A playbook to secure IoT against attacks

Mark Lambe

“A team of IBM hackers has discovered a vulnerability in a component used in millions of mobile Internet of Things (IoT) devices. 

Source: ZDNET

Preventing exposure to IoT attacks

The truth is, the risks associated with the Internet component of IoT are never far from the headlines as per the recent article on ZDNET. In this blog, I will assess IoT risks and present a playbook to secure IoT, by answering key questions that I hear most from customers:

  1. Why does IoT remain vulnerable and exposed to malicious attacks?
  2. Can we do more to protect our IoT deployments against the unknown?

Why does IoT remain Vulnerable?

Ripple20 was this summer’s hottest vulnerability; it exposed a vulnerability in a communication library prevalent in many devices. Additional headlines that appeared over the summer included hardware vendors with weaknesses in their software stack.

Secure communications use Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL). The history of security libraries has demonstrated numerous vulnerabilities exposed over the years. Even for a robust operating system, TLS/SSL libraries have had exposures, one such vulnerability been HeartBleed.

With the emphasis on speed to market and cost, developers have a choice of licensing libraries or building on known working libraries, even if they are 20 years old. The old cliché of “If it’s not broken, don’t fix it!” comes to mind.

A playbook to secure IoT against attacks, in 6 simple steps:

Vulnerabilities are a fact of life in telecoms. But what can we do to mitigate against risks of the IoT attacks? The following are a few suggestions on how we can help rebuild confidence in IoT.

1. The Private Internet of Things

The “Internet” part of the IoT acronym is where the challenge lies; everyone can see everything connected to it. Organizations persist in connecting to the public network using public static IP addresses, as it was the only way to manage and enable remote access to their devices.

At Asavie, we advocate the idea of a Private Internet, a network that any organization with minimal IT resources can control. The key is for an organization to be able to assign private static IP addresses to a bi-directional network, facilitating secure remote access and control over connected devices. When coupled with 360-degree enterprise visibility of all traffic, organizations have the foundation to build a robust, in-depth security strategy for IoT.

2. No by-pass Network-based controls

Using the example of a Local Area Network (LAN), the IT administrator applies policies at a network level. At Asavie, we believe that a similar capability is crucial to secure all corporate-owned mobile IoT endpoints outside the organization.

Network-based policies circumvent the ability to by-pass security —irrespective of a human or malware interference on the device. The fundamental separation of the security plane from the device makes it easier to roll-out IoT deployments at scale. Furthermore, by allowing IT control over the network and security, the Operations Technology (OT) team can focus on the core job of delivering value from the IoT data.

A private internet with network-based controls mitigates against the risks of unknown vulnerabilities. In some cases, serious vulnerabilities may never have to be patched, as there is no exposure to the public Internet.

3. Principle of least privilege (or zero-trust by another name)

The principle of least privilege is by far the easiest security methodology to adopt in IoT. In basic terms, IoT gateways collect and transmit data to known destinations. Therefore, applying an IP access list and DNS whitelist policy means the device can only ever communicate with legitimate addresses or locations. When applied at a network level, the result is:

  • No settings are required on the device: simplifying setups and enabling faster roll-outs
  • No security by-pass: reduced exposure and risk from human tampering on the device
  • Consistent security: all devices have the same security posture irrespective of location
  • Device freedom: not constrained by device capabilities of OS, memory, or power

4. Secure IoT identities

Seeding trust in the communication from an IoT device is a significant hurdle to overcome. Traditionally, digital credentials of the form X.509 are used. The issue is that each device requires unique credentials, which is cumbersome to implement and maintain at scale.

The advantage of cellular IoT is that there is a secure and tamper-proof identity available in the form of the subscriber identity module (SIM). The identity provides secure authentication and authorization for a device to connect into a private network. SIM identities simplify inventory management, assignment of policies, and act as a means to anchor secure access to IoT servers and public IoT cloud services.

5. Secure DNS

Domain Name System (DNS) is the base protocol used to communicate on the Internet. It is increasingly evident that whoever controls the DNS response can influence and control how IoT endpoints behave.

Poisoning public DNS resolvers is a way that malicious actors target IoT on the Internet. Furthermore, by spoofing DNS services, malicious actors can obfuscate command and control servers responsible for malware and ransomware attacks, resulting in unsuspecting mobile endpoints connecting to the hostile service and being infiltrated.

As part of the private network capability, I recommend that a secure DNS is made accessible. One way to achieve this is to control the route of all DNS requests. The DNS should be from a trusted source in the private network or behind a firewall within the organization.

Several critical advantages of controlling the DNS are:

  • No embedded static IP addresses: future-proofing the agility to move server locations
  • Optimized DNS responses: reduce data needs over the lifetime of the deployment, with indirect savings on power and dollars
  • Enhanced security: responses limited to essential addresses, restricting the ability to freely connect to the internet

6. Credential free devices

Cloud providers such as AWS, Azure, and Google are traditionally reliant on seeding an identity using X.509 digital credentials; if credentials are exposed due to a vulnerability, as per our headline, the impact could mean compromised data sent to the cloud.

At Asavie, we believe there is a better and more efficient way to secure access to the cloud by building secure access intelligence into the private network. The benefit of automating access to the cloud simplifies roll out of scaled deployments. However, by placing the burden of cloud access security in the network, there is no need for credentials on the device. Thus, eliminating the risk associated with tampering or of an unknown vulnerability exposure.

Have IoT attacks or vulnerabilities impacted you?

If you are concerned or impacted by exposure in a cellular IoT deployment, Asavie can help. With a simple Access Point Name (APN) update, any cellular IoT fleet, of any scale, can be taken off the public Internet and onto a private network within hours. With the Private Internet of Things, get the peace of mind and confidence that IoT remains safe against the unknown.

To learn more:

Check out our IoT solution pages and case studies for more ideas on securing IoT:
Asavie Secure IoT Solutions and Use Cases.

Or if you require further details on any of our services, please get in touch: support@asavie.com