Internet of Things: Too Many Devices For Traditional Scrutiny

In recent weeks, security researcher Michael Jordon from the consultancy Context set social media circles on fire. His research demonstrated a port of the first person shooter game Doom running on the tiny LCD panel found on a Canon printer. The story quickly made the rounds because of the novelty of seeing a classic game running on a non-gaming platform.

Getting the game running on the printer's hardware is certainly a clever hack in itself, but the real point of his research is the risk that network-connected devices face. He loaded the code onto the device by exploiting a number of its security weaknesses. The net result is humorous in this case, but it could just as easily have been damaging code. Let's examine why.

There were several security weaknesses baked into the device in question. For starters, the administrative web interface did not require any authentication. As a result, anyone could tinker with the device without needing any credentials. While this could lead to some general mayhem, Jordon took an additional measure to trick the device into downloading a firmware update that contained the proof of concept payload.

The firmware did not have any code signing; it was merely obfuscated with an XOR mask. With further analysis and some educated guesses, Jordon was able to ascertain the mask, which allowed him to create a new payload that the printer happily consumed and installed.
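The difference between obfuscation and code signing is the whole lesson here, so the following added example (not code from Context or the printer vendor) contrasts a loader that only de-XORs an image with one that first verifies an integrity tag. It assumes a constructed firmware blob, a hypothetical repeating XOR mask and a hypothetical signing key, and uses an HMAC as a stand-in for the public-key signature a real device would check.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample image and keys; none of these are real printer values.
FIRMWARE = b"PRINTER-FW v1.0\x00" + b"\x00" * 16 + b"do_print(); " * 4
MASK = bytes([0xA5, 0x5C, 0x3F, 0xE1])      # hypothetical repeating XOR "obfuscation" mask
SIGNING_KEY = b"hypothetical-vendor-key"      # stand-in for the vendor's signing key
TAG_LEN = hashlib.sha256().digest_size        # 32 bytes


def xor_mask(data: bytes, mask: bytes) -> bytes:
    """Repeating-key XOR. Symmetric: the same call obfuscates and de-obfuscates."""
    return bytes(b ^ mask[i % len(mask)] for i, b in enumerate(data))


def weak_loader(update: bytes) -> bytes:
    """Loader with the weakness described above: anything that de-XORs is installed."""
    return xor_mask(update, MASK)


def sign_update(firmware: bytes) -> bytes:
    """Vendor side: append a MAC over the plaintext image, then apply the same obfuscation."""
    tag = hmac.new(SIGNING_KEY, firmware, hashlib.sha256).digest()
    return xor_mask(firmware + tag, MASK)


def hardened_loader(update: bytes) -> Optional[bytes]:
    """Loader that installs only images whose tag verifies; returns None on rejection."""
    plain = xor_mask(update, MASK)
    if len(plain) < TAG_LEN:
        return None
    image, tag = plain[:-TAG_LEN], plain[-TAG_LEN:]
    expected = hmac.new(SIGNING_KEY, image, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return image


def flip_byte(update: bytes, index: int) -> bytes:
    """Flip one bit of the obfuscated image, as transit corruption or tampering would."""
    patched = bytearray(update)
    patched[index] ^= 0x01
    return bytes(patched)


if __name__ == "__main__":
    genuine = sign_update(FIRMWARE)
    forged = xor_mask(b"FORGED IMAGE", MASK)          # knows the mask, has no signing key
    print("weak loader installs forged image:", weak_loader(forged) == b"FORGED IMAGE")
    print("hardened loader rejects forged image:", hardened_loader(forged) is None)
    print("hardened loader rejects 1-bit change:", hardened_loader(flip_byte(genuine, 0)) is None)
```

Once the mask is known, the weak loader accepts any image at all, and even without the mask a single flipped bit passes straight through the XOR into the installed code; only the tag check catches either case.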

As the Internet of Things grows, we won't have the ability to scrutinize every device on our network. There will be security oversights and bugs in the code, and some of them will be exploitable. But we can apply next-generation network security to prevent unnecessary levels of access to those devices.

To start, any type of shell, file transfer or remote access tool should be managed very carefully and reserved for administrative purposes only. Shell-level access to the device is almost never necessary for the end user, and it is a key way to compromise the device. End-user functions and administrative functions should be scrutinized closely and separated where possible.

Second, all security professionals should think about which zones the device needs to communicate with. It goes without saying that the device's interface should not be Internet facing, yet a quick scan of the Internet with device search tools such as Shodan shows that many devices are exactly that. Think of this as network segmentation: keeping your devices in a segregated network is a smart way to isolate them and better scrutinize what types of traffic they generate. Even when a device is placed in the correct zone, it should still have limited interaction with the Internet to stop unnecessary communication.

Third, a device could be compromised through out-of-band means, or it could have been compromised before it was ever brought into the organization. The same principles used for disrupting an APT apply here: use threat prevention measures and policy control to spot unusual activity coming from the device.

As organizations further expand their application of “zero trust” network principles, these planning measures should start to become the norm rather than the exception for dealing with the Internet of Things. Start your planning by not trusting any device on your network, and provide only minimal levels of access to other network services.