IoT Firmware Security: Zero-Day Exploitation & Prevention

Posted by Trevagh Stankard on Tue, Mar 16th, 2021

There is a lot of talk about zero-day threats today and rightly so.  The frequency of zero-day attacks has vastly increased over the past decade.  There are a number of reasons for the surge in activity:

• Users rely on more applications than ever before,
• There has been a proliferation of IoT devices due to the shift to edge computing,
• The IT estate of enterprises has rapidly expanded as companies have pursued their digital transformations.

A simple way of summarizing these points is to simply say that more stuff equates to more vulnerabilities.  On top of that, hackers are getting much better at exploiting these vulnerabilities once they are discovered.  The period of time it takes to exploit a newly discovered vulnerabilities has been compressed from months into days.  In addition, the rate of discovery for zero-day exploits has sky rocketed in recent years due to the variety of aftermarkets in which zero-day exploits are sold and traded.  The buyers of these isn’t always criminals.  Researchers sell these exploits to government intelligent agencies as well as police and military forces. 

A Recent Example of an IoT Zero-Day Exploit

The term zero-day attack is used to describe any threat of unknown or unaddressed security vulnerability. While these vulnerabilities are commonly associated with software, they are just as present in hardware apparatuses as well.  The reality is that just about any connected device can be hacked.  For instance, the cybersecurity company, Check Point, demonstrated back in August of 2008 how hackers could remotely compromise a fax machine to steal data being transmitted.  HVAC sensor, cameras, medical devices and even smart elevators are common examples of network connect hardware with minimal internal protection systems to secure them from attack.  Work from home strategies have opened up additional vulnerabilities with the utilization of commercial or even consumer grade networking equipment. 

Check Point Security demonstrated how a hacker could break into a standard commercial router and use it to access additional devices within the internal network such an IP security camera.  While they specifically targeted a NETGEAR R6700 router for the sake of the demonstration, they could have selected anyone of a dozen models from multiple manufacturers to achieve the same result.  In this instance, they took advantage of a stack based buffer overflow exploit called CVE-2020-10923 which was first reported back in July of 2020.  The exploit uses a script that carries out the necessary commands.  When successfully implemented the exploit grants an attacker root access to the device.  From there, the perpetrator can carry out the dastardly mission of intention. 

Protection Measures to Take

Unfortunately, there is no guaranteed way to eliminate zero-day attacks as they are unknown until publicly announced.  There are some measures you can take however to reduce your exposure to these attacks.

1. The first step is to reduce your attack surface by retiring devices that are no longer needed.  This goes for applications as well.  Devices in dormant that are no longer utilized but remain connected are ideal targets.  Most often these devices are no longer supported by their manufacturer and have outdated protocols and services operating within them.  Only allow essential devices and applications to reside within your enterprise as inactive devices pose a great risk and can serve as harbingers for hackers.
2. While it may sound like a broken record, being proactive and diligent about updating all your devices with the latest security patches is critical today.  Responsible vendors do release patches to address newly discovered exposures.  The faster you can patch these vulnerabilities, the faster you can prevent them from being exploited.
3. Nothing works better over time than the market itself.  If organizations would start choosing to only purchase network devices from vendors that put security first, it would sway the industry to create products that couldn’t be exploited so easily.  Remember, you are the customer.  If we all expect more from our vendors, we will get more in the end.
4. You can mitigate the impact of a compromised device within your network by segmenting IoT and other less secure devices into separate zones.  At the very least, these devices should be separated into their own VLANs.  This separation can be further augmented through the use of access lists.  The most effect measure would be to zone them by a next generation firewall.
5. Every internet connected organization needs an advanced email security solution as email is the dominant malware delivery system used by hackers today.  Alternatives such as SpamTitan use inbuilt Bayesian autolearning and heuristics to find anomalous patterns that legacy solutions aren’t incapable of detecting. 

 

Zero-day attacks will continue to plague enterprises for the foreseeable future as organizations continue to digitally transform themselves.  While it may be impossible to totally eliminate these vulnerabilities that so many are seeking to exploit, you can go a long way to reducing their threat levels without breaking the bank.

 

Protect your organization from zero-day attacks with SpamTitan, an advanced email security solution. SpamTitan uses advanced predictive technology to to anticipate new attacks. Start 14-day SpamTitan trial.