that makes IoT products, or any product that runs on a customer's network for that matter, this should scare the bejesus out of you! You do not want your product to be the cause of the next botnet or, worse, to be the way your customer's business gets compromised.
Cameras in people's homes are soft targets, but it is only a matter of time before industrial machines, medical devices, ATMs, home security gear and other mission-critical infrastructure are targeted – and then it won't be a Denial of Service attack that the bad guys are trying to accomplish.
Let’s think of the ways that a product of this class can be compromised.
- Like the botnet attacks, it can be compromised by an attack from inside the network. Malicious software already running on the network scans for your machine, finds a service it exposes, and exploits a vulnerability in that service (or, as Mirai did, simply logs in with a default telnet password) to gain entry. Anything that gives your machine a footprint on the network is a possible open door for bad guys: a telnet service, a web service, etc.
- The machine is compromised through a poorly designed remote service solution. Remote access is one of the most useful, and potentially most troublesome, ways into a company. Many remote access solutions allow unattended access without the permission of the company that owns the machine. Furthermore, this unattended access often gives the remote user, a person outside the company's security policies, open access to the customer's network, so a compromised vendor account becomes a pivot point into everything else on that network.
- Machine is compromised by the machine vendor’s own employees. Some of the craziest stories we have heard involve a machine vendor’s very own employees using their remote access solution to plant backdoors that they could later exploit for nefarious means. While it is hard to believe, it is a legitimate threat and must be guarded against.
So how do you have your cake and eat it too? How do you build a product that takes full advantage of the internet and provides support access when it is required, yet protects both the customer and the product vendor from the bad guys, inside and outside the company? Based on our experience with over 150 Internet- and service-enabled products, we recommend the following approach:
- Close all open ports on the device: A port listening on a network interface is an invitation for a bad guy to exploit the device, whether or not you think the service behind it is hardened. We recommend that our customers close all of them. If a service must keep running on the device, bind it to the loopback interface (127.0.0.1 / ::1) only, and verify with a socket listing that nothing is bound to 0.0.0.0, :: or a real interface address before the product ships.
- Utilize indirect access: This approach uses a third-party solution, like RevTwo (shameless plug), to provide access to only those elements of the machine or device that are required. For example, if you want to reach a web server present on the machine, reach it through a remote tunnel whose endpoint is bound to localhost (i.e. a port that is exposed to loopback only, never visible at the network level). You can use this technique to access web pages, local screens, even terminal screens, without the device ever accepting an inbound network connection.
- Respect sandbox limitations: Often we see microservice-architected solutions that undermine the isolation of their own design by bolting on a remote service tool that runs as root on the host and grants access at the machine level instead of at the microservice level. Respect the sandbox limitation: the support agent should live inside the service it supports, with that service's privileges and nothing more, and support from the inside out.
- Permission-based access: In the end, the customer is king. We recommend that all access on a customer's network be initiated only after permission has been explicitly granted for that session, by someone at the customer, for a bounded time. This protects the customer from unauthorized access to sensitive equipment and protects the machine manufacturer from liability associated with that access.
- Audit everything: Trust but verify. A comprehensive audit log (who connected, when, with whose approval, and what they did) not only gives your customer peace of mind that they have a record of all activity on their network, it also protects the machine vendor in case there is a security breach at the customer location. Keep that log somewhere the device itself cannot quietly alter it, or it is worth little after a compromise.
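The "close all open ports" and "localhost only" recommendations are easy to state and easy to get wrong in a build, so here is a check a product team can run on the device before it ships. This is an added example written for this post, not RevTwo's code or any product's tooling; it parses `ss -tln` output (the sample below is constructed, not captured from a real device) and flags every listener that is not bound to a loopback address.

```python
"""Flag listening TCP sockets that are reachable from the network.

Parses the output of `ss -tln` (Linux). Any LISTEN row whose local address
is not a loopback address (127.0.0.0/8 or ::1) is reported as exposed.
A wildcard bind (0.0.0.0, ::, or '*' on older ss versions) counts as exposed.
"""
import ipaddress
import shutil
import subprocess
from typing import Dict, List

# Constructed sample of `ss -tln` output for offline use; not from any real device.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:8080       0.0.0.0:*
LISTEN  0       128     [::]:23              [::]:*
LISTEN  0       128     [::1]:5900           [::]:*
LISTEN  0       128     192.168.1.10:443     0.0.0.0:*
LISTEN  0       128     *:8000               *:*
"""


def parse_listeners(ss_output: str) -> List[Dict[str, object]]:
    """Return one {'host': str, 'port': int} per LISTEN row, in file order."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a non-listening socket
        local = fields[3]                      # e.g. "[::1]:5900" or "0.0.0.0:22"
        host, port = local.rsplit(":", 1)      # split on the LAST colon (IPv6 safe)
        host = host.strip("[]")                # ss brackets IPv6 addresses
        listeners.append({"host": host, "port": int(port)})
    return listeners


def is_loopback_only(host: str) -> bool:
    """True only if a socket bound to `host` cannot be reached from the network."""
    if host == "*":
        return False  # wildcard bind on older ss versions: all interfaces
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # anything we cannot parse is treated as exposed, not ignored
    # 0.0.0.0 and :: are "unspecified" (all interfaces), so is_loopback is False
    # for them; 127.x.x.x and ::1 are loopback.
    return addr.is_loopback


def exposed_ports(ss_output: str) -> List[int]:
    """Sorted list of ports that are listening on a non-loopback address."""
    return sorted(
        l["port"] for l in parse_listeners(ss_output) if not is_loopback_only(l["host"])
    )


def loopback_ports(ss_output: str) -> List[int]:
    """Sorted list of ports that are listening on loopback only (acceptable)."""
    return sorted(
        l["port"] for l in parse_listeners(ss_output) if is_loopback_only(l["host"])
    )


def live_ss_output() -> str:
    """Run `ss -tln` on this host, or fall back to the constructed sample."""
    if shutil.which("ss") is None:
        return SAMPLE_SS_OUTPUT
    result = subprocess.run(["ss", "-tln"], capture_output=True, text=True, check=False)
    return result.stdout if result.returncode == 0 else SAMPLE_SS_OUTPUT


if __name__ == "__main__":
    output = live_ss_output()
    bad = exposed_ports(output)
    print("loopback-only listeners:", loopback_ports(output))
    print("network-exposed listeners:", bad)
    # A shipping device should have nothing in `bad`; make the build fail if it does.
    raise SystemExit(1 if bad else 0)
```

On the constructed sample the check reports 22, 23, 443 and 8000 as exposed and accepts 8080 and 5900, because the latter are bound to 127.0.0.1 and ::1 and can only be reached through a tunnel that terminates on the device. Wiring `raise SystemExit(1 if bad else 0)` into the image build or a factory test turns "close all open ports" from advice into a gate.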
In the end, while we applaud companies that try to find compromised IoT devices and protect their owners from them, we advocate a more proactive approach. We believe it is the responsibility of all IoT products to be safe and secure and we view it as our job to make the tools and infrastructure to make sure that happens!