IoT Device Vulnerabilities

Kindus has previously discussed how IoT devices have become targets for hacker attacks. The 2023 Microsoft Digital Defense Report highlights further issues caused by outdated or unpatched IoT systems.

Microsoft’s data comes from its own Defender for IoT sensors software. This works by uploading the firmware directly and then scanning and reporting on any weaknesses detected. It is of particular benefit to anyone creating their own IoT device software, as the process often involves an established SDK and some of these are outdated and vulnerable; one example is CODESYS v3, the drag-and-drop logic controller code builder. Using Defender for IoT is a wise precaution when deploying new software, but it might not be possible to completely extract the firmware from an existing device in order to run Microsoft’s checks. Of the firmware examples tested by Microsoft, 32% were found to be vulnerable to known hacker exploits but within systems that could be patched. A further 46% were not only vulnerable but no longer supported and impossible to patch. Patching IoT firmware can be a much more complex process than downloading and installing personal computer OS updates. It may be possible to push updates across the network, but in the worst case devices will need to be taken off-line and individually connected to another machine that loads the patch.

Patching may be further limited by legal or industry needs for software to meet specific requirements such as SIL2 Safety Certification. SIL stands for Safety Integrity Level; there are 4 levels, from 1 to 4, with 4 being the most rigorous. SIL2 is the standard used in the petrochemical and hazardous chemical sectors. It is a measure of the ability of the device not to fail dangerously (perhaps leading to a fire) or at least to control the consequences of any such failure. If updated software is available but it cannot be proven to meet industry regulations, then its potential deployment will be limited.

An example of outdated software still in relatively widespread use is the Boa web server. In November 2022 Microsoft discovered one million internet-exposed Boa web servers. The purpose of a web server on an IoT device is to allow connection through a remote web browser, with the relative convenience of a graphical interface for control and reporting. The Boa code has not been updated since 2005; its vulnerabilities include the ability to access files outside the directories used by the web interface itself, as well as susceptibility to SQL injection attacks that are blocked by more advanced database servers. There is no way to fix the code issues within Boa. If it cannot be replaced within the firmware, the only viable approach is to set complex Boa passwords and to change them regularly.

Even the practice of not connecting devices to any external network, air gapping, might not be enough to prevent their becoming compromised.  Such devices would still be susceptible to attacks through computers or removable storage devices used to update the network or from insider attacks.  This was the case with the Kudankulam Nuclear Power Plant attack (pictured at the head of this article) in India in 2019.  Here the attack was through a work computer infected with malware that had been connected to the ‘isolated’ network.

Organisations need to be aware of the software in use within their IoT systems. Software components such as Boa may be unknowingly present because they are bundled within device operating systems. Solutions can be run to search for systems such as Boa or for open ports, although any systems administrator needs to research what to look for. Software should be updated regularly. Where hardware constraints mean that this is not possible, every effort must be made to restrict access to the system. The Kudankulam example is proof that a system should never be assumed to be hacker proof.
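
One way to run such a search for Boa across devices an organisation administers, given here as an added example that is not from Microsoft or any vendor tool: it reads HTTP response headers and flags any whose `Server` header identifies Boa. The device names, sample responses and the `EOL_SERVERS` watch list are constructed for illustration.

```python
from __future__ import annotations
import re
import socket

# Watch list of unmaintained components (assumption: extend it after your own
# research). Boa is the one named in the article; it reports "Boa/<version>".
EOL_SERVERS = {"Boa": re.compile(r"\bBoa/(\S+)", re.IGNORECASE)}

def server_header(raw_response: bytes) -> str | None:
    """Return the Server header value from a raw HTTP response, or None."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:           # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def classify(raw_response: bytes) -> tuple[str, str] | None:
    """Return (component, version) if the banner matches the watch list."""
    banner = server_header(raw_response)
    if banner is None:
        return None
    for component, pattern in EOL_SERVERS.items():
        match = pattern.search(banner)
        if match:
            return component, match.group(1)
    return None

def fetch_headers(host: str, port: int = 80, timeout: float = 3.0) -> bytes:
    """Send a HEAD request to a device on your own inventory; return the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)

# Constructed sample responses standing in for an inventory sweep.
SAMPLES = {
    "camera-01": b"HTTP/1.0 200 OK\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\nserver: Boa/0.94.13\r\n\r\n",
    "plc-02": b"HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\n\r\n",
    "sensor-03": b"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"x\"\r\n\r\n",
}

def audit(responses: dict[str, bytes]) -> dict[str, tuple[str, str]]:
    """Map device name -> (component, version) for every flagged device."""
    return {dev: hit for dev, raw in responses.items() if (hit := classify(raw))}

if __name__ == "__main__":
    print(audit(SAMPLES))
```

A missing or altered `Server` header does not prove Boa is absent, since firmware can suppress or rewrite the banner; treat the result as one inventory signal alongside firmware analysis.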

 

 
