SAN FRANCISCO – Low prices and firms racing products to market are two of the biggest factors when it comes to why Internet of Things devices are not getting the type of security do diligence they deserve. According to Checkmarx researcher Erez Yalon, despite years of the infosec community sounding the IoT security alarms, things haven’t improved.
He said, smart devices are still too easy a target with vectors such as man-in-the-middle attacks. Case and point, in February Checkmarx discovered a bevy of flaws in a consumer smart scale that could allow hackers to launch a variety of attacks, from man-in-the-middle to denial of service.
Threatpost talked to Yalon, who heads up Checkmarx’s security threat research group, about how he thinks IoT security flaws will continue to evolve – and whether manufacturers will begin to feel any pressure to better secure their connected devices.
“We see less and less man-in-the-middle effects in web apps. It has slowly moved to mobile and now it’s in IoT,” he said. “Some technologies like web and mobile applications are starting to have some sort of standards or ways to mitigate these issues. In IoT we don’t see that yet.”
** What follows is a transcript of the interview **
Lindsey O’Donnell: Hi, everyone. I’m Lindsey O’Donnell with Threatpost and I’m here today with Erez Yalon, the head of the Checkmarx cyber security [research] team. Erez, thanks so much for joining us today. How is your RSA going?
Erez Yalon: Well, it’s fun. It’s exciting.
Lindsey O’Donnell: Yeah, it’s always fun. For people who don’t know you, can you give us a brief introduction about yourself and your background?
Erez Yalon: Sure. As you said, my name is Erez Yalon. I’m the head of the security research at Checkmarx, a software security company. My group of researchers… I have the privilege of working with really topnotch researchers every day in several teams around the world. We’re doing both research that is about the products we make, the solutions we make to make them better, and also just to see what’s going on out there, what’s going on in the situation of security in the field.
Lindsey O’Donnell: Great. Well, speaking of the situation of security, IoT security has been something that you guys have written about and done a lot of research on. One security report, in general, that you guys have discussed a couple of months ago was a smart scale you guys found a couple of vulnerabilities in. I think it was manufactured by AEG.
Erez Yalon: Yeah.
Lindsey O’Donnell: Just to start off, can you tell us a little bit about that research and how it relates to IoT security trends that we’re seeing as a whole?
Erez Yalon: Yeah, sure. IoT is basically software that runs something else, runs a thing. The reason that we’re currently putting our focus on IoT in general is that it happens that every time we touch any IoT device, it ends up breaking.
Lindsey O’Donnell: Right.
Erez Yalon: We were waiting for this trend to stop, but it didn’t happen yet. This specific issue you’re mentioning, it was an AEG Smart Scale, which was supposed to be very comfortable, an addition to the life of someone who was trying to take care of their health, I guess.
Actually, it was doing that work but along the way, we saw some vulnerabilities in the technology embedded in it, both in the way that Bluetooth was implemented and both in the way that the application that was not written by AEG but by a third party, the way it was communicating with the databases, which were storing the information. When we talk about information, we actually saw a lot of information that was a bit weird to us to see in the Smart Scale, for example, exact location of the user, the exact I.D. of the device, the network device, etc.
Lindsey O’Donnell: That’s a lot worse than just weight.
Erez Yalon: Yes, of course. When we checked the actual root of the technology, we noticed that it was not done in a safe way and we could crash the device, which is something that we call a denial of service. Well, it’s not really dangerous but it’s really annoying, especially when, to overcome it, you need to extract the battery or allow it run down and then you lose all the information you already installed on it. It does not make it smart anymore.
Lindsey O’Donnell: Right.
Erez Yalon: It’s just a regular scale. When we came to the application itself and noticed that there were just so many personal data, we decided to go a bit deeper in that. We noticed that a lot of that information that goes back to the servers is just not encrypted and can be detected by anyone. This is what we call a man-in-the-middle effect.
Lindsey O’Donnell: Is that fairly common with IoT devices that you’re seeing, particularly in the smart home? I feel like those have big privacy implications if they are breached or if there is a security issue with them.
Erez Yalon: Absolutely. I think we see less and less man-in-the-middle effects in web apps. It has slowly moved to mobile and now it’s in IoT. We actually see this trend… Well, some technologies like web and mobile applications are starting to have some sort of standards or ways to mitigate these issues. In IoT we don’t see that yet.
In IoT, it seems like everyone is just trying to ship out their device and then, yes, we see the same old mistakes again and again. Man-in-the-middle is just one of them. When you have the device constantly on you that knows everything you do, knows where you are, this may be a problem.
Lindsey O’Donnell: Right, so how is the process of disclosure for the manufacturer and going off that, how typically is it talking to these IoT manufacturers when you find a security flaw?
Erez Yalon: I don’t think I can say anything typical about that. We’ve got everything between accusations that we’re wrong and then they checked and saw we were right. We’ve got people not picking up their phone or answering emails and we’ve got some really good teams responding quickly and fixing everything. I cannot tell you, really, about the typical way.
In this specific case, AEG gave us a generic response that they would take care of what they need to take care of. We contacted the software manufacturer, which we found is a third party in China, which means that they actually keep all the details and all the private details in a server in China. We contacted them and they said that there is absolutely no problem and everything is okay.
We noticed, after a couple of weeks, they changed the traffic to be encrypted. We managed to see that they still are sending all the information, but now it’s encrypted.
Lindsey O’Donnell: Interesting.
Erez Yalon: They had an interesting way of remediating this.
Lindsey O’Donnell: I feel like that’s a really interesting point, though, because between the hardware, the software, kind of the web development piece of it or the app development piece of it, there are so many different vendors and manufacturers that go into IoT solutions and products. Do you find yourself chasing down multiple vendors or what kind of issue does that present when it comes to security vulnerabilities?
Erez Yalon: Well, yeah, we actually chase multiple vendors. The reason is that we want the issues to be solved. We don’t want to just tell them, “Listen, you have a problem,” and then go away. We try to be the good guys. We try to do some disclosure, responsible disclosure, when we can. When we see that the main vendor is not responsive enough, we try to contact the third party. Usually these third parties give their services to others. For example, the vendor that was working with AEG we noticed works with Texas Instruments and others as well, so if we can get to the bottom of it and find the reason for it, we will try to make it better.
Lindsey O’Donnell: Say I am an IoT manufacturer. What would be your first steps for me to secure my device, just at the very simplest level?
Erez Yalon: Okay, so the knowledge is out there. It’s not something that is not solved yet or not fully thought through. If your developer decided not to implement encrypted traffic, it’s not about the technology. It’s either lack of knowledge or either lack of time thinking about it or problems in architecture. The solutions are out there. After all, it’s software and the all the parts, also, they have standards for security.
I think the reasons that IoT is going out vulnerable these days is probably the pace that vendors feel that they need to ship out things. Also, the price needs to be very competitive. Security always gets the hit when you talk about budgets.
Lindsey O’Donnell: Right. That makes sense. I feel like we’re seeing more and more very cheap IoT devices hit the market that have that cool factor but may not have that security factor. Looking ahead, what do you see as the future of IoT security? Do you see any solutions on the horizon or just more problems?
Erez Yalon: Okay, the bottom line is I see more problems, definitely. IoT is everywhere at the moment. I don’t think any of us can imagine their lives without IoT. If it’s watches, small clocks, all the home assistance, so it’s there and it’s there to stay. The thing is that it makes the tech surface for attackers way, way bigger than it used to be. If vendors are not going to make sure that they’re delivering safe software, safe IoT, things will not get better.
Also, well, I see the full responsibility of shipping out a safe product from the vendors, obviously, but I think us, as users, need to know that the risk is very clear and it’s out there. We need to be sure that we want these devices to have all these private details about ourselves.
Now although vendors are not doing illegal things, they do not take details from us that we’re not supposed to know because there is the end user license agreement, of course, on every product, but I think that users should try and choose and pick IoT devices that have license agreements that can be tweeted, very short.
Lindsey O’Donnell: Right. Well, I’m curious to see if there will be any sort of regulation or pressure even just from the customer, like you said, on IoT vendors in the future, so something to look out for, I guess.
Erez Yalon: Yeah.
Lindsey O’Donnell: Erez, thank you so much for joining us here at RSA.
For all Threatpost’s RSA Conference 2019 coverage, please visit our special coverage section, available here.