Outsmarting IoT Defenses: The Hacker Perspective – Embedded Open Source Summit

Natali Tshuva

9 min read | 20/07/2023

Natali Tshuva: OK. Hello everyone. Thanks for joining today. So as Kate mentioned, we’re going to discuss some cybersecurity aspects but maybe more importantly how hackers perceive cybersecurity when they attempt to perform a successful attack.

So as Kate mentioned, most of my training is in the Unit 8200 of the Israeli Intelligence Unit but more than just vulnerability research, which is something I did for plenty of years, the most interesting part of the job was actually crafting exploitations because finding a vulnerability is one thing that is interesting but developing a scalable attack that could remotely penetrate assets and gain intelligence was really the interesting part. I want to walk you through how such exploitations work and why it’s actually an advantage from a defender’s perspective to understand it.

So the importance of security is something that everyone is already very familiar with but I think that what’s the most important part is when you add software to something, you might get hackable and this is true for pacemakers, gateways, PLCs and really anything.

[Video plays]

Natali Tshuva: Yeah. So this is pretty much it and this is what’s going on with IoT and embedded devices. We took embedded devices that were previously unconnected. We connected them and we see more and more attacks.

Why? Why do hackers love IoT devices? Honestly, hackers love everything they can hack. So it’s just one other thing. But IoT devices are everywhere. The number speaks for itself. Their security level though is usually very low and what hackers are looking for is always the path of least resistance.

There is no goal of targeting the most secure system. You just need one entry point, one way in, and IoT devices usually have the basics, like encryption, stack canaries, best practices I hope. But not on-device endpoint protection, not malware detection and not zero-day prevention.

So it means that it might be easier to hack into them and the stakes are high: medical, industrial, infrastructure, enterprise IoT that can be used as an entry point to the network, like the casino hack through the aquarium, and so on.

Lacking advanced security solutions keeps the door open. So as I mentioned, unlike other assets, IoT devices, even though now they have some security in place and operating systems like Zephyr that have advanced security in the infrastructure itself, they are still missing application-level security, endpoint security and so on.

So this is what we’re actually seeing. Two thousand new CVEs each month, CVEs being new vulnerabilities that are disclosed. It means that as we keep using static analysis and so on, we still have new vulnerabilities every month.

Seventy percent of Patch Tuesdays are due to memory vulnerabilities. Patch Tuesday, for those of you who don’t know, is a patch that Microsoft releases every Tuesday. So every week, Microsoft has new vulnerabilities that they need to patch. That means that even though they are using all the best practices, they still have new vulnerabilities.

Fifty-eight percent of companies have a publicly available exploit and the most important number in my opinion is 15 vulnerabilities per 1000 lines of code. So vulnerabilities are really a matter of how big your code is. It’s not a matter of how well you develop.

I want to say a word about static analysis. So static analysis tools are great tools but the numbers are – they are missing 50 percent of the vulnerabilities and the best example that I can give is those recent vulnerabilities in large third-party libraries.

Bluetooth libraries, TCP/IP libraries, Ripple20, Urgent/11 and what’s interesting about them is they are integrated in millions of devices and were scanned by multiple static analysis tools and yet when researchers researched them, they were able to find new vulnerabilities.

So really the only reasonable conclusion is that for a hacker, they know a vulnerability exists, whatever and whichever assets they are researching, and this was really our feeling in the unit. We knew that we were going to be successful.

We weren’t starting a research project thinking, “Oh, maybe this system doesn’t have vulnerabilities,” because something like that does not exist. Every system, every software has vulnerabilities. We just need to find them and this is how hackers feel confident when they come to research a new system.

So – and of course, there are also a few examples of what we already discussed. By the way, some of the examples of vulnerabilities that Sternum disclosed are in the Wemo smart plug by Belkin, QNAP devices, Zyxel devices and really everywhere we looked into. Some of the vulnerabilities our product even detected automatically.

So why is it so different to secure embedded systems? The obvious reasons, right? One is limited resources. You don’t have the battery capacity, memory or CPU to run CrowdStrike on your system.

Second, there is a different attack landscape. So if we are talking about protecting endpoints or servers, we need to think about phishing, emails, downloading malicious applications, all these attack surfaces that hackers penetrate through. So endpoint protection for additional ones are handling these attack surfaces but IoT devices are different. They are deterministic. They are aiming to do one specific thing or a few things but in a deterministic way.

That means that their most attractive attack surface is software vulnerabilities, really programming mistakes, command injections, buffer overflows and so on and so forth.

This also means an advantage for us as defenders because if you have something that’s supposed to behave deterministically and not allowing downloading or surfing the internet, you can actually leverage that to maintain the integrity of the software in real-time.

I think one of the most difficult parts of securing IoT devices is the diversification. So we’re talking about more than 100 different operating systems. Most security solutions today are leveraging operating system capabilities to protect the system: the kernel permissions, policies. When you have very – sorry, very different operating systems, it’s hard to build endpoint protection that is based on kernel services. Also, the diversification in hardware and applications makes it hard to develop one solution that can really feed them all.

So when an attacker wants to actually be successful in an attack, there are two main ways to penetrate. One is I want to target one specific company, one specific device. In that case, you can read our research on the Belkin smart plug, how we do firmware instrumentation, how we start investigating, how we found a vulnerability and exploited it.

But this will be applicable to one specific device and it’s somewhat easier than a more scalable attack when we want to attack millions of devices. In that case, hackers will target third parties: libraries, communication protocols, Bluetooth, encryption, because those libraries go into multiple different types of devices and the way to exploit them remains the same, right?

So if there is a communication library in a medical device or a gateway, the way to exploit it is the same. So I can have a scalable attack without researching multiple devices, without even the need to acquire the device physically. I just need to research a piece of code that is within the device. Many times it’s an open-source code.

So inside the device, there are many attack vectors. So many people ask me, “But how do they get in?” So the entry point to hack a device goes through user input and sometimes we are even not aware of some of the penetration points that we have. For example, when you build a device, you use modules, Bluetooth modules, Wi-Fi modules. Those modules have software within them, parsing packets remotely, parsing the Bluetooth protocol and so on.

In many cases, we’ve seen attacks that are able to penetrate directly through a module vulnerability. Third-party code we discussed, your own application code of course, and mainly through protocol vulnerabilities and communication with the outside world, be it through a mobile application or through a server.

Whenever you connect outside, there is also some incoming data and this incoming data can be used by the attacker to craft an exploit.

So really this slide says it all. When we try to patch vulnerabilities, when we try to catch all the vulnerabilities in advance, when we try to use best practices, we actually are trying to remove 100 percent of the vulnerabilities because that’s the only way to be protected.

A hacker on the other hand, he only needs to score once. He needs to find one way in. So even if you remove 99 percent of your vulnerabilities, the hacker still just needs one and I think everyone would prefer to be Messi in this situation and not the goalkeeper. Even though I was a goalkeeper but that’s something else.

So really if we dive into a real exploitation, so this is the vulnerability Sternum recently disclosed, and Belkin really uses all the best practices: static analysis, encryption, secure boot, over-the-air updates to patch devices. Everything that you keep hearing, SBOM of course, and – yeah, which is important. But still what I want to show is how reactive it is, how when there is a new vulnerability, a zero-day, there is nothing that those tools and techniques can do.

What Sternum disclosed, and I invite you to read the research, is a memory vulnerability that enabled us to remotely get on the device and take complete control of the firmware and software. What that means is that the data wasn’t encrypted anymore, right? WhatsApp is encrypted but when you read messages on your phone, they are decrypted. So if someone is running code on the phone itself, it is able to read the messages, especially if it’s in the kernel.

That’s the same for every asset out there. If you are running code on the endpoint itself, the data is not encrypted and it can be leaked. So all the tools that help patch one-days and so on cannot really help against what we disclosed.

So the current approach is reactive, imported from other industries. What I mean by that is that we’re trying to take techniques from other industries and just use them on embedded systems. That is really not a great thing to do because an embedded system is a different ecosystem, different attack landscape, different architecture.

So patching. Patching is reactive for sure because we are patching something only after we know it existed, but also very costly. So patching could be a nightmare in some industries. It’s not like updating your Windows or iPhone device and in many cases, devices are left unpatched for many months, making them even more vulnerable.

Encryption. So I really like this quote because it’s by Adi Shamir, the S in RSA. Basically the inventor of one of the most used encryption algorithms and usually he says there are much simpler ways of penetrating a security system than cracking the crypto. What it means is that nobody is going to crack your encryption algorithms.

What they are going to do is find a simpler way to get on the device or to bypass your certification checks, and then everything is exposed, and this is really what security vulnerabilities or attacks look like.

Lastly, static analysis misses 50 percent of the vulnerabilities. So if you don’t have 15, you have 7 per thousand lines of code. That’s still pretty high.

Of course what has not been discovered by static analysis is then being discovered in post-production. So we can’t fight vulnerabilities. This is at least my opinion. Everyone has vulnerabilities and every software has vulnerabilities.

So what can we do? So while every vulnerability is different, actually when you exploit a vulnerability, there is some specific set of techniques that you can use. So if you are exploiting a buffer overflow, you need to do something. If you are exploiting a command injection, you have to do something different.

But the things that you have to do like overflow the memory, manipulate the execution flow, inject the command using malicious characters, those exploitation techniques are not changing even if you are exploiting 10 different vulnerabilities, if the vulnerabilities are from the same family, from the same type.

So a CVE is an instance of a vulnerability but a CWE is actually the type, the family that these vulnerabilities are associated with. If we target not the vulnerabilities but the way of exploiting them in real time, what it looks like, we will actually be able to understand the exploit chain and detect it in real time.

So what you see on the screen is the Wikipedia definition of exploitation and what you can see is that every exploitation is linked to a system weakness and an exploit is actually a piece of software intended to change the intended behavior of the device, of the software.

So what we hear about, what we understand is that exploitation is deterministic. It’s a piece of code. Second, it has to cause malicious operation and this is the attack chain. Exploit is connected to a vulnerability. It has to exploit the specific vulnerability.

So what if instead of trying to stop the vulnerability, we will stop unintended behaviors from being executed? We will stop overflows in the memory. We will stop malicious characters from being executed inside commands. Sternum technology is the exploitation fingerprint. It’s really about understanding what is the fingerprint of exploiting each type of vulnerability and identifying those fingerprints in real-time execution.

In many ways, it operates like zero-day prevention in traditional endpoints but the uniqueness of our solution is how you can do that in a way that is less than three percent overhead and can really fit real-time operating systems as well as embedded Linux smoothly.

But what it really gives defenders is a power flip because now as a hacker, I not only need to find one vulnerability. I also need to find a vulnerability that the exploitation technique of it will bypass all the detection mechanisms on the system.

The problem is the exploitation technique is connected to the vulnerability that I found. It’s not something I can change without having a special vulnerability that I can exploit differently. That means that now I need to find this one special exploit technique and vulnerability that will bypass the protection solutions that operate in real time.

To visualize it, and because I don’t have a lot of time, I will go fast. Sternum deployed our solution on all the devices that we discovered to be vulnerable and our exploitation fingerprint technology was able to stop memory corruptions, command injections, manipulation of execution flow and by doing that, stopping in real time the attack attempt, sending a notification including the line of code where the vulnerability existed, and now you can patch it of course. But most importantly, you are not vulnerable. No malicious code is running on the system.

So we really try to bring IT standards into the IoT space including full observability, real-time monitoring of the system, anomaly detection, zero-day protection and most importantly operating in real-time execution. What happens in real time cannot be found passively statically during development.

Yeah. A little bit about the company. Three components to a platform, runtime protection, continuous monitoring and operational insights from the devices and data that we monitor. We are already deployed on millions of devices, mainly the medical space, industrial space and consumer and enterprise IoT and as you can see, we are already working with leading companies like Medtronic and others. So thank you very much.
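The talk describes the idea of checking, at runtime, for the fingerprint of an exploitation technique rather than for a specific vulnerability: malicious characters arriving inside a command, or a write that would not fit its buffer. The following C example, added here to illustrate that idea, is not Sternum's code and not part of the talk; it assumes a firmware routine that builds a `ping` command from a host name supplied by a user, and the metacharacter set, the buffer sizes and the sample inputs are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Characters that let input escape an argument and reach the shell
 * (command separators, pipes, substitution, redirection, quoting).
 * This set is an assumption for the example; a real deployment would
 * match it to the shell actually present on the device. */
static const char SHELL_METACHARS[] = ";|&`$()<>{}\n\r\\\"'";

/* Command-injection fingerprint: returns the first shell metacharacter
 * found in arg, or 0 when the argument is clean. */
char first_shell_metachar(const char *arg) {
    for (const char *p = arg; *p != '\0'; ++p) {
        if (strchr(SHELL_METACHARS, *p) != NULL) {
            return *p;
        }
    }
    return 0;
}

/* Builds "ping -c 1 <host>" into out. Refuses the command when the host
 * carries injection characters or when the result would not fit out,
 * so that neither a tampered command nor an overflowing write ever
 * reaches the shell. Returns true only when out holds a complete command. */
bool build_ping_command(const char *host, char *out, size_t out_len) {
    if (out == NULL || out_len == 0) {
        return false;
    }
    if (first_shell_metachar(host) != 0) {
        out[0] = '\0';                          /* injection fingerprint hit */
        return false;
    }
    int n = snprintf(out, out_len, "ping -c 1 %s", host);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';                          /* overflow fingerprint: truncated */
        return false;
    }
    return true;
}

/* Stand-alone demonstration over constructed inputs. */
int main(void) {
    const char *inputs[] = { "10.0.0.1", "gateway.local;id", "10.0.0.1`id`" };
    char cmd[32];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; ++i) {
        if (build_ping_command(inputs[i], cmd, sizeof cmd)) {
            printf("accepted: %s\n", cmd);
        } else {
            char bad = first_shell_metachar(inputs[i]);
            printf("rejected: \"%s\" (%s)\n", inputs[i],
                   bad ? "shell metacharacter" : "does not fit buffer");
        }
    }
    return 0;
}
```

The check is deliberately a denylist so that it mirrors the "fingerprint" framing of the talk: it does not need to know which CVE the input is aimed at, only that the input carries the characters every shell-injection exploit of this family must carry. In production the stronger pattern is to avoid the shell entirely and pass arguments as an `argv` array, with an allowlist on the host name on top.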
