A watchdog continuously searches for newly reported vulnerabilities and security alerts. It monitors forums and company websites. Vulnerabilities are not uncommon and they will not go away: they appear again and again because software is constantly evolving.
Let's define the cybersecurity sector as tech-enabled companies that offer products and services whose primary use case is protecting digital assets from unauthorized access and malicious use by cybercriminals.
Cybersecurity typically breaks down into:
It is crucial to identify vulnerabilities in time, then develop the appropriate fixes (patches) and install them quickly. For the second and third steps, the average user first has to know that there is anything to act on at all. Smartphones and PCs offer automatic updates, but for smart home devices this process is still largely unfamiliar. A regular user treats a WiFi radio as a household appliance and does not realize that it also runs software that needs to be updated.

An IIOT watchdog monitors vulnerabilities in the Industrial IoT (IIOT) environment. This covers both simple smart home components (IoT) and the components that control industrial machines.
A watchdog can never prevent hardware and software from being compromised, but it gives you valuable time to respond. Now think about the water supply of a small town, or a small production facility. As digitization progresses, these traditionally siloed technology stacks become exposed to cyber attacks. Large plants probably have state-of-the-art protection in place, but many companies do not update their policies and protection routines promptly. As of February 2021, many thousands of companies were still exposed to the SolarWinds compromise. That is a massive risk for the company and for society.
The IIOT Watchdog listens to search feeds and monitors vendor initiatives and white-hat forums. Who exactly is behind an account sensor can be answered along several dimensions: independent technical editors are responsible for monitoring the components, and there are thousands of them publishing their findings, among them manufacturer blogs, technical publishers, and also hacker forums.
We monitor these account sensor reports with specialized software. This is an essentially automated process, similar to analyzing RSS feeds. As soon as a reference to a software or hardware component relevant to our plans appears, a human carries out the more detailed examination for content quality and relevance.
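The automated stage of that process, as an added example that is not the IIOT Watchdog's own code: a small Python filter that parses an RSS feed, matches each item against a watchlist of component names, pulls out any CVE identifiers, and hands only new hits to a human for triage. The feed content, component names and asset labels are constructed for the example; a real deployment would fetch the feed over HTTPS and persist the seen set between polls.

```python
"""Watchlist filter for a vulnerability feed (added example, constructed data)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed RSS 2.0 feed: two items name watch-listed components, one is noise.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
  <item><title>Firmware 2.4.1 for AcmePLC-200 fixes authentication bypass</title>
        <link>https://vendor.example/advisory/1</link>
        <description>CVE-2021-0001: unauthenticated Modbus write to holding registers</description></item>
  <item><title>New coffee machine review</title>
        <link>https://blog.example/coffee</link>
        <description>Nothing to do with security.</description></item>
  <item><title>Weak default credentials in SmartRadio WR-10</title>
        <link>https://forum.example/t/42</link>
        <description>telnet open on port 23, password "admin"</description></item>
</channel></rss>"""

# Hypothetical watchlist: lower-cased component names mapped to the asset that runs them.
WATCHLIST = {"acmeplc-200": "PLC, line 3", "smartradio wr-10": "break room radio"}

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


@dataclass
class Hit:
    component: str
    asset: str
    title: str
    link: str
    cves: list = field(default_factory=list)


def scan_feed(xml_text: str, watchlist: dict) -> list:
    """Return one Hit per feed item whose title or description names a watch-listed component."""
    root = ET.fromstring(xml_text)
    hits = []
    for item in root.iter("item"):
        title = (item.findtext("title") or "").strip()
        desc = (item.findtext("description") or "").strip()
        link = (item.findtext("link") or "").strip()
        haystack = f"{title} {desc}".lower()
        for component, asset in watchlist.items():
            if component in haystack:
                cves = sorted({c.upper() for c in CVE_RE.findall(haystack)})
                hits.append(Hit(component, asset, title, link, cves))
    return hits


def new_hits(hits: list, seen_links: set) -> list:
    """Keep only hits not reported in an earlier poll, and remember them for the next one."""
    fresh = [h for h in hits if h.link not in seen_links]
    seen_links.update(h.link for h in fresh)
    return fresh


if __name__ == "__main__":
    seen = set()
    for hit in new_hits(scan_feed(SAMPLE_FEED, WATCHLIST), seen):
        print(f"[review] {hit.asset}: {hit.title} {hit.cves} -> {hit.link}")
```

Everything the filter returns still goes to a person; the code only decides what is worth their time.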
Connected devices are assessed along four main components: the device itself, the mobile application, the cloud endpoint, and the network communication between them.
The device properties are the following:
Internet Pairing - The configuration of network credentials to connect the device to the Internet.
Configuration - The device configuration during the setup phase: creating an account, setting up preferences, etc.
Upgradability - The device’s upgrade options. Does the device update automatically or require user interaction?
Exposed services - Visible running services on the device, like UPnP, mDNS, HTTP server, etc.
Vulnerabilities - Running services on the device that contain vulnerabilities, scored with the Common Vulnerability Scoring System (CVSS).
The mobile application properties are based on static analysis to identify three types of security issues:
Sensitive Data - Artifacts like API keys, passwords, and cryptographic keys that are hard-coded into the application.
Programming Issues - Implementation errors and incorrect use of libraries, such as weak initialization vectors in cryptographic functions or guessable seeds for pseudorandom number generators.
Over-privileged - The mobile application requests excess permissions that are not required or used in the application code.
The cloud endpoint properties are based on the assessment of services that the device and/or the mobile application communicate with.
There are three properties to inspect:
Domain categories - Domains fall into three categories: first-party, third-party, and hybrid. First-party domains are endpoints owned and managed by the vendor of the product. Third-party domains are endpoints of external services such as Google Maps. Hybrid domains are endpoints that run on cloud infrastructure such as Amazon or Azure but are managed by the vendor of the device.
TLS configuration - The proper setup of TLS/SSL, including the use of trusted and valid certificates and the avoidance of legacy TLS/SSL versions with known weaknesses.
Vulnerable services - The deployment of vulnerable services on the cloud endpoint: cleartext authentication, misconfigured services, exploitable services, or an unsupported legacy operating system as the host of the cloud endpoint.
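An added example for the TLS configuration property (not the page's own code): offline checks a client can run on what it holds after a handshake, namely the negotiated protocol version string in the form Python's `ssl.SSLSocket.version()` returns and the peer certificate in the dict form `ssl.SSLSocket.getpeercert()` returns. It flags legacy protocol versions, expired or not-yet-valid certificates, and certificates whose names do not cover the endpoint hostname, with hostname matching done by hand according to RFC 6125 rules (a wildcard only in the leftmost label, matching exactly one label). The certificate and timestamps below are constructed.

```python
"""TLS endpoint checks on handshake results (added example, constructed certificate)."""
import ssl
import time

# Version strings as reported by ssl.SSLSocket.version(); anything in this set is a finding.
LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: exact, or '*' as the whole leftmost label covering one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # wildcard must be the entire leftmost label, must not cover a bare suffix
    # such as "*.com", and must match exactly one label of the hostname
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """DNS names from subjectAltName; fall back to the CN only when no SAN is present."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def check_endpoint(hostname: str, tls_version: str, cert: dict, now=None) -> list:
    """Return a list of finding strings; an empty list means all checks passed."""
    now = time.time() if now is None else now
    findings = []
    if tls_version in LEGACY_VERSIONS:
        findings.append(f"legacy protocol negotiated: {tls_version}")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append("certificate not yet valid")
    if now > not_after:
        findings.append("certificate expired")
    if not any(hostname_matches(name, hostname) for name in cert_names(cert)):
        findings.append(f"certificate does not cover {hostname}")
    return findings


# Constructed certificate in getpeercert() dict form, valid for calendar year 2021.
SAMPLE_CERT = {
    "subject": ((("commonName", "iot.example.com"),),),
    "subjectAltName": (("DNS", "iot.example.com"), ("DNS", "*.api.example.com")),
    "notBefore": "Jan  1 00:00:00 2021 GMT",
    "notAfter": "Dec 31 23:59:59 2021 GMT",
}

if __name__ == "__main__":
    # 1625097600 is 2021-07-01T00:00:00Z, inside the validity window
    print(check_endpoint("iot.example.com", "TLSv1.3", SAMPLE_CERT, now=1625097600))
    print(check_endpoint("iot.example.com", "TLSv1", SAMPLE_CERT, now=1672531200))
```

Trust-chain validation is deliberately left to the TLS library (a default `ssl.create_default_context()` already enforces it); these checks cover what a scanner must still decide for itself once a handshake has completed.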
The network communication properties are based on the observed network traffic between the three components: the smart-home device, the mobile application, and the cloud endpoint.
There are three areas to inspect:
Protocols - The use of third-party DNS, HTTP, UPnP, NTPv3, or custom protocols is considered under the protocol category. These protocols have security implications shown under the attack scenario section.
Susceptibility to man-in-the-middle (MITM) attack - Identifies whether the communication between device and cloud, mobile application and cloud, or mobile application and device can be intercepted by a man in the middle.
Use of Encryption - Identifies whether the communication between device and cloud, mobile application and cloud, or mobile application and device uses or lacks encryption.
Vulnerabilities (CVSS) – An attacker can use one or many vulnerabilities in the device to expose sensitive information or gain control of the device. The vulnerabilities are grouped into four categories (low, medium, high, and critical). Note that the standard CVSS qualitative ratings are derived purely from the base score (Low 0.1–3.9, Medium 4.0–6.9, High 7.0–8.9, Critical 9.0–10.0); the rubric used here additionally folds in whether an exploit is known. The critical category means the device has an active vulnerability that has been exploited. The high category means the device has a serious vulnerability that has not been exploited yet. The medium category means the device has misconfiguration issues that could lead to information disclosure or device compromise. The low category means the device has minor issues such as running legacy protocols or having debug reporting turned on.
Excess Permissions – An attacker (type 2) can utilize excess permissions to disclose sensitive data about the end-users. A mobile application that requests only needed permissions is more secure.
Vulnerable Services – An attacker can exploit vulnerable services on the cloud endpoint to gain control over smart-home devices remotely or to infer sensitive information. Old, unsupported operating systems (OS) can suffer from vulnerabilities that their developers no longer fix, which leaves the cloud endpoint exposed to attackers. Information disclosure from misconfigured cloud services can leak details about the services that help attackers craft an effective attack. Cleartext authentication can be snooped on the network by attackers (type 1 and 2) and used to gain unauthorized access. Exploitable services can be targeted by attackers to gain unauthorized access to a cloud endpoint and control smart-home devices.