
INDUSTRY REPORT ● AUGUST 2017 ● www.asmag.com

Security IoT

The Internet of Things (IoT) has definitely become a dominant part of our lives. According to Gartner, 8.4 billion connected things will be in use worldwide in 2017, up 31 percent from 2016, and will reach 20.4 billion by 2020. While these devices have helped make homes, offices, buildings and even cities smarter, more and more people are asking: Are they secure?

Some recent examples illustrate why people have become wary of the security of network-connected devices. The rampant hacking of baby cams and monitors caused the New York Department of Consumer Affairs to issue an alert in January 2016. Verizon’s latest Data Breach Digest reported that at a certain college campus, connected vending machines and streetlamps were used as bots to slow down the university’s network. Finally, in October last year, IoT devices including network cameras and NVRs infected with the Mirai malware were also used to launch DDoS attacks against Dyn, an internet performance management company. The result was a shutdown of service across various websites including Netflix and Amazon.com.

According to the experts we spoke to, the security of devices found in the market varies. “Today’s IoT devices range from very insecure to very secure, which I don’t find surprising in an unregulated market,” said Adrian Sanabria, Director of Research at Savage Security. “There will always be businesses that, given the choice, will skip the added expense of making a product safe or secure.”

Today, more and more connected devices are online under the IoT framework. While this brings automation and convenience, it has also introduced new risks, particularly in the area of security. This column explores how industry experts and vendors address the security issues facing IoT devices.

BY William Pao

Mars Kao, Senior Engineer, Institute for Information Industry

Adrian Sanabria, Director, Research, Savage Security


Some Best Practices for IoT Security: An Alliance’s Perspective

With cybersecurity for networked devices becoming more important than ever, the Reston, Virginia-based Online Trust Alliance (OTA) has published its latest version of “The IoT Trust Framework,” a set of guidelines to help vendors design devices that are secure and more effective at countering cyberattacks.

“These updates incorporate key learnings from field testing, the evolving threat landscape and feedback from industry leaders and related efforts. Core to addressing the inherent security risks and privacy issues is the application of the principles to the entire device solution. These include the device or sensor, the supporting applications, and the backend/cloud services,” the paper said. “Serving as a risk assessment guide for developers, purchasers and retailers, the Framework is the foundation for future IoT certification programs. It is the goal of OTA to post and highlight devices which meet these standards to help consumers, as well as the public and private sectors, make informed purchasing decisions.”

The guide is divided into four categories — security principles, user access and credentials, privacy, disclosures and transparency, and notifications and related best practices — with must-dos and recommendations for each category. Here are some of the main points that the OTA listed in each category.

Security Principles

• All personally identifiable data in transit and in storage must be encrypted using current, generally accepted security standards.

• All IoT support web sites must fully encrypt the user session, from the device to the backend services.

• Establish coordinated vulnerability disclosure, including processes and systems, to receive, track and promptly respond to external vulnerability reports from third parties including but not limited to customers, consumers, academia and the research community.

• Must have a mechanism for automated safe and secure methods to provide software and/or firmware updates, patches and revisions.

Access and Credentials

• Include strong authentication by default, including providing unique, system-generated or single-use passwords, or alternatively using secure certificate credentials.

• Provide generally accepted recovery mechanisms for IoT application(s) and support passwords and/or mechanisms for credential reset using multifactor verification and authentication (email and phone, etc.) where no user password exists.

• Take steps to protect against “brute force” and/or other abusive login attempts by locking or disabling user and device support account(s) after a reasonable number of invalid login attempts.

Privacy, Disclosures and Transparency

• Ensure privacy, security and support policies are easily discoverable, clear and readily available for review prior to purchase, activation, download or enrollment.

• Conspicuously disclose what personally identifiable and sensitive data types and attributes are collected and how they are used.

• Disclose the data retention policy and duration of personally identifiable information stored.

• Only share consumers’ personal data with third parties with consumers’ affirmative consent, unless required.

Among other best practices listed by OTA are adoption of authentication protocols for end-user communications, including but not limited to email and SMS, to help prevent spear phishing and spoofing; and enacting a breach and cyber response and consumer notification plan to be reevaluated, tested and updated at least annually.


Authentication and Encryption

Vulnerabilities range from default passwords to weak web/app interfaces through which devices can be hacked. Data at rest or in motion may also be exploited. As such, IoT authentication and encryption will stand as two of the most important IoT security technologies to watch for.

Authentication grants access to those with the permission to do so through the use of usernames and passwords. While changing a device’s default password is a must, changing it repeatedly may not be so necessary. “Changing passwords often is actually not very important these days. Studies have shown that changing passwords frequently results in individuals choosing less secure passwords. Also, if a password hasn’t been compromised, changing it offers no real tangible benefit, especially when multifactor authentication (MFA) is in use. As for complexity, length is always more important than complexity, which is why passphrases should be used in place of passwords, along with MFA if available,” Sanabria said.

“Rather than asking the user to change passwords regularly, which is unrealistic, there should be a mechanism to prevent brute-force attacks,” said Mars Kao, Senior Engineer at the Taiwan-based Institute for Information Industry. “For example, upon failure to sign in three times, the system will lock the person for three minutes, and then make the lock-up time five minutes and one hour upon each subsequent failure.”
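The escalating lockout Kao describes, written out as an added example (not code from the article, III or any vendor): an account is locked for three minutes after three consecutive failures, and each further failure after a lock has expired escalates the lock to five minutes and then one hour, with a successful login resetting the counters. The class and method names, the injectable clock, and the reading that a single failure after an expired lock triggers the next duration are assumptions.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Escalating lock durations from Kao's example: 3 minutes, then 5 minutes, then 1 hour.
LOCK_SCHEDULE = (3 * 60, 5 * 60, 60 * 60)
FAILURE_THRESHOLD = 3  # consecutive failures that trigger the first lock


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success or lock
    lock_level: int = -1       # index into LOCK_SCHEDULE of the most recent lock
    locked_until: float = 0.0  # epoch seconds; 0.0 means never locked


class LoginThrottle:
    """Per-account brute-force throttle with escalating lockouts (assumed design).

    `now` is injectable so the policy can be tested without waiting; production
    code would leave it at time.time(). State is keyed by account only, so pair
    this with per-source-address limits so that a third party cannot lock out
    a legitimate user simply by sending wrong passwords for that account.
    """

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def seconds_locked(self, user: str) -> int:
        """Remaining lock time in whole seconds (0 when the account is open)."""
        remaining = self._state(user).locked_until - self._now()
        return max(0, int(remaining))

    def attempt(self, user: str, password_ok: bool) -> str:
        """Record one login attempt and return 'ok', 'denied' or 'locked'."""
        st = self._state(user)
        if self.seconds_locked(user) > 0:
            return "locked"  # rejected even when the password is correct
        if password_ok:
            self._accounts[user] = AccountState()  # full reset on success
            return "ok"
        st.failures += 1
        # Before any lock: count up to the threshold. Once a lock has expired,
        # every further failure escalates straight to the next, longer duration.
        if st.lock_level == -1 and st.failures < FAILURE_THRESHOLD:
            return "denied"
        st.lock_level = min(st.lock_level + 1, len(LOCK_SCHEDULE) - 1)
        st.locked_until = self._now() + LOCK_SCHEDULE[st.lock_level]
        st.failures = 0
        return "locked"
```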

Encryption, meanwhile, will also play an important role, protecting data that are at rest or in transit. “The level of encryption depends on how sensitive your data is and is usually divided into commercial grade and military grade. For commercial grade, encryption algorithms that haven’t been cracked are good enough. For military grade, AES-256 is ideal,” Kao said.

Sanabria, meanwhile, said encryption should be used with caution. “Encryption is important for protecting customer data. We see cases where the customer prefers to be sole owner of the private keys required to decrypt data, but there can be serious tradeoffs in convenience as a result. It all depends on the management architecture for the IoT devices. We increasingly see more and more cases where lost encryption keys cause bigger issues than the lack of encryption could have caused,” he said.

Making Video Surveillance More Cybersecure: A Vendor’s Perspectives

Cybersecurity has emerged as a big challenge for security players. Recent reports on hackers using cameras to launch DDoS attacks further underscore the importance of guarding against cyberattacks.

Best practices from changing passwords to encryption should be implemented to secure a user’s video system. That’s the point raised by Panasonic Business in its latest whitepaper titled “Just how secure is your video surveillance.” According to Panasonic, cybersecurity has become a serious issue as video surveillance migrates from analog to IP. “This problem was very unlikely to occur in the ‘old’ analog world since we already had a high level of security provided by separate networks and tapping and manipulation of data was (and is) very difficult,” it said. “The ever-growing proliferation of IP cameras makes the need to protect camera systems and the underlying network more and more important as knowledge regarding attack methods is becoming easier to obtain, especially over the internet.”

Among the common attack methods cited by Panasonic are backdoors — parts of software (often introduced by the author) that enable users to avoid the standard access security control to obtain access to a computer or IP camera — and errors in a camera’s operating system. “IP cameras are nowadays miniature high-performance processors with their own operating systems and software for image processing. Potential software errors and security gaps in the software of a camera can be exploited to launch attacks on the camera,” the whitepaper said.

And camera hacks can lead to dire consequences, contrary to what some users believe, Panasonic said. “We regularly hear from our clients that they believe their video cameras are of little relevance to outsiders and that therefore there is no danger associated with the IP cameras. However, it should be noted that cameras can indeed also indirectly provide vital information,” it said. “Any potential offender can see exactly when offices in a company are vacant and, in the easiest possible manner, discover through spying on habits and working hours practiced in a company or shop the best time for carrying out a burglary or raid with minimum risk. Even more critical are instances of video data from the private sphere becoming public. Nobody wants to be filmed when at home on the couch or when engaged in other private matters.”

To this, Panasonic made several recommendations, including immediately changing the standard password when setting up a camera; notifying users of update options; encrypting all data transferred between camera, recorder and VMS; installing a virus scanner in all video systems to detect changes in the network without delay; checking the firewall policies and open ports; and using data verification to detect changes in the user’s network. The company added its solutions come with the following features: password protection that no longer allows the cameras to be operated with the default password; full encryption of data transfers between cameras, recorders and the VMS; and provision of certificates to customers who have encapsulated source code that enables very fast data encryption (17 ms in comparison to OpenSSL with 43 ms).

Vendors’ Role

Given the threats that IoT devices are subject to, users expect vendors to do more to make their products secure. To this, Sanabria has the following suggestions.

• Use certificates for authorization/authentication where possible. Where it isn’t possible, use multifactor authentication along with the standard username/password combination.

• Don’t ship or sell devices with default credentials.

• Hire a third-party specialist to perform due diligence on a product before selling it. This is key, as we often see the same mistakes made again and again, so an organization that specializes in due diligence is likely to find the most common issues more quickly than an internal team might.

What Users Should Do

As cybersecurity is a two-way street, it should be practiced by vendors and users alike. According to Kao, users can protect themselves through a product selection approach and a technical approach. “On the product selection side, users can ask several questions, for example does it require authentication or is it cloud-based so the use of password is not required, how strong is the encryption, and whether an activity log can be provided if someone else has tried to log in to the system,” he said. “Then, from the technical side, users should change the default password and set the authorization levels so that different users have access to different data.”

Sanabria, meanwhile, has the following advice:

• Perform network scans against devices from internal and external networks (if applicable). It is important to understand the device’s attack surface. Also check infrastructure scanning tools like Shodan and CENSYS.

• Consider past attacks and vulnerabilities related to IoT devices and explore those same scenarios against your devices to see how they hold up.

• Don’t consider only preventative controls — detective controls, the ability to respond to and recover from an attack are even more important.

• Do your due diligence with the vendor, and ask questions like: Has this product been tested by a third party for security vulnerabilities? Can we review the findings? And what’s your average vulnerability response time and time-to-fix on a vulnerability?


Taiwan Institute Announces Draft Standard on Cybersecurity for Video

Taiwan’s Institute for Information Industry (III) recently announced the draft standard on cybersecurity for IP video surveillance, seeking to help local manufacturers develop cybersecure products for overseas markets.

Taiwan’s Institute for Information Industry (III) recently announced the draft standard on cybersecurity for IP video surveillance, seeking to help local manufacturers develop hardened, cybersecure products as they export to overseas markets. The draft proposal, announced in a news conference on July 27, was co-developed by III and the Taiwan Association of Information and Communication Standards, which joined forces with vendors, government agencies and academia to work on a topic that officials of the organizations said has become one of the most pressing issues facing the industry in the era of IP video as well as the Internet of Things.

Cybersecurity has gained the attention of security players across the world, especially after a spate of recent incidents. At the end of last year, hackers exploited vulnerabilities in networked devices, including certain IP camera models, and used them to launch DDoS attacks against major web hosting services, resulting in service shutdowns across major web services such as Amazon.com and Netflix. This has created a rippling effect across the industry, prompting calls for users and vendors alike to exercise best practices against cyberthreats. Against this backdrop, III announced the draft standard in the hope of providing a set of guidelines for Taiwan vendors, most of whom compete in overseas markets where users attach great significance to cybersecurity.

According to III, it is looking to publish the official standard towards the end of the year. The standard initially covers video surveillance and equipment under it, including IP cameras, NVRs and NAS, and will eventually be extended to other IoT devices, the institute said. The draft standard is roughly divided into the following sections, and requirements under each section are summarized as follows:

Operating system

• The camera shall leave on only ports that are for necessary web services.

• The camera must have a firmware upgrade mechanism, and all upgrades must be encrypted.

• The web interface should not contain any of the top ten risks listed under the Open Web Application Security Project.

Transmission

• The transmission of data between the camera and other devices must be encrypted, and the strength of encryption must conform to internationally recognized guidelines.

• The camera shall not have wireless settings that are deemed unsafe.

Authentication

• The default password for each IP camera from the manufacturer must be different.

• The vendor must require the user to change the default password upon initial setup.

• Different access levels must be set for accessing resources within the camera.

Privacy

• When recording, some form of reminder should be given.

• Data stored in the camera must be encrypted.

• Accessing data in the camera should only be granted to those authorized to do so.
