Following the Dyn attacks in 2016 and the recently discovered “Devil’s Ivy” vulnerability, IoT devices are no longer simply the new trend in the security industry. Now, they are also the focus of cybersecurity strategies.
The Dyn attacks revealed that “IoT devices can be used for nefarious purposes,” says Mathieu Chevalier, head of Genetec’s cybersecurity team in the product development department.
“Even though a device may not have valuable information or assets, it could still be a target of attack,” adds Jerry Zhang, director of security product line, Dahua. “The attack on IoT devices was not the ultimate objective in the Dyn attacks in 2016.”
Hackers targeted domain name servers (DNS) for the provider Dyn (now Oracle) through the Mirai botnet, which used vulnerabilities in “an army of IP cameras and NVRs and DVRs” to overload the DNS, explains Chevalier.
“The Mirai botnet primarily consists of insecure IoT devices: insecure cameras, insecure routers,” adds BlackBerry’s chief security officer Alex Manea. “The coders looked for, I believe, 60 different default username and password combinations that were put on those routers and on those cameras.”
Ryan Zatalokin, senior technologist, Axis Communications, says the industry has encouraged end users and installers to use strong passwords and either isolated networks or networks behind a firewall to prevent hackers from exploiting the devices.
“The biggest thing is it’s not just cameras or other Axis devices (in our case), but it’s any network device that’s potentially at risk,” he elaborates. “So it’s not just about securing one type of device on the network, it’s about securing all devices on the network.”
Manea agrees: “Anything that’s connecting to your enterprise network that’s also connecting to the Internet is going to become a security threat. So you need to a) make sure you can manage all of those endpoints and b) make sure you can send software updates to those endpoints, because if you have IoT endpoints you can’t update and somebody hacks them, you’re toast.”
The rise of new botnets makes securing IoT endpoints even more critical, as seen with the discovery of the “Devil’s Ivy” vulnerability last summer.
“Devil’s Ivy was an attack on a third party library that was used by multiple vendors,” explains Chevalier. That third-party library was source code called gSOAP, produced by Genivia.
This time, hackers used a different botnet, the Reaper botnet. They sent two GB of data to the devices, running code that could disable them, install malware on them or intercept a video stream.
Ethical hackers at security firm Senrio initially found the vulnerability in an Axis camera.
In response to this vulnerability, Axis worked with Genivia to “crack their source code,” explains Zatalokin, and then deployed a patch to fix the vulnerability.
Since a number of ONVIF members used the same source code, Axis then also informed the organization about this vulnerability.
According to Chevalier, manufacturers then conducted internal assessments to determine if their products were vulnerable. If that was the case, they provided firmware to patch the vulnerability.
Although Genetec recently issued a new feature in its Security Center platform to help manufacturers patch vulnerabilities, Chevalier says “it’s really the customer’s responsibility to keep its IoT devices updated.”
Lessons learned: education is key
As such, Axis, Dahua and Genetec have focused strongly on education, not just for the dealers and installers, but for the end user as well.
“User awareness and engagement are very important steps to cybersecurity,” says Zhang. “As reported in OWASP [Open Web Application Security Project] Top 10 — 2017, security misconfiguration is one of the most commonly seen issues. It is important to establish effective communication to users about security threats, software fixes and best practices.”
Chevalier agrees. “What we try to do first is warn our customers about [a vulnerability],” he says.
For example, Genetec issued a security advisory on its website about the Devil’s Ivy vulnerability.
“Even though our products weren’t directly affected, we know our customers might be using products that are affected, so we try to let them know that they might have to do something,” he explains.
In Genetec’s newest version of the Security Center, Security Center 5.7, a page informs customers if they use weak passwords, and warns users if they leave the default passwords on their devices.
Additionally, the software platform provides firmware upgrades.
“This is the second most important thing you can do to secure your IoT devices,” explains Chevalier. “In the last version of our software, 5.7, we’ve come up with the automatic warning. So if you use, let’s say, an Axis camera that is vulnerable because the software is old, we are getting that information on our websites, and then we’re showing it to the user inside Security Center directly.”
Likewise, a few years ago, Axis began an education campaign to increase awareness among its engineers and sales force, as well as in its R&D department.
Axis also has a dedicated web page for CVEs (Common Vulnerabilities and Exposures), where the company publishes information about vulnerabilities that may affect its products and advice regarding risk mitigation.
“A lot of this also still comes down to education. Even just as short as a few years ago, people were still using the default passwords on our products and the other vendors’ products, and it’s obvious in this day and age that it’s something that really can’t be done,” Zatalokin says.
Axis also introduced features such as a password strength indicator and disabled services on a number of legacy products in 2017.
New cybersecurity features
This doesn’t mean that the security firms aren’t taking steps to increase the security of IoT devices.
While Dahua’s products weren’t affected by the Devil’s Ivy vulnerability, the company has made cybersecurity mandatory in product design, and began implementing the Dahua cybersecurity baseline standard in firmware releases in July 2017.
“We have adapted advanced scanning tools to screen our products against known vulnerabilities,” Zhang adds. “Penetration tests are conducted by independent test teams. We keep updating the Dahua cybersecurity baseline standard to reflect the change in cybersecurity threat.”
Additionally, the Dahua Cybersecurity Center was established in early 2017 to receive security vulnerability reports, communicate security announcements and notices, and share cybersecurity knowledge with its customers.
Genetec is also introducing a new platform to raise more awareness: the Genetec Trust Center. The Trust Center will provide resources and content material for everyone from integrators to consultants to end users, evaluating the security and integrity of their hardware and software.
Axis is also focusing on securing platforms. The company now has the tools to deploy encryption by default.
“We’ve introduced HTTPS [HTTP Secure] by default in our products so that when you initially log into your products that connection is secure. So if somebody was eavesdropping on the network, they wouldn’t be able to see things like usernames and passwords,” Zatalokin explains.
Zatalokin believes these changes “have greatly reduced the chances of somebody finding a simple exploit that they can attack our products with.”
— With files from Neil Sutton