IoT security is like a game of Whac-A-Mole. Fix one CVE and four new bugs pop up.
Last month, researchers found a slew of vulnerabilities in Axis cameras that could enable an attacker to access camera video streams, control the camera, add it to a botnet or render it useless. Also in June, IP camera manufacturer Foscam urged customers to update their security cameras after researchers found three vulnerabilities that could enable a bad actor to gain root access to the devices by only by knowing the camera’s IP address.
Both of these security issues were found by IoT security company VDOO. Threatpost talked to Netanel Davidi, founder and co-CEO of VDOO, about the IoT security market and what threats to look out for.
TP: The vulnerabilities you found in the business-class Axis IP cameras and consumer-focused Foscam cameras are quite different. How were the security threats you found inside them different and similar?
Davidi: Axis and Foscam for us represent two sub-segments of the camera market, but they’re both different from each other, in terms of the technologies surrounding them, and the impact of the threats on their users.
A successful attack on a baby camera — which is one of the things Foscam makes — would have a significant impact on the privacy of the end user. An attack on a professional surveillance camera at an airport — one of the things Axis is making — will have financial or operational impacts. It would even impact the physical security of locations.
Home cameras are highly distributed, they rarely have centralized management systems. Meanwhile professional cameras have management systems. Now, clearly those differences create different threats and attack landscapes. But surprisingly enough, our research shows that they still have common mistakes in both the consumer cameras and the high-end cameras. These are both related mostly to inappropriate implementation of security building blocks during device manufacturing and device deployment.
TP: What’s the biggest threat out there for IoT devices right now?
Davidi: We see three major trends. The first is about utilizing connected devices to blackmail their owners whether by hijacking the device and impacting its operation or by stealing sensitive data from it such as video stream. The second is utilizing connected devices for lateral movement, meaning to target other assets in the same networks in which the devices resides. The third, is to utilize a large number of devices for intensive tasks such as attacking other targets (AKA dDoS attacks), decrypting files or mining bitcoins.
TP: What kind damage can attacker do once they gain access to IoT devices?
Davidi: I’ll start by saying that practically, the thing that attackers can do with these vulnerabilities begins with the very specific functionalities of the cameras targeted and what device are made to do. If it’s a camera, the target functionality is around the camera, but also… facial recognition and motion detection. All will be available to the attacker to utilize. And if you are connected to other devices like a pacemaker or insulin pump, the attacker can reach those devices and turn them off as well.
Usually it’s not only about the functionality of the device, but about the ability to get root permissions. Because once the attacker achieves this they can do practically anything – not only things that the device was made to do. With control of a device, an attacker can utilize it for other purposes like attacking other parts of the networks through the device, utilize the device to mine bitcoins, to run denial of service attacks, or to simply embarrass the owner. That’s also one of the trends that we are seeing.
With IoT, it’s more than IT. It’s not just about data. It’s about making a physical impact as well.
TP: How open are connected device manufacturers to making IoT security a priority at this point?
Davidi: We are working with many manufacturers and entities in the supply chain – like service providers, software design providers, the integrators. We see that there is a direct correlation with companies that work with the entire supply chain and more secure devices.
The attackers are getting more agile and effective. We think it’s going to get much worse before it gets better. But most importantly, we are watching the implications of these new attacks and how they are – or not – raising awareness among IoT device makers.
TP: Have you seen an increasing awareness around IoT security, especially after the 2016 Mirai DDoS attack that compromised more than 300,000 IoT devices?
Davidi: We do see an increasing awareness over the past years, particularly over the past 12 months. And we do expect to see more awareness later on. As an example, we are already observing makers [of low-margin IoT gear] that two years ago didn’t really care about security measures starting to prioritize it. And they’re now taking IoT security even more seriously than the ones that sell the high-end products to businesses. So there is a shift. Companies are starting to understand that being transparent about the vulnerabilities is meaningful and that pushing patches to the field immediately has direct positive implications to their customers.
Click here for more Newsmaker Interviews and Threatpost discussions with top cybersecurity experts.