Wednesday, September 01, 2021

Internet of Things: Investigative Challenges

 
Frank Kardasz, MPA, Ed.D.  Editor: Ava Gozo.
September 1, 2021
Updated September 11, 2021

Introduction

Internet of Things (IoT) devices can sometimes contain weaknesses that permit attackers to improperly control devices or permit the unintended release of data. Data integrity, privacy, data ownership, energy-efficient cryptographic algorithms, and legal and liability issues are growing concerns in the IoT domain (Watts, p. 26). IoT devices are a burden, but also a benison for investigators. Criminal actors can misuse devices to facilitate a growing number of crimes. Conversely, law enforcement can sometimes benefit from IoT devices by lawfully obtaining information that solves crimes and brings offenders to justice. This work discusses some considerations related to IoT vulnerabilities and challenges for investigators.

IoT Defined

The Internet of Things can be defined as a computing concept that describes the idea of everyday physical objects connected to the internet and able to send and receive data.  The term is associated with radio frequency identification (RFID) as the method of communication, although it also may include other sensor technologies, wireless technologies or QR codes (Techopedia, 2020).

Rise of the Machines

The IoT device market is continuing to grow.  According to a report from Global Industry Analysts Inc. (Le Lezard, 2021), the IoT Device Management Market will grow to be valued at seven billion dollars by 2026.  Meanwhile, Cision reports that the IoT Warehouse Management Market will grow to 18.4 billion dollars (Cision, 2021). The ongoing march to develop, sell, deploy and manage IoT devices has resulted in amazing innovations that are useful for consumers, businesses and government. Sadly, in the development frenzy, software designers and manufacturers sometimes overlooked or underdeveloped security features that can protect devices from nefarious use.

Vulnerabilities - Mandiant/FireEye

New IoT vulnerabilities, hacks and malware opportunities are being identified with alarming frequency. A vulnerability was recently revealed affecting millions of devices that use the Kalay protocol from the ThroughTek Company. Researchers from Mandiant/FireEye found that the vulnerability would enable adversaries to remotely compromise victim devices, resulting in the ability to listen to live audio, watch real-time video, and compromise device credentials for further attacks. These further attacks could include actions that would allow someone to remotely control the devices (Valletta et al., August 17, 2021). This vulnerability revelation is one of many in the continuing exposure of security weaknesses in IoT devices.

Vulnerabilities - Dan Petro at DEF CON

Another widespread vulnerability involves the random number generators used in the encryption process. In his August 2021 DEF CON presentation, "You're Doing IoT RNG," Dan Petro described a "systemic minefield of vulnerabilities" related to encryption keys that may not always be built from the required random numbers. The problem involves hardware random number generators (RNGs) that are not robust enough to produce the required randomness and instead often produce zeros. He called IoT random number generators "fundamentally broken" and recommended that future manufacturers instead use a cryptographically secure pseudorandom number generator (CSPRNG). Petro opines that millions of existing and already deployed devices will probably never be updated or replaced (Petro, August 5, 2021).
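The failure described above, zeros where random words were expected, can be caught before a key is built. The following C code is an added example, not code from Petro's talk or from any vendor: the `hw_rng_fn` signature, the fault models and the retry budget are assumptions, and it covers only the check on raw hardware output, not the CSPRNG that output should seed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define KEY_WORDS   4  /* 128-bit key */
#define MAX_RETRIES 8  /* assumed retry budget before failing closed */
/* Hypothetical HAL signature: 0 = word is valid, nonzero = no entropy ready. */
typedef int (*hw_rng_fn)(uint32_t *out);

/* Constructed fault models standing in for real peripherals. */
static int rng_not_ready(uint32_t *out) { (void)out; return -1; } /* error, buffer untouched */
static int rng_stuck(uint32_t *out) { *out = 0; return 0; }       /* "success", always zero */
static int rng_demo(uint32_t *out) { /* varying words for the demo only, NOT random */
    static uint32_t s = 0x2545F491u;
    *out = s = s * 1664525u + 1013904223u;
    return 0;
}

/* Pattern to avoid: status ignored, so a failed read leaves the key at its initial zeros. */
static void key_unchecked(hw_rng_fn rng, uint32_t key[KEY_WORDS]) {
    memset(key, 0, KEY_WORDS * sizeof key[0]);
    for (int i = 0; i < KEY_WORDS; i++) rng(&key[i]);
}

/* Checked read: retry on error, reject a word equal to the previous one, fail closed. */
static int key_checked(hw_rng_fn rng, uint32_t key[KEY_WORDS]) {
    uint32_t prev = 0;
    for (int i = 0; i < KEY_WORDS; i++) {
        uint32_t w = 0;
        int status = -1;
        for (int t = 0; t < MAX_RETRIES && status != 0; t++) status = rng(&w);
        if (status != 0 || (i > 0 && w == prev)) {
            memset(key, 0, KEY_WORDS * sizeof key[0]);
            return -1; /* caller must not derive a key from this buffer */
        }
        key[i] = prev = w;
    }
    return 0;
}

static int is_all_zero(const uint32_t key[KEY_WORDS]) {
    uint32_t acc = 0;
    for (int i = 0; i < KEY_WORDS; i++) acc |= key[i];
    return acc == 0;
}

int main(void) {
    uint32_t k[KEY_WORDS];
    key_unchecked(rng_not_ready, k);
    printf("unchecked key all zero: %d\n", is_all_zero(k));
    printf("checked: not-ready=%d stuck=%d demo=%d\n", key_checked(rng_not_ready, k),
           key_checked(rng_stuck, k), key_checked(rng_demo, k));
    return 0;
}
```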

Vulnerabilities - Bluetooth and BrakTooth

Some vulnerabilities are only exposed after devices are reverse-engineered by dedicated researchers. Researchers at the Singapore University of Technology and Design reported 16 Bluetooth security vulnerabilities that they titled "BrakTooth". The BrakTooth vulnerabilities permit denial of service and arbitrary code execution and affect over 1,440 product listings (Garbelini, M.E., Chattopadhyay, S., et al., August 31, 2021).

Security expert and podcaster Steve Gibson, reporting on the researchers' findings, said of the BrakTooth vulnerabilities:

"So here again with BrakTooth, we have researchers who, because this technology is closed, have been forced to hack into and reverse engineer important implementations of technology that will be used by millions of people. And once shipped and sold, (the devices) will almost certainly never be updated, once it's in the field." Gibson also said, "We are rapidly filling the world with a bunch of incredibly complex crap that ships the moment it stops crashing in the lab. And that's an entirely different result from having potentially mission-critical technologies being actively resistant to attack and abuse. They're (the flawed devices) obviously not. The moment anyone starts poking at our stuff, it collapses. So these researchers just showed us once again that the world we're living in today is one where hoping for the best is apparently all we can do. If I sound disgusted, yes, you know, it's true" (Gibson, September 10, 2021).

Book: Abusing IoT

Manuals describing IoT weaknesses and vulnerabilities have sprung up. In the book, Abusing the Internet of Things, Dhanjani (2010) describes vulnerabilities in several devices. The book discusses electronic door locks, actuator switches, light bulbs, baby monitors, autonomous vehicles, tire pressure monitoring systems, magnetic stripe cards, Z-Wave and other items.

Book: IoT Hacking

In another text, The IoT Hacker's Handbook (2019), Gupta discusses a variety of approaches to explore and exploit devices including thermostats, vehicles, navigation systems, home security systems, insulin pumps, and other devices. The book explores pentesting, UART, I2C, SPI, JTAG, BLE, Zigbee and much of the rest of the alphabet.

U.S. Legislators in Slow Pursuit

Laws and law enforcement officials are struggling to catch up to the growing calls to protect people from IoT-related crimes. While legislators in Australia recently updated laws to improve oversight in the area of critical infrastructure, the US may be falling behind. Speaking on the OT and IoT Security Podcast, former Assistant US Attorney Jonathan Rusch commented on the state of cybersecurity in the US and compared the current US laws with prescient legislation in Australia. Rusch said (21:30 min - 23:25 min):

"The situation in the United States is a polar opposite from Australia. Despite multiple administrations in the US government, there is still no consistency of approach, no 'This must be done'. As opposed to; 'it would be really good if everybody would get behind the banner of cyber security and do more things'. My analogy would be for Australians, imagine if you were asked to play in a game of Australian rules football where you have not 7 but 50 or more different umpires, each with a different rule book who can penalize the players who step on to the field for any one of the violations that they see in their rule books and there has to be no consistency between the rule books and where the owners of the teams don't even want to shell out enough money to give the players proper footwear. That's the kind of fragmented, disjointed, asymmetrical kind of approach that we have currently in the United States and where P.S., some of our best efforts by law enforcement only come in after the damage has occurred and then you bring in the investigators to try to find out how the catastrophic event happened."

Law enforcement efforts are often at a disadvantage in combating IoT-related offenses. While offenders misuse devices and obtain data without regard to laws, law enforcement investigations typically require some elaborate and time-consuming combination of informed consent, subpoenas, search warrants, careful digital forensics examination and documentation. Law enforcement is typically playing catch-up to more agile maleficent adversaries.

Universal Precautions

There are some precautions and preventative measures that users of IoT devices should consider. In general, the following tactics may slow some of the attacks:

  • Network segregation - Place IoT devices on networks separate from other computers and devices.
  • Change the factory-given default user names and passwords that accompany new devices.
  • Use multi-factor authentication.
  • Use complicated passwords and never share or re-use passwords.
  • Update operating systems and software as soon as updates become available.
  • Replace outdated vulnerable devices with updated devices containing strong security features.

Mitigations - Mandiant/FireEye

Specific to the case of the ThroughTek/Kalay vulnerabilities, the following mitigations are suggested (Valletta, August 17, 2021):

  • Companies using the Kalay protocol should upgrade to at least version 3.1.10 and enable the following Kalay features:
      • Datagram Transport Layer Security, which protects data in transit.
      • Authentication Key, which adds an additional layer of authentication during client connection.
  • Hardening features including Address Space Layout Randomization (ASLR), PIE, NX, and stack canaries should be enabled on binaries processing Kalay data.
  • Remote Procedure Call functions should be treated as untrusted and should be sanitized.
  • IoT device manufacturers should apply controls around web Application Program Interfaces (APIs) used to obtain Kalay UIDs, usernames, and passwords to minimize an attacker’s ability to harvest sensitive materials needed to access devices remotely.

Conclusion

Internet-connected devices are a help and a hindrance to law enforcement.  The growing misuse and abuse of devices will necessitate an increased number of responses from investigators and the judicial system.

  • Legislators should improve existing laws.   
  • Manufacturers should focus increased efforts towards device safety and the prevention of device misuse.
  • Users should employ all available security precautions.

References

Cision. (August 31, 2021). Global Industry Analysts Predicts the World Internet of Things (IoT) in Warehouse Management Market to Reach $18.4 Billion by 2026. https://www.prnewswire.com/news-releases/global-industry-analysts-predicts-the-world-internet-of-things-iot-in-warehouse-management-market-to-reach-18-4-billion-by-2026--301364984.html

Dhanjani, Nitesh. (2010). Abusing the Internet of Things. O'Reilly Media, Sebastopol CA. ISBN: 063-6-920-03354-7

Garbelini, M.E., Chattopadhyay, S. et al. (August 31, 2021). BRAKTOOTH: Causing Havoc on Bluetooth Link Manager: Vulnerability Disclosure Report. https://asset-group.github.io/disclosures/braktooth/

Gibson, S. (September 10, 2021). Security Now. Transcript of Episode #835. https://www.grc.com/sn/sn-835.htm

Le Lezard. (August 26, 2021). Valued to be $7 Billion by 2026, Internet of Things (IoT) Device Management Slated for Robust Growth Worldwide. https://www.lelezard.com/en/news-19970438.html

Petro, Dan. (August 5, 2021). DEF CON 29 - Dan Petro - You're Doing IoT RNG. Video. 40 min 03 seconds. https://www.youtube.com/watch?v=Zuqw0-jZh9Y

Rusch, Jonathan. (March 4, 2021). Dissecting the Security Implications of the Australian Critical Infrastructure Act. The OT and IoT Security Podcast. [Audio Podcast]. https://tunein.com/podcasts/Technology-Podcasts/The-OT-and-IoT-Security-Podcast-p1354400/?topicId=161285361

Techopedia. (November 27, 2020). Internet of Things (IoT). https://www.techopedia.com/definition/28247/internet-of-things-iot

Valletta, J., Barzdukas, E., and Franke, D. (August 17, 2021). Mandiant Discloses Critical Vulnerability Affecting Millions of IoT Devices. Threat Research Blog. FireEye. https://www.mandiant.com/resources/mandiant-discloses-critical-vulnerability-affecting-iot-devices

Watts, Sylvia, Ed. (2016). The Internet of Things (IoT): applications, technology, and privacy. Nova Science Publishers Inc, NY. ISBN 9781634846264

=-=-=-=-=-=-=-=

Link: https://kardasz.blogspot.com/2021/09/IoT.html
