RSA Conference 2019: The Expanding Automation Platform Attack Surface | Threatpost

SAN FRANCISCO – Automation platforms are increasingly being used to chain multiple IoT devices together to create user-friendly smart applications – but that’s also creating unpredictable attack surfaces that can be hard to manage.
A Trend Micro report released at RSA Conference 2019 warns that these types of complex IoT environments, which can involve a mix of local standalone servers, cloud-based servers and virtual assistant-based servers, are opening new risks for smart buildings. Attackers could compromise this infrastructure to spy on users and steal data, or to carry out physical attacks, like unlocking doors at a smart facility.
Threatpost talked to Greg Young, vice president of cybersecurity at Trend Micro, and Stephen Hilt, senior threat researcher at Trend Micro, about the biggest threats in the smart home and automated complex environments.

** What follows is a transcript of the interview **

Lindsey O’Donnell: Hi everyone. This is Lindsey O’Donnell with Threatpost at RSA, and I’m here today with Greg Young and Stephen Hilt with Trend Micro. Thank you guys for joining me today.

Stephen Hilt: Thanks for having us.

Lindsey O’Donnell: Just to start off, can you guys introduce yourselves and give some background on your roles with Trend Micro for the audience?

Stephen Hilt: I’m Stephen Hilt, I’m a senior threat researcher within Trend Micro Research. My day-to-days are normally doing general security research, looking at, in a lot of cases lately, IoT research and how attackers and several criminals might be abusing IoT devices in the near future.

Lindsey O’Donnell: Great.

Greg Young: And Greg Young, vice president of cybersecurity with Trend Micro. My role is mostly on outreach with clients on security trends and the like.

Lindsey O’Donnell: Great. So, you guys at RSA have unveiled a new IoT report that talks a bit about smart homes and the different security issues that are in these smart homes and complex IoT environments. Can you tell us a little bit about the report and what the key takeaways are from that?

Stephen Hilt: We released a report about, as we define it, complex IoT environments, which is an amount of IoT devices that are in your house or your business or anything like that and how when you start adding all these devices together, the complexity of the systems themselves become sometimes very daunting and overwhelming, especially as you try to build automation into these to have them be more automated. You build very complex rule sets and logic that we took a lot of time to look at and try to figure out how an attacker could abuse the logic.

Lindsey O’Donnell: So, what are a couple of attack factors that you guys came across? What’s the impact there?

Stephen Hilt: Yeah, so what we really tried to do was take a couple of examples of attacking the logic, for an example. So one of the things that I really like doing in this was, we had a smart lock and cameras, and what I was able to do was partner the smart lock and the cameras to make an attack. What we did was, on motion of a camera, unlock the door. So, if an attacker had access to the logic and was able to write such a rule, all he’d have to do is walk by the camera and the door would unlock for him just to walk in.

Lindsey O’Donnell: Right. That’s so interesting because I feel like all these different smart home connected devices are all interconnected in their functionalities at this point.

Stephen Hilt: Yeah, they’re just becoming more and more connected – and you really want them to be connected so you have an easier life, otherwise why would you have them?

Lindsey O’Donnell: Right. What did you guys find in terms of how easy it would be to carry out some of these attacks on smart home devices?

Stephen Hilt: We really looked at the automation servers that control all the devices themselves. And so at the initial part of the research, a lot of the devices themselves didn’t support very good authentication and was more open authentication where you could just go to the website of the home automation platform and be able to just go to it and be able to control things directly. You can click on a button to unlock a door, turn on lights, view the cameras, things like that. All that was there.

Over the course of the research that we did there have been updates to these platforms, and they do more and more authentication – and more and more proper authentication. So it’s an evolving, very quick field and they’re trying to address security concerns pretty rapidly as they’re trying to push it forward pretty quickly.

Lindsey O’Donnell: That’s really interesting. I feel like another piece of connected devices is, there’s so many different pieces to them, from hardware to software to the app development piece of it. What would you say, if it’s possible to pinpoint, is there a certain piece of an IoT solution that’s more easily vulnerable than others, or is it kind of across the spectrum?

Stephen Hilt: It’s how you implement all these things together and then how you present them. In a lot of the cases, the insecurities come from them accidentally being exposed to the internet. Yes, they’re insecure on your own network but the attack footprint’s smaller. Somebody has to already be on your network. So we also recommend that you segment these things and even in your home to having a separate network where these devices are so you would greatly reduce the amount of probability of attacks.

So, when you start decoupling all those things and you can make it, the amount of people doing home automation versus the amount that’s actually exposed on the internet, I feel that it’s a pretty good number that are accidentally being exposed because people want to see them on the Internet. But we need to make sure it’s being authenticated and we’re keeping them up to date, because in a lot of cases these people, the people running these systems, are updating the systems. Once you have them up and running, you keep it static so you don’t have to do constant changes.

Because even some of the times when I run an update on mine, things break and I have to rewrite some of the rules or change some things or how things are working.

Lindsey O’Donnell: I’m curious, too, in terms of the users of these devices. What kind of user awareness do you see when it comes to IoT security? Do you think that there’s any sort of concern there or is it still kind of –

Stephen Hilt: Yeah.

Lindsey O’Donnell: Yeah?

Stephen Hilt: If you go through the forums, people care about security. Most of these platforms have a very active community base, and a lot of people have really good security mindsets, so if somebody copies and pastes a configuration, and it has some sensitive information, people are already out there saying you need to change that post so [the information is] not out there, and these are the reasons why you wouldn’t want to post it that way.

There’s a lot of people who are very security conscious in these groups and everyone’s trying to make it better and more secure as we go.

Lindsey O’Donnell: Right. I feel like another piece of it too is the fact that in the smart home there’s an aspect of privacy so it’s not just, you know, DDoS attacks or other main security issues, it’s also eavesdropping or spyware or other things.

Stephen Hilt: Yeah, yeah. One of the things we talk about in the paper is the ability to also abuse the logic for spying. So what we did was we made a notification rule that when there was motion on cameras, upload pictures of it to a Slack that we controlled. Of course, this was in a lab, in our tests, but we could do this on any of the ones that were exposed to the point where I had the ability to change the logic.

Lindsey O’Donnell: That’s creepy.

Stephen Hilt: Yeah.

Lindsey O’Donnell: For sure. So, looking ahead when we’re thinking about IoT security in general, where do you see IoT security going? Do you think that it’s going to get better, do you think it’s only going to get worse from here? I’m curious about your thoughts on that.

Greg Young: I think a lot of the security’s going to stay the same, it’s just there’s going to be a whole lot more of it. So today, there’s about a billion devices being added every year and generally, they’re insecure. When you add the controllers on top of it there’s a whole kind of infrastructure that can be attacked now.

Definitely for buyers, they can make selections; there are some products that are going to be more secure than others. It won’t always be the cheapest one – it probably won’t be – so you can use your dollars to try to find one where there is some security talked about or added there.

There’s some other trends though such as, for example, cryptomining, so there’s always the privacy concern that we’re worried about cameras that are in our home or if somebody, you know, knowing too much about us. But instead, they’re using these other trends such as using device resources to mine for Bitcoin. Well, instead of attacking you or invading your privacy, I’m just going to do that. Or if you’re a work-at-homer, I’m going to go after your corporate information through your weak home network rather than going after that crusty, hard, difficult to attack corporate network.

So those I think are probably the two biggest ones.

Lindsey O’Donnell: That’s a really good point about cryptomining and I feel like attackers are really kind of evolving their techniques, too. That’s a really good point.

Yeah, and we know as well that the investment in security is really hard for a lot of IoT devices. The controllers, they’re evolving, definitely more so. But the devices, for example, one manufacturer I know they make a chip 10 cents each. If they kept the development teams so they could patch it, it would be 12 cents a chip. The competitors sell for 11. So if they go secure, they’re out of business. So it’s a really hard choice for them to make, and the obvious one is they’re going to stay in business and hope somebody else secures their stuff for them.

Lindsey O’Donnell: That is kind of a catch-22, but when you’re thinking about the future, do you think that there’s going to be more regulation or pushback from actual users or do you think that it’s going to have to be something else?

Greg Young: I think it’s going to be just recognizing these devices are insecure and surrounding them. So like Stephen said you’re going to segment them, you’re going to surround them with good security, you know, secure your router. You can patch things virtually using things like intrusion prevention systems to protect them. Even if you can’t patch this device, you can at least protect them. I think that’s where the future is.

I don’t think standards are going to help us. I was at one roundtable in the Middle East where there’s oil producers and they all were hoping standards would fix it because that would be the least expensive path. But, you know, I think it’s you spend correctly, you buy secure solutions and you get more involved in the devices in your home.

Lindsey O’Donnell: I’m curious: If I am a consumer and I have a house full of smart technology, what are the steps that I could take to secure this from a very high level?

Greg Young: One is get a controller that has security involved. In Stephen’s report there’s a really good chart of some of the capabilities and who’s involved there, and they dig even further into this. That’s one.

The next one is paying attention to what’s going on in your network. So we all have a router in our home, most people don’t pay attention to the log or update it or the like. So getting more involved there I think is important.

And last is updating things and paying attention to the new ones that you buy to make sure they’re more secure.

Lindsey O’Donnell: Great. Well, those are good pieces of advice to keep in mind. Greg, Stephen, thank you so much for joining us today at RSA.

Greg Young: Good.

Greg Young: We’re attacking your home while you’re here right now.

Lindsey O’Donnell: Uh-oh.