Author Introduction

GAN Xiang
Director of Tencent Security Platform Department, senior security expert, mainly researching network security, host security, big data, and security algorithms.

ZHAO Zeguang
Senior security expert at Tencent Keen Security Lab, mainly focusing on IoT technology, IoT security, and industrial control security.

LIU Yu
Security researcher at Tencent Security Platform Department, associate senior engineer, mainly researching Gartner emerging technologies and strategic trends, security compliance standards and policies, and security management systems.
LIU Muqing
Security researcher at Tencent Keen Security Lab, mainly focusing on IoT security and binary vulnerability mining.
Paper Citation Format
GAN Xiang, ZHAO Zeguang, LIU Yu, et al. Research on the Security Capability Baseline of IoT Devices [J]. Information Communication Technology and Policy, 2020(11): 66-71.
Research on the Security Capability Baseline of IoT Devices
GAN Xiang1 ZHAO Zeguang2 LIU Yu1 LIU Muqing2
(1. Tencent Security Platform Dpt, Shenzhen 518052;
2. Tencent Keen Security Lab, Shenzhen 518052)
Abstract: This paper discusses the security issues of IoT devices, points out the current attack surfaces, and proposes a set of common device capabilities to support conventional network security, protecting devices, data, and systems. It discusses device security, analyzes the threats that IoT devices may face, and provides corresponding protection strategies and development recommendations for IoT device security.
Keywords: IoT; security baseline; cyber attack
1 Introduction
The massive use of IoT devices has opened enterprise networks to the outside, making them more vulnerable to cyber attacks. Gartner predicts that by 2020, there will be over 20 billion IoT devices worldwide, and billions of connected devices will fundamentally change the way information is processed and used, while significantly increasing enterprise security risks. With the continuous advancement of IoT technology, IoT devices are becoming increasingly prevalent in our lives, but at the same time, device vulnerabilities have become a significant hidden danger. Currently, the protective capabilities of IoT devices are weak and the attack surfaces are extensive, mainly including passwords, network protocols, interfaces, communication, and management.
2 IoT Architecture
The Internet of Things (IoT) builds on information carriers such as the Internet and traditional communication networks to let all ordinary objects that can perform independent functions interconnect.
Here, “objects” can be wearable devices, smart home appliances, cars, or houses, as well as smartphones, tablets, and other terminal devices. As long as they can connect to the network, they can be considered an “object” in the IoT. The IoT is about sharing information between “objects” through internet connections and generating useful information from it, operating without human management.
The IoT architecture[1] can be simply divided into five layers: application, learning, collection, connection, and device[2] (see Figure 1).

Figure 1 IoT Architecture
2.1 Devices
With the development of technology and networks, devices such as detection instruments, vehicles, and cameras belonging to enterprises, governments, or individuals are exhibiting a trend towards networking. When manufacturing or procuring devices, factors such as sensors, CPU architecture, operating system, components, and security should be considered. Device compute ranges from simple microcontrollers to fully functional CPUs that support ARM or Intel instruction sets and have powerful graphics processing capabilities. However, such hardware also needs powerful software to make full use of it.
2.2 Networks
Devices can connect to networks (internet or local networks) in different ways. Different connection methods can be adopted based on data size, distance, bandwidth capacity, etc.
Access points typically have two types of connections: wireless and fixed. Fixed network access modes prevent operators from obtaining information from IoT scenarios, connecting IoT traffic to local private IoT platform services. Wireless access modes allow operators to obtain relevant information and are more conducive to connecting IoT traffic to the operator’s IoT platform for data exchange.
2.3 Platforms
The platform is the core of the IoT industry verticals. The connections of devices differ from other connections, as the massive data generated by IoT grows exponentially, far exceeding traditional network data volumes, requiring strong computing power support. The main functions of IoT platforms include connection management, device management, and application enablement.
2.4 Learning/Analysis
With the growth of IoT devices and data, the demand for data analysis and traffic analysis has begun to emerge, which requires support from corresponding query, AI algorithms, machine learning, deep learning, and other technologies. We are about to enter the era of 5G and edge computing 2.0, where decentralized architectures that enhance edge computing capabilities can provide a complete ecosystem for IoT.
2.5 Applications
Providing massive applications based on edge computing capabilities closely integrates IoT technology with the digital transformation needs of enterprises, achieving universal intelligent solutions. Various industries of IoT services will transmit the data they collect from their devices through networks and platforms to corresponding IoT servers, and based on the high-value data provided, conduct industrial upgrades, efficiency improvements, and intelligent transformations. Whether procuring, manufacturing, or building, the essential goal of constructing IoT applications is the economic benefits of enterprises.
As networks and applications become increasingly complex, they need to be supported by AI and automation technologies. SaaS (Software as a Service) has changed our understanding of network services, and with the continuous changes in demand and technology, XaaS (Everything as a Service) has emerged, which may become the mainstream service model in the future.
3 IoT Security
Security is the most important challenge for IoT. Security work needs to be ensured from aspects such as (terminal) device security, network security, data security, platform security, and application security.
3.1 Physical Security
Traditional network devices expose their debugging interfaces to anyone with physical access, without any restriction, allowing arbitrary configuration and debugging; the same applies to IoT terminal devices. The storage, authentication, encryption, communication, and interfaces of IoT terminal devices may all become entry points for attackers. Many manufacturers retain hardware debugging interfaces in IoT products. For example, the console interface of a router grants direct high-privilege access for debugging without any authentication. Such interfaces usually carry high privileges and may pose security risks. The same applies to I2C, SPI, USB, SD card slots, and similar interfaces.
For example, the Google Nest thermostat[3] allows a USB drive to be inserted for boot-time updates after the device enters device firmware update (DFU) mode. By exploiting this feature, attackers can upload their own custom images to the device ROM, including the X-loader (first-stage bootloader), U-Boot (the embedded second-stage bootloader that loads the Linux kernel), and a Ramdisk image for loading the file system into memory.
Attackers modify U-Boot to configure it to use a custom Ramdisk (virtual memory disk) to execute the kernel environment. U-Boot uses the attacker’s Ramdisk to boot Linux and install and modify the existing file system of Nest, providing root access to the device. Subsequently, they install the Secure Shell (SSH) tool on the device. Then, attackers bypass network address translation (NAT) and inject Odysseus malware, making it part of the home network, and remotely connecting to the attacker’s server. The “botnet” uses the thermostat to control the entire home network, and attackers may engage in illegal activities such as surveillance and taking personal photos and videos.
3.2 Password Security
Weak passwords are always a seemingly unimportant yet fatal issue in network security. Currently, most IoT terminal devices are based on a simple “CPU + sensor + communication” architecture, designed only to meet functional requirements without considering security. Device security, business logic, and behaviour all rest on the bootstrapping process and the keys it provisions, yet attackers often brute-force credentials to obtain device information and communication data, which can further enable information substitution and impersonation of legitimate devices.
3.3 Computing Environment Security
This attack surface mainly manifests in application defects, system vulnerabilities, and information leakage. For example, most IoT devices currently use embedded systems, and attackers can exploit vulnerabilities in older system versions to obtain system information and open service ports. In addition, the development process often lacks security requirements (no SDL process) and does not strictly filter, validate, or escape input, which may lead to SQL injection or remote code execution when the input reaches a function call.
For example, consider the Edimax IP camera system vulnerability. This camera system consists of three parts: the IP camera, the controller (a smartphone application that communicates with the camera), and the registration and command relay server. Each camera must register with the registration server before it can be reached over the network. Public IoT devices infected with malware (such as Mirai) act as software bots, sending asynchronous stateless TCP SYN probes to guess the 12-character MAC addresses associated with IPv4 addresses on the network, using the confirmation responses to identify valid MAC addresses. They then bind and register with the server following the same steps as a real camera. Next, they send a TCP request to the command relay server, which responds to the software bot with a packet containing the authentication information intended for the original camera. Attackers can easily extract the password from this information, and once they have it, the IP camera is fully under the attacker’s control.
In a specific host system architecture, malicious software can be downloaded and executed, spreading and creating a botnet. In this attack, software bots simulate devices running Linux through internet connections and are used for remote control, included in the botnet.
As attacks such as malicious node insertion become more common, the demand for identity management in IoT devices is also increasing.
3.4 Secure Communication
Communication interfaces allow devices to communicate with IoT networks, cloud platforms, and mobile terminals. Firmware or drivers may become entry points for attacks. For example, man-in-the-middle attacks typically include bypass and chaining methods, where the attacker is positioned in the middle of the communication link, acting as a data exchange role, obtaining user authentication information and device information, and then using replay or wireless relay methods to gain device management permissions. For example, decrypting TLS data using a man-in-the-middle attack to obtain sensitive information.
3.5 Cloud Computing Security
With the development of cloud computing, IoT devices gradually achieve management through connection to the cloud, while vulnerabilities of cloud service providers, user terminal apps, and communication data between the two are all points of entry for attackers. Attackers can forge data for replay attacks to gain device administrator permissions.
3.6 Social Engineering
By extracting users’ personal information, attackers can build profiles of users on home networks in advance, thereby affecting the data confidentiality and integrity of IoT devices.
For example, the garage door opener Chamberlain MyQ vulnerability. Vulnerabilities in smart appliances are easily exploited, allowing attackers to access sensitive data and control IoT devices such as door locks and sensors. After gaining access to user accounts, attackers can not only read the status of the garage door (open, closed, or moving) by monitoring network traffic but can also open or close it. By automatically notifying the door’s status changes via email, attackers can analyze the entry and exit patterns of the household.
3.7 Security Management
Security issues caused by improper management are the largest and hardest to prevent. Weak passwords, exposed management interfaces, and device ID leaks appear to be technical issues, but they invariably result from a lack of SDL process management. Product design phases do not consider authorization and authentication or manage access paths, allowing anyone to obtain the highest control permissions on the device. Developers may hard-code specific accounts and credentials for convenience during testing, and after the product ships these accounts remain in the system. As long as attackers can find this information, they can easily obtain administrator permissions on the device.
4 IoT Device Security Protection
The network security capabilities of devices are technical means possessed by the computing devices themselves (i.e., device hardware and software). The network security baseline for IoT devices should be a set of common device capabilities to support conventional network security controls, protecting enterprise devices, as well as device data, systems, and ecosystems. The purpose of establishing a security baseline is to provide a basic reference for identifying the network security capabilities of new IoT devices being manufactured, integrated, or procured.
Computing devices that integrate physical or sensing capabilities and network interface capabilities are being rapidly designed, developed, and deployed. These devices are designed to meet customer needs but often lack design and consideration for security aspects and are mostly connected to the internet. As devices become smaller and more functional, their security issues become increasingly complex. It is very necessary to define the baseline of network security capabilities for IoT devices, which should be given attention in the face of the security challenges of IoT.
The establishment of security baselines is based on the management methods of common network security risks and the research on the risk response capabilities of IoT devices, refined and validated through collaborative processes and existing viewpoints.
Moreover, the security baseline suggested in this paper is not absolute nor unique. The baseline represents the coordinated work done to define common functionalities, rather than a comprehensive and detailed checklist.
The core baseline represents the minimum security level of a default device, but the network security capabilities of devices typically need to be added to or removed from this set during the design, integration, or procurement of IoT devices to adapt to common security risks. The core baseline does not specify how to achieve the network security capabilities of devices, so organizations adopting the core baseline have great flexibility in implementation. The requirements for each module of the core baseline of network security capabilities for IoT devices are detailed below.
4.1 Logical Access to Interfaces
IoT devices can restrict logical access to local and network interfaces, including the protocols and services used by these interfaces and authorized entities.
(1) Logically or physically disable unnecessary local and network interface capabilities.
(2) Be able to logically restrict access to each network interface, allowing access only to authorized entities (e.g., device authentication, user authentication).
(3) Configuration settings used with device configuration functions, including (but not limited to) the ability to lock or disable accounts for devices, or delay additional authentication attempts after multiple failed attempts.
Restricting access to interfaces can reduce the attack surface of devices, giving attackers fewer opportunities for disruption. For example, unrestricted network access to IoT devices allows attackers to interact directly with the devices, greatly increasing the likelihood of device attacks. Access to interfaces may be partially or completely restricted based on the device’s status. For instance, if a device is not equipped with appropriate network credentials, all actions accessing the network interface will be restricted.
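The following block is an added example, not code from the paper or from any vendor, showing how the three items above look in practice on a device: unneeded interfaces stay disabled, only authenticated entities pass an enabled one, and repeated failures first impose an escalating delay and then lock the account until an authorized administrator unlocks it. The credential store, the interface names, and the policy numbers are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed sample credential store and lockout policy; no real device API is assumed.


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so a leaked store does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class InterfaceGate:
    """Gate in front of a local or network interface on the device.

    Baseline item (1): interfaces not in `enabled` are refused outright.
    Baseline item (2): an enabled interface admits only authenticated users.
    Baseline item (3): after `max_failures` consecutive failures each further
    failure doubles a delay; after `lock_after` failures the account is locked
    until an authorized entity calls unlock().
    """

    def __init__(self, enabled_interfaces, max_failures=5, base_delay=2.0,
                 lock_after=10, clock=time.monotonic):
        self.enabled = set(enabled_interfaces)  # e.g. {"https"}; "console" and "telnet" stay off
        self.max_failures = max_failures        # failures before delays start
        self.base_delay = base_delay            # seconds; doubles with each further failure
        self.lock_after = lock_after            # failures before a hard lock
        self.clock = clock                      # injectable so tests need not sleep
        self._users = {}                        # username -> (salt, pbkdf2 hash)
        self._failures = {}                     # username -> consecutive failures
        self._not_before = {}                   # username -> time before which attempts are rejected
        self._locked = set()
        self._dummy_salt = os.urandom(16)       # keeps timing uniform for unknown users

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def unlock(self, username):
        """Invoked by an authorized administrator over a separately authenticated path."""
        self._locked.discard(username)
        self._failures.pop(username, None)
        self._not_before.pop(username, None)

    def authenticate(self, interface, username, password):
        """Returns one of: interface-disabled, locked, delayed, failed, ok."""
        if interface not in self.enabled:
            return "interface-disabled"
        if username in self._locked:
            return "locked"
        now = self.clock()
        if now < self._not_before.get(username, 0.0):
            return "delayed"
        # Unknown users are hashed against a dummy salt so the response time does
        # not reveal whether the account exists.
        salt, stored = self._users.get(username, (self._dummy_salt, b""))
        candidate = _hash_password(password, salt)
        if stored and hmac.compare_digest(candidate, stored):
            self._failures.pop(username, None)
            self._not_before.pop(username, None)
            return "ok"
        n = self._failures.get(username, 0) + 1
        self._failures[username] = n
        if n >= self.lock_after:
            self._locked.add(username)
            return "locked"
        if n >= self.max_failures:
            self._not_before[username] = now + self.base_delay * 2 ** (n - self.max_failures)
        return "failed"
```

The delay state lives per account, so a single wrong guess from a legitimate user costs nothing, while a brute-force sequence hits the delay after a handful of attempts and a hard lock shortly after; the unlock path is deliberately separate from the authenticated interface so that it can be restricted to the device owner or fleet administrator.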
4.2 Device Identification
IoT devices can be uniquely identified logically and physically.
(1) Unique logical identifiers.
(2) Authorized entities can access unique physical identifiers at external or internal locations on the device.
Unique logical identifiers can be used to distinguish devices and are typically used for automated device management and monitoring. This may require them to be immutable, so that a device can be consistently identified by its identifier. Unique logical identifiers can also be used for device authentication, but identifiers appropriate for that purpose should be chosen. When unique logical identifiers are unavailable, such as during device deployment and decommissioning, or after device failures, unique physical identifiers can be used to distinguish the device from others. This capability may also require an additional logical identifier, which does not have to be unique and can be used for more specific purposes, such as signalling device intent.
4.3 Device Configuration
The software configuration of IoT devices can be changed and can only be performed by authorized entities, specifically as follows.
(1) The ability to change the software configuration of the device.
(2) The ability to make configuration changes only for authorized entities.
(3) The ability for authorized entities to restore the device to a security configuration defined by authorized entities.
An authorized entity may need to change the device configuration for various reasons, including network security, interoperability, privacy, and availability. Without device configuration capabilities, authorized entities cannot meet their needs and cannot integrate the device into the authorized entity’s environment. Most network security capabilities depend at least to some extent on the presence or absence of device configuration capabilities. Unauthorized entities may change device configurations for various reasons, such as gaining unauthorized access, causing device failure, or secretly monitoring the device’s environment. The ability to restore a secure configuration is helpful when the existing configuration contains errors, has been compromised or damaged, or is no longer considered a trusted device.
4.4 Data Protection
IoT devices can protect their stored and transmitted data from unauthorized access and modification, specifically as follows.
(1) The ability to use demonstrably secure cryptographic modules implementing standardized cryptographic algorithms (such as authenticated encryption, cryptographic hashes, and digital signature verification) to prevent the confidentiality and integrity of data stored on and transmitted by the device from being compromised.
(2) The ability for authorized entities to render all data on the device inaccessible to all entities, whether previously authorized or not (e.g., by erasing internal storage or destroying the encryption keys of encrypted data).
(3) Configuration settings used with device configuration functions, including but not limited to the ability for authorized entities to configure the use of encryption, such as selecting key lengths.
Authorized entities (such as customers, administrators, users) wish to protect the confidentiality of the data they want to protect, so that unauthorized entities cannot access and misuse their data. Authorized entities typically want to protect the integrity of their data to prevent unintentional or intentional changes to data, as changes can lead to various adverse consequences (such as issuing incorrect commands to devices, hiding malicious activities).
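To make items (1) and (2) concrete, the block below is an added example (not code from the paper or from any product) of a device-side data protector: stored data is protected with an encrypt-then-MAC construction so that tampering is detected before any plaintext is released, and an authorized entity can make all protected data permanently unreadable by destroying the keys rather than scrubbing every storage block. It uses only the Python standard library, so the cipher is an HMAC-SHA256 keystream with a separate HMAC tag (a PRF-based stream cipher, an assumption made here to keep the example dependency-free); a shipping device would use AES-GCM or another authenticated cipher from a validated cryptographic module as the paper recommends. The master key and sample reading are constructed values.

```python
import hashlib
import hmac
import os

# Constructed demonstration of authenticated storage plus cryptographic erasure.
# Stand-in cipher: HMAC-SHA256 in counter mode as a keystream, encrypt-then-MAC.
# Real devices should use an authenticated cipher from a validated module.


class DataProtector:
    NONCE_LEN = 16
    TAG_LEN = 32

    def __init__(self, master_key: bytes):
        # Separate keys for confidentiality and integrity, derived from one master key.
        self._enc_key = bytearray(hmac.new(master_key, b"enc", hashlib.sha256).digest())
        self._mac_key = bytearray(hmac.new(master_key, b"mac", hashlib.sha256).digest())
        self.destroyed = False

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out = bytearray()
        counter = 0
        while len(out) < length:
            block = hmac.new(bytes(self._enc_key),
                             nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            out += block
            counter += 1
        return bytes(out[:length])

    def encrypt(self, plaintext: bytes) -> bytes:
        """Returns nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
        self._require_keys()
        nonce = os.urandom(self.NONCE_LEN)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(bytes(self._mac_key), nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def decrypt(self, blob: bytes) -> bytes:
        """Verifies the tag in constant time before decrypting; raises on any modification."""
        self._require_keys()
        if len(blob) < self.NONCE_LEN + self.TAG_LEN:
            raise ValueError("truncated record")
        nonce, ct, tag = blob[:self.NONCE_LEN], blob[self.NONCE_LEN:-self.TAG_LEN], blob[-self.TAG_LEN:]
        expected = hmac.new(bytes(self._mac_key), nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed: record modified or wrong key")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))

    def destroy_keys(self):
        """Cryptographic erasure: overwrite key material so every record becomes unreadable.
        (Python cannot guarantee no other copies of the bytes exist; on a device this
        would target a hardware key slot or a dedicated zeroised key store.)"""
        for key in (self._enc_key, self._mac_key):
            for i in range(len(key)):
                key[i] = 0
        self.destroyed = True

    def _require_keys(self):
        if self.destroyed:
            raise RuntimeError("keys destroyed; data is no longer accessible")


def demo_record() -> bytes:
    """Constructed sample: one sensor reading protected with a constructed master key."""
    protector = DataProtector(b"\x01" * 32)
    return protector.encrypt(b"sensor reading 21.5C")
```

Because integrity is checked before decryption and the verification uses a constant-time comparison, a modified record is rejected without leaking anything about the plaintext, which is the "hiding malicious activity" case the paragraph warns about; after destroy_keys() the same ciphertext remains on flash but no entity, previously authorized or not, can recover it.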
4.5 Software Updates
IoT device software can only be updated by authorized entities using secure and configurable mechanisms, specifically as follows.
(1) The ability to update device software through remote (e.g., network downloads) and/or local means (e.g., removable media).
(2) The ability to confirm and authenticate before installing any updates.
(3) Authorized entities can roll back updated software to previous versions.
(4) The ability to restrict updates to only authorized entities.
(5) The ability to enable or disable updates.
(6) Configuration settings used with device configuration functions, including but not limited to: the ability to configure any remote update mechanism for downloading and installing updates; the ability to enable or disable notifications when updates are available and specify the entities or content to be notified.
Updates can eliminate vulnerabilities in IoT devices, reducing the likelihood of attackers compromising devices, correcting operational issues in IoT devices, thereby improving device availability, reliability, and performance capabilities. Some authorized entities may require the ability for automatic updates to meet their network security goals and needs, while others may prefer or need more direct control over updates and their applications. Some organizations may wish to provide rollback capabilities without impacting critical applications or integrating with other systems, while others may want to eliminate the risk of software rolling back to vulnerable versions.
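As an added example (not the paper's code and not any vendor's update client), the block below implements the six update capabilities listed above in one small update manager: the update path can be enabled or disabled, only authorized entities may trigger an update or a rollback, the manifest is authenticated before anything is installed, the image hash is checked against the manifest, and a per-deployment policy decides whether older versions may ever be installed, which is the trade-off the last sentence of the paragraph describes. The HMAC over the manifest is a stand-in for the vendor's digital signature (an assumption so the example needs no third-party library); a real device verifies an asymmetric signature against a vendor public key held in immutable storage. The vendor key, manifest fields, and images are constructed values.

```python
import hashlib
import hmac
import json

# Constructed demo. The HMAC over the manifest stands in for a vendor signature;
# a production device would verify an asymmetric signature with a pinned public key.


def _canonical(manifest: dict) -> bytes:
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_manifest(vendor_key: bytes, manifest: dict) -> bytes:
    """Vendor side: authenticate the manifest (version number + image hash)."""
    return hmac.new(vendor_key, _canonical(manifest), hashlib.sha256).digest()


def _parse_version(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))


class UpdateManager:
    def __init__(self, vendor_key: bytes, installed_version: str, installed_image: bytes = b"",
                 authorized=(), allow_rollback: bool = False, updates_enabled: bool = True):
        self._vendor_key = vendor_key
        self.installed_version = installed_version
        self._image = installed_image
        self._previous = None                  # (version, image) retained for rollback
        self.authorized = set(authorized)      # entities allowed to update or roll back
        self.allow_rollback = allow_rollback   # policy: may an older (or equal) version be installed?
        self.updates_enabled = updates_enabled # capability (5): updates can be switched off

    def apply_update(self, manifest: dict, signature: bytes, image: bytes, requester: str) -> str:
        """Returns: disabled, unauthorized, bad-signature, bad-hash, rollback-blocked, installed."""
        if not self.updates_enabled:
            return "disabled"
        if requester not in self.authorized:                         # capability (4)
            return "unauthorized"
        expected = sign_manifest(self._vendor_key, manifest)
        if not hmac.compare_digest(signature, expected):             # capability (2)
            return "bad-signature"
        if hashlib.sha256(image).hexdigest() != manifest["sha256"]:  # image matches signed manifest
            return "bad-hash"
        if (not self.allow_rollback and
                _parse_version(manifest["version"]) <= _parse_version(self.installed_version)):
            return "rollback-blocked"                                # anti-downgrade policy
        self._previous = (self.installed_version, self._image)
        self.installed_version, self._image = manifest["version"], image
        return "installed"

    def rollback(self, requester: str) -> str:
        """Capability (3), gated by the same authorization and rollback policy."""
        if requester not in self.authorized:
            return "unauthorized"
        if not self.allow_rollback:
            return "rollback-disabled"
        if self._previous is None:
            return "nothing-to-roll-back"
        self.installed_version, self._image = self._previous
        self._previous = None
        return "rolled-back"
```

The checks are ordered so that the cheapest and most policy-driven ones run first and no byte of the image is trusted until both the manifest authentication and the hash comparison succeed; the version comparison uses numeric tuples so that "1.10.0" correctly sorts after "1.9.0". Setting allow_rollback per deployment lets the organization that needs rollback for critical applications keep it, while the one that wants to rule out downgrades to vulnerable versions switches it off.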
4.6 Network Security Status Monitoring
IoT devices can report their network security status and only allow authorized entities to access this information, specifically as follows.
(1) The ability to report the network security status of the device.
(2) The ability to distinguish when the device may be operating normally and when it may be in a network security degradation state.
(3) The ability to restrict access to status indicators, controlling that only authorized entities can view them.
(4) The ability to prevent any entity (authorized or unauthorized) from editing the status indicators, except for those entities responsible for maintaining device status information.
(5) The ability to make status information available as a service on another device, such as event/status log servers.
Network security status monitoring helps investigate compromises, identify abuse, and resolve certain operational issues. How a device makes other entities aware of its network security status will depend on specific needs and objectives, and may include capturing and recording information events, storing them on the device, sending signals to external monitoring systems, or raising alerts through an interface on the IoT device itself.
The network security capabilities discussed in this paper are merely a basic reference, providing potential methods to meet common network security needs and objectives. For example, the six parts defined in Figure 2[4] can be viewed in conjunction with the security baseline discussed above.

Figure 2 Core Device Network Security Capabilities Supported by Risk Mitigation Areas
Figure 2 outlines the common risk mitigation areas considered in the security baseline, and we should understand these areas based on the baseline. IoT devices equipped with the basic network security capabilities described in the baseline can help most organizations more easily meet their network security needs and objectives, but in reality, they may face different, more specific risk mitigation areas. Therefore, it cannot be limited to just the six parts of the baseline.
5 Recommendations for IoT Device Security Development
Although the IoT device network security baseline can address the security risks of the vast majority of attack surfaces, it does not represent absolute security. Here are four recommendations.
(1) Reverse the situation of insufficient investment in reducing network risks.
Emphasize the importance of actively investing in network security. A constantly changing environment requires organizations to invest heavily in new technologies, processes, and compliance. For most publicly listed companies and large enterprises, network investment decisions often flow from the company’s board to management. On the other hand, small and medium-sized enterprises lack resources and capabilities to invest in IT security, making them preferred targets for cybercriminals. The 5G technology requires substantial security investments as it brings new risks that current traditional means cannot control. Small and medium-sized enterprises, smart home users, and all companies providing critical infrastructure products or services must step up efforts to proactively address cybersecurity risks.
(2) Emphasize DevSecOps.
For most programmers today, creating secure applications requires integrating DevSecOps into the development process. This means building security practices into every stage of the development lifecycle, rather than bolting security onto an already completed product. It requires treating cybersecurity as a design input to the development process, considering it continuously, and applying it to all new projects. Integrating security is more important than ever, not only in software but also in hardware and firmware development. This may require regulators to establish rules under which minimum security requirements are enforced in all hardware and software development environments, similar to the way GDPR and the California Consumer Privacy Act both specify minimum criteria for data protection.
(3) Device Inspection and Certification.
Protecting IoT devices from attacks is crucial for ensuring network security. Therefore, the government should inspect and certify devices before they connect to the network. Certification should begin at the production stage, verifying the effectiveness of the DevSecOps process, and end at the consumer stage; at the consumer level, only certified products should be sold.
(4) Strengthen Regulation and Standardization Work.
Regulatory authorities should introduce relevant laws and regulations to constrain IoT device manufacturers and service providers, focusing on key technologies under the international standard framework, jointly promoting security standards, and accelerating the formation of security solutions covering multiple application scenarios. Strengthen the security system construction of products and services, strictly adhering to security standards and specifications throughout the entire lifecycle, including design, research and development, and operation and maintenance.
6 Conclusion
Determining the precise security capabilities required for devices should consider the expected conditions of the IoT devices themselves. Based on industry research, further define the security capabilities of devices and add new elements. This means that device security functions can be used to support risk mitigation measures in other areas (e.g., penetration testing or other forms of component testing/validation, specific network architectures can reduce risks).
At the same time, beyond risk mitigation measures, attention should be given to other factors that may affect device security, such as considerations of customer and practical availability, roles and responsibilities related to network security, the distribution of customer expectations, and whether the social demand and goals for network security (such as resisting the development of botnets) can directly reflect customer needs and objectives.
IoT technology, with its advantages, has been significantly applied in multiple fields. However, due to its characteristics, it is easily susceptible to various security threats. Compared to abroad, there is still a certain gap in the development of IoT technology in China, and many issues remain to be addressed during the development process. Currently, research and solutions for IoT security issues are still immature, and relevant organizations and cybersecurity researchers should work together to create a complete IoT ecosystem.
References
[1] Hecun Masato, Otsuka Hiroshi. Illustrated Internet of Things [M]. People’s Posts and Telecommunications Press, 2018.
[2] Zhou Chenguang. Revealing the Principles, Practices, and Solutions of the Internet of Things [M]. Tsinghua University Press, 2019.
[3] Tejasvi Alladi, Vinay Chamola, Biplab Sikdar. Consumer IoT: Security Vulnerability Case Studies and Solutions [J]. IEEE Consumer Electronics Magazine, 2020, 9(2): 17-25.
[4] NIST. NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline [S], 2020.
[5] NIST. NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks [S], 2019.
[6] China Academy of Information and Communications Technology. 5G Security Report [R], 2020.
[7] National Standardization Management Committee. GB/T 37025-2018 Information Security Technology IoT Data Transmission Security Technical Requirements [S], 2019.
[8] National Standardization Management Committee. Information Security Technology IoT Perception Terminal Application Security Technical Requirements (Draft for Comments) [S], 2019.
Research on the security capability baseline of IoT devices
GAN Xiang1, ZHAO Zeguang2, LIU Yu1, LIU Muqing2
(1. Tencent Security Platform Dpt, Shenzhen 518052, China;
2. Tencent Keen Security Lab, Shenzhen 518052, China)
Abstract: This paper discusses the security issues of IoT devices, points out the current attack surfaces, and then defines a group of common device capabilities to support conventional cybersecurity, protecting devices, data, and systems. Based on device security, this paper analyses the threats and gives recommendations for protection strategies and security development.
Key words: IoT; security baseline; cyber attack
This article was published in Information Communication Technology and Policy, 2020, Issue 11.