A recent report highlighted by the National Cyber Security Centre uncovered a 37% increase in supply chain attacks in the previous year. Unsurprisingly, this increase coincides with a growing demand to integrate Internet-of-Things (IoT) and Industrial IoT (IIoT) devices into company networks. Supply chain corruption via (I)IoT is an area that demands further research and attention.
IoT is a popular market for vendors to enter and deliver services. To offload the difficulty of standing up a full IoT environment, vendors often rely on turnkey frameworks: pre-built hardware, firmware, software development kits, and cloud resources that let a vendor bring a product to market rapidly. These pre-packaged environments significantly reduce a vendor's research and development costs and time to market. One example is the Apexis camera platform: a vendor can purchase an Apexis camera and its associated framework and then apply its own branding.
While turnkey frameworks offer several advantages, they introduce significant risk. Outsourcing the development of your entire architecture to a third-party turnkey provider gives an attacker several vantage points from which to corrupt the supply chain. An attacker could insert a backdoor into the cloud-based CDN servers, hard-code credentials into the firmware, or add an undocumented and unintended API for accessing devices.
IoT supply chain corruption can be the result of naive or malicious actors. A nation-state attacker could, for example, ask a turnkey provider to insert backdoors for covertly accessing deployed devices. A naive turnkey provider, in contrast, could simply introduce vulnerabilities while rapidly developing a solution.
About eight months ago, for example, our Florida Tech IoT S&P research lab identified a vendor that had deployed a turnkey solution with hard-coded credentials. As we reverse-engineered the code and tested the device, we further determined that the device did not log when a remote attacker logged in with the hard-coded credentials.
Our initial research identified a vulnerability in a single doorbell branded by Geeni. Our subsequent research, however, uncovered that the Geeni product was based on the Apexis APM-H803-MPC turnkey platform. Searching Shodan for other vendors' devices exhibiting the same vulnerability yielded over 5,000 non-Geeni-branded devices running the same Apexis board and software.
While this is just one turnkey provider, it illustrates what could happen with a malicious vendor who chooses to pivot through (I)IoT, gain access to internal networks, and stay hidden.
These turnkey frameworks abstract away the supply chain of the devices. While consumers may believe they are buying a product from a US-based company, the product may have been assembled by the turnkey provider from components sourced from a variety of platforms.
Not every instance of (I)IoT supply chain corruption is deliberate. It can arise in two different ways: a naive provider ships a flaw by mistake, or a malicious one inserts it on purpose.
While IoT standards are beginning to emerge with NIST SP 800-213, few regulatory controls exist to hold vendors accountable for conforming to them.
Our lab recently analyzed a Kangaroo security camera sold in Walmart stores. The camera ran a telnet server that allowed unauthenticated root access to the device. An attacker could use this access to retrieve stored recordings and user configuration settings. Our team analyzed the firmware for indicators of how this occurred. We believe the developer enabled this access for testing during development and failed to disable it in the production build.
The developer neither intended the bug nor attempted to obscure it, which leads us to believe this was a lack of quality assurance rather than malfeasance.
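The two defects described above, credentials baked into a firmware image and a telnet service that hands out a root shell with no login, are both visible in an extracted root filesystem before the device is ever powered on. The following triage script is an added illustration of that check; it is not code from our lab or from any vendor, and the sample filesystem it scans (file paths, accounts, hashes, init lines) is constructed for the example. It assumes a BusyBox-style layout (`etc/passwd`, `etc/shadow`, `etc/inittab`, `etc/init.d/rcS`), where BusyBox's `telnetd -l PROGRAM` runs PROGRAM on connect instead of `login`, so `-l /bin/sh` means no authentication at all.

```python
"""Triage an extracted IoT firmware root filesystem for credentials baked into
the image and a telnet service that drops straight into a shell. Added
illustration; not code from the Florida Tech lab and not tied to any real device."""
import re
from typing import Dict, List

Finding = Dict[str, str]

# Constructed sample of an extracted rootfs as {path: contents}. Every account,
# hash and init line here is invented for the example.
SAMPLE_ROOTFS: Dict[str, str] = {
    "etc/passwd": (
        "root:x:0:0:root:/root:/bin/sh\n"
        "admin:x:0:0::/home/admin:/bin/sh\n"      # a second uid-0 account
        "nobody:x:99:99::/:/bin/false\n"
    ),
    "etc/shadow": (
        "root::0:0:99999:7:::\n"                  # empty password field
        "admin:$1$salt$FAKEHASH0123456789ab:0:0:99999:7:::\n"  # static hash in the image
        "nobody:*:0:0:99999:7:::\n"               # locked, no password login
    ),
    "etc/inittab": (
        "::sysinit:/etc/init.d/rcS\n"
        "::respawn:/sbin/telnetd -l /bin/sh\n"    # telnet straight into a shell, no login
    ),
    "etc/init.d/rcS": "#!/bin/sh\nmount -a\n/usr/bin/ipcam_main &\n",
}

BOOT_FILES = ("etc/inittab", "etc/init.d/rcS", "etc/rc.local")
TELNET_RE = re.compile(r"\btelnetd\b(?P<args>[^\n]*)")
SYSLOG_RE = re.compile(r"\b(syslogd|rsyslogd|klogd)\b")


def parse_passwd(text: str) -> Dict[str, int]:
    """Return {user: uid} from passwd-format text, skipping malformed lines."""
    users: Dict[str, int] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users[fields[0]] = int(fields[2])
    return users


def parse_shadow(text: str) -> Dict[str, str]:
    """Return {user: password_field} from shadow-format text."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            out[fields[0]] = fields[1]
    return out


def is_locked(pw: str) -> bool:
    # In shadow(5) a field of '*', '!' or anything starting with '!' disables
    # password login; any other non-empty field is a real hash.
    return pw in ("*", "!", "!!") or pw.startswith("!")


def check_credentials(rootfs: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    for user, uid in parse_passwd(rootfs.get("etc/passwd", "")).items():
        if uid == 0 and user != "root":
            findings.append({"severity": "high", "check": "extra-uid0",
                             "detail": f"account '{user}' has uid 0"})
    for user, pw in parse_shadow(rootfs.get("etc/shadow", "")).items():
        if pw == "":
            findings.append({"severity": "critical", "check": "empty-password",
                             "detail": f"account '{user}' has no password"})
        elif not is_locked(pw):
            # A hash shipped in the image is identical on every unit sold:
            # a hard-coded credential, whatever the vendor calls it.
            findings.append({"severity": "high", "check": "static-hash",
                             "detail": f"account '{user}' has a fixed hash in the image ({pw[:10]}...)"})
    return findings


def check_boot_services(rootfs: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    # Only live (uncommented) init lines count; '#::respawn:telnetd' is disabled.
    live = [ln for path in BOOT_FILES for ln in rootfs.get(path, "").splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]
    boot_text = "\n".join(live)
    for m in TELNET_RE.finditer(boot_text):
        args = m.group("args")
        if re.search(r"-l\s+\S*/sh\b", args):
            # BusyBox telnetd -l names the program run on connect; a shell here
            # means no login prompt at all, the pattern seen on the Kangaroo camera.
            findings.append({"severity": "critical", "check": "unauth-telnet",
                             "detail": f"telnetd runs a shell with no login: telnetd{args}"})
        else:
            findings.append({"severity": "medium", "check": "telnet-enabled",
                             "detail": f"telnetd started at boot: telnetd{args}"})
    if not SYSLOG_RE.search(boot_text):
        findings.append({"severity": "medium", "check": "no-syslog",
                         "detail": "no syslog daemon started; logins would leave no record"})
    return findings


def triage(rootfs: Dict[str, str]) -> List[Finding]:
    """Run every check and return the combined list of findings."""
    return check_credentials(rootfs) + check_boot_services(rootfs)


if __name__ == "__main__":
    for f in triage(SAMPLE_ROOTFS):
        print(f"[{f['severity']:>8}] {f['check']:<15} {f['detail']}")
```

Run against the constructed sample, the script reports the empty root password, the second uid-0 account, the static hash on `admin`, the login-less telnet service, and the absence of any syslog daemon, which is why a login through such an account leaves no trace. Against a real image you would point it at the directory produced by your firmware extraction tool and read the same files from disk; the `no-syslog` check is a heuristic, since a device may log through some other path.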
In contrast to the naive example, malicious actors attempt to conceal their backdoors from discovery. An attacker may manipulate log files, enable a service only upon receiving a specially encoded message, or purposely insert a remotely exploitable vulnerability.
Congress included a provision in the National Defense Authorization Act for Fiscal Year 2019 (enacted in August 2018) banning the use of video surveillance equipment from specific vendors suspected of state-sponsored espionage. Section 889 of that NDAA prohibits federal procurement of equipment from Hikvision, among other named vendors; Hikvision has a track record of vulnerabilities. While Hikvision sells Hikvision-branded cameras, it also offers turnkey frameworks for rebranding and resale.
Security and privacy concerns present the most significant obstacle to the widespread adoption of (I)IoT devices. Nobody wants their recorded smart-speaker conversations to appear on the front page of the New York Times, nor their security camera recordings to end up on a billboard in Times Square. Without regulatory assurances that companies have considered security and privacy in their build process, consumers are left exposed to these concerns.
Even well-branded companies with a strong reputation have had concerning incidents.
One example is ADT, a security company with a lengthy history of installing home security systems. An ADT technician recently pleaded guilty in federal court to hacking customer security feeds. He used his access to view the camera feeds of 221 victims over four years, violating their privacy more than 9,600 times before ADT identified his malfeasance. This incident raises a significant concern: ADT should have had a system in place to identify this anomalous behavior much earlier. Internal controls and continuous monitoring are essential components that appear to have been lacking.
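The control the ADT case calls for is not exotic: every time an employee opens a customer's feed, record who, whom and when, and reconcile those events against the service tickets that are the only legitimate reason to look. The script below is an added illustration of that reconciliation, not ADT's system or any description of it; the log format, the ticket records, the technician names and the 07:00 to 19:00 UTC support window are all constructed assumptions for the example.

```python
"""Reconcile camera-feed access events against service tickets and surface
technicians viewing feeds with no business reason. Added illustration; the log
format, tickets and names are invented, not ADT data."""
import re
from datetime import datetime, timezone
from typing import Dict, List

# Constructed feed-access audit log: one line per time a technician opens a
# customer's live or recorded camera feed.
SAMPLE_LOG = """\
2020-03-04T09:10:00Z tech=amy customer=C0012 action=view_feed
2020-03-04T09:40:00Z tech=amy customer=C0012 action=view_feed
2020-03-05T14:02:00Z tech=bob customer=C0045 action=view_feed
2020-03-05T23:15:00Z tech=bob customer=C0045 action=view_feed
2020-03-06T02:11:00Z tech=bob customer=C0077 action=view_feed
2020-03-06T02:30:00Z tech=bob customer=C0078 action=view_feed
2020-03-07T02:12:00Z tech=bob customer=C0045 action=view_feed
"""

# Constructed service tickets. A feed view is authorized only if the same
# technician holds a ticket for that customer covering the day of the view.
SAMPLE_TICKETS = [
    {"tech": "amy", "customer": "C0012", "opened": "2020-03-04", "closed": "2020-03-04"},
    {"tech": "bob", "customer": "C0045", "opened": "2020-03-05", "closed": "2020-03-05"},
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) tech=(?P<tech>\S+) customer=(?P<cust>\S+) action=(?P<action>\S+)$")
BUSINESS_HOURS = range(7, 19)  # assumed support window, 07:00-18:59 UTC


def parse_log(text: str) -> List[dict]:
    """Parse the constructed log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "tech": m["tech"], "customer": m["cust"], "action": m["action"]})
    return events


def has_ticket(event: dict, tickets: List[dict]) -> bool:
    """True if a ticket for this tech and customer was open on the day of the view."""
    day = event["ts"].strftime("%Y-%m-%d")
    return any(t["tech"] == event["tech"] and t["customer"] == event["customer"]
               and t["opened"] <= day <= t["closed"] for t in tickets)


def review_access(events: List[dict], tickets: List[dict]) -> Dict[str, Dict[str, int]]:
    """Per technician: total feed views, distinct customers viewed, views with
    no covering ticket, and views outside business hours."""
    summary: Dict[str, dict] = {}
    for ev in events:
        if ev["action"] != "view_feed":
            continue
        s = summary.setdefault(ev["tech"], {"views": 0, "customers": set(),
                                            "no_ticket": 0, "after_hours": 0})
        s["views"] += 1
        s["customers"].add(ev["customer"])
        if not has_ticket(ev, tickets):
            s["no_ticket"] += 1
        if ev["ts"].hour not in BUSINESS_HOURS:
            s["after_hours"] += 1
    return {t: {**s, "customers": len(s["customers"])} for t, s in summary.items()}


def flag_technicians(summary: Dict[str, Dict[str, int]], max_unticketed: int = 0) -> List[str]:
    """Technicians whose unticketed views exceed the allowed count. The
    threshold is a policy choice; zero here, because a feed view with no
    ticket has no business justification at all."""
    return sorted(t for t, s in summary.items() if s["no_ticket"] > max_unticketed)


if __name__ == "__main__":
    summary = review_access(parse_log(SAMPLE_LOG), SAMPLE_TICKETS)
    for tech, s in summary.items():
        print(tech, s)
    print("alert:", flag_technicians(summary))
```

On the constructed data, `amy` views one customer twice during an open ticket and is clean; `bob` views three customers, three of his five views have no covering ticket (one is a revisit two days after his ticket closed) and four fall in the middle of the night, so he is flagged on the first unticketed view rather than the 9,600th. The two counts are deliberately separate: an unticketed view is a policy violation on its own, while after-hours access is only a supporting signal, since legitimate emergency work happens at night too.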
One factor in calculating risk is the set of sensors on each IoT device. IoT devices present an attractive spying target because their sensors collect auditory, visual, or environmental data about the victims. Microphones, cameras, and motion sensors can allow an attacker to see and hear through the concrete and wood of our homes or businesses.
Another risk consideration is the actuators on (I)IoT devices. An attacker who compromises a thermostat can manipulate the temperature. Energy companies have already been observed adjusting customers' thermostats to avoid blackouts; in IIoT the stakes are much higher. Imagine the impact on a farmer whose crops are watered by an internet-connected sprinkler system under an attacker's control.
We must understand the attack surface in order to reduce it. While our companies may rely on (I)IoT for specific applications, we must continuously test and monitor those devices' attack surfaces to understand the risk they carry. Red teams can proactively hunt for these threats on our networks, model how vulnerable IoT devices introduce risk, and recommend network segmentation approaches to isolate that risk.
Visit our website for more about our Florida Tech IoT S&P Lab
TJ O’Connor, Ph.D., LTC (Ret)
Ph.D., Computer Science, NC State University, 2019.
M.S., Computer Science, NC State University, 2008.
B.S., Computer Science, US Military Academy at West Point, 1999.
Dr. O’Connor’s research has centered on computer security with an emphasis on internet-of-things security, machine learning approaches for security, software-defined networking, information security education and wireless security. He has authored a book in the area and published his research in the proceedings of several academic conferences. His latest work investigated sensor blinding and state confusion attacks against internet-of-things devices and was recognized as the best paper for WiSec 2019.