SOURCE: TrapX

TrapX

March 11, 2015 06:00 ET

TrapX Report Overviews Rapidly Growing Security Risk in Internet of Things (IOT) Devices

TrapX Labs Research Confirms Security Risks in NEST Learning Thermostat™

SAN MATEO, CA--(Marketwired - Mar 11, 2015) - TrapX™, a global leader in deception-based cyber security defense, today released its latest Anatomy of an Attack (AOA) report, "The Internet of Things (IoT) - The Hidden Danger Exposed," which confirms design flaws discovered in the Nest Learning Thermostat™. For the purpose of this report, TrapX Labs validated the attack vector presented at the Black Hat 2014 conference by compromising the device and an entire home network. 

"While the Nest Learning Thermostat™ has relatively robust security compared to most IoT devices, the attack vectors presented at Black Hat enabled our lab to completely compromise the device within our Advanced Test Bed Facility (ATBF)," said Carl Wright, general manager of TrapX. "For real-world validation, the lab then took the compromised device outside of the ATBF and installed it in a participant's home network."

Once the Nest Learning Thermostat™ was installed, TrapX Labs used it as an initial point of attack and was easily able to compromise an entire home network. Once the network was under the lab's control, researchers were able to track the user's Internet surfing activity and get access to their private credentials as well as data collected by the Nest Learning Thermostat™, such as whether anyone was at home.

"We took the Nest Learning Thermostat™ apart and did a complete analysis of the operating system and potential entry points," said Moshe Ben Simon, vice president and co-founder of TrapX and general manager of TrapX Labs. "During our analysis, we found an ARM processor that was running under a hardened Linux operating system. We gained root access and then were able to control the Nest Learning Thermostat™ from our attacking server. Make no mistake, the Nest Learning Thermostat™ is a well-designed and relatively secure IoT device. The problem is that the hackers are moving faster, with more intensity and more funding. We are losing an undeclared cyber war even before most of us recognize that this war has already started. Solving this problem requires far greater investment in cybersecurity and a change in strategy as we go forward with IoT," Simon concluded.

"The whole point of this report was to show that any single IoT device, without adequate security, can present a serious threat to the networks to which they are connected," said Wright. "The report shares our forward view of the impending dramatic escalation in IoT cyber attacks and the risks these pose to corporate, government and personal security."

Looking beyond the Nest Learning Thermostat™, which is relatively secure, there is a serious concern that the manufacturers of IoT devices at all points in the supply chain do not seem to have the economic incentives to provide initial cybersecurity support or ongoing support, including the regular integration of software and/or hardware updates. At every level of manufacturing and design, the manufacturers involved with IoT are obsessed with cost cutting and minimal design footprints. The design chain for electronic components such as IoT usually includes two or even three manufacturing tiers, each integrating their products with the products of their suppliers. Unless their customer specifies it or unless the regulatory environment requires it for compliance, additional features for cybersecurity will not go into the product.

Seven Key Steps IoT Manufacturers Can Take to Improve Device Security

  • Perform a complete design review of all OEM components, especially those manufactured overseas. This is essential for anyone in the defense industry and highly desirable for most manufacturers that integrate electronic components and chips.
  • Consider a strategy to rapidly integrate and deploy software fixes and/or hardware fixes to your end-user customer base, especially when there is a two- or three-tier supply chain.
  • Do not allow any production versions of these devices to be bootable from a USB port.
  • Sign the software -- this is a mathematical technique used to validate the authenticity of the software.
  • Use an outside penetration-testing firm to run security tests to discover vulnerabilities and help with the design review of OEM components.
  • Implement firewalls on every device to resist hacker attacks and allow only specified IP addresses in or out.
  • Protect the management channel interface from attackers and only allow limited access to the management server.

The full report, "The Internet of Things (IoT) - The Hidden Danger Exposed," can be downloaded here: http://deceive.trapx.com/AOA---The-Internet-of-Things.html

Trademark Notice
Nest Learning Thermostat™ is a trademark licensed by Nest Labs, Inc.
TrapX Security™ and DeceptionGrid™ are trademarks licensed by TrapX Security, Inc.

About the AOA Series and TrapX Labs
The Anatomy of an Attack (AOA) Series highlights the results of TrapX Labs' research into current or potential critical information security issues. The mission of TrapX Labs is to conduct critical cybersecurity experimentation, analysis and investigation and to bring the benefits back to the community at large through AOA publications and rapid ethical compliance disclosures to manufacturers and related parties. Since its inception, TrapX Labs has worked to create the next generation of technologies and best practices so that they can ultimately provide leading resources for the evolution of cyber security.

The research facility conducts applied research that is focused on specific cyber threats and their countermeasures. Team members develop and apply leading-edge technologies in computing, network architectures, network forensics, malware analysis and analysis of commercial hardware and software to solve and understand the anatomy of today's most complex cyber attacks.

For more on TrapX, please visit: www.trapx.com
Visit the TrapX blog: http://www.trapx.com/blog/
Follow TrapX on Twitter: @trapxsecurity
Follow TrapX on LinkedIn: https://www.linkedin.com/company/trapx
Like TrapX on Facebook: https://www.facebook.com/pages/TrapX/258804147648401

About TrapX

TrapX Security is a leader in the delivery of deception-based cyber security defense. Our solutions rapidly detect, analyze and defend against new zero day and APT attacks in real-time. DeceptionGrid™ provides automated, highly accurate insight into malware and malicious activity unseen by other types of cyber defense. We enable a pro-active security posture, fundamentally changing the economics of cyber defense by shifting the cost to the attacker. The TrapX Security customer base includes global 2000 commercial and government customers around the world in sectors including defense, healthcare, finance, energy, consumer products and other key industries. Learn more at www.trapx.com.

Contact Information