Recently our CEO, Natali Tshuva, presented at IoT Tech Expo Europe, where she gave a keynote speech about IoT security challenges and soft spots, from the attacker’s point of view.
Below is the recording and the transcript of Natali’s talk, and the link to her deck.
Natali Tshuva: Thanks, everyone. Thanks for being here. First, I’m not a professional football player. Just some hobby. I moved to some other things. Today we will be discussing IoT security slightly from the other side of the picture, from the hacker’s perspective. How they see IoT security, how they’re targeting, how they are exploiting, and how, in some sense, they are also bypassing everything that we’re trying to do.
So before that, a little bit about myself, I started with computer science when I was pretty young. I liked playing FIFA, so I thought if I learned computer science, I could program some cool games. But the path led me to Unit 8200, which is the Israeli NSA. There, I practiced mostly cybersecurity and not video games. Basically, reverse engineering, finding vulnerabilities in the most advanced systems like Windows and Linux kernel, and Android devices.
Then I moved to Cellebrite, to develop exploits, which is more than just finding the vulnerability, but how to build an exploit that will generically be able to hack into systems and extract intelligence, even if it’s encrypted, or even deleted, and restructure deleted information from mobile devices.
That led me to the thinking that in Unit 8200, and in Cellebrite, and in companies like NSO, it seems that no matter how we try to secure our systems, hackers always find a way in. And I knew that because when I was on the other side, it was always possible for me to find a vulnerability. So when I thought about what I really wanted to do next, it was really about building a technology that I will not be able to exploit. Building a technology that will end the loop of hackers and defenders.
This is how Sternum came to be. With great co-founders, we founded Sternum, which is a proactive security for IoT devices and embedded systems. I can tell you more about us later on. I want to start with a video showing how exploitation today can be super easy, completely remote, even on top vendors like Cisco. So let’s take a minute to watch this.
So what you’re seeing here is remote exploitation on a business router. They are getting root access on the business router. And this business router is actually the gateway to an entire enterprise network. This video is on YouTube, and the exploitation is available for everyone. This is just one example.
So let’s take a short step back and just talk about numbers you all probably know. Maybe the most significant one is 1.5 billion IoT breaches in six months, the last six months. This is an outstanding number. Since 2021, the pandemic, the rise of IoT attacks has been super significant. And we’re seeing more and more IoT security spending, trying to address those issues.
The problem with security spending is that money isn’t enough to build secure systems. And this was my first point about millions of dollars being spent on security. But are we really secure? And why not? And this number is pretty acute – 127 new devices connect every second. So the amount of attack surface is increasing exponentially, but the amount of security defenses especially for IoT is lagging behind.
Why is it so extremely difficult to secure IoT devices? I can tell you that I’ve been in endpoint security, in malware research, in network exploitations, and IoT security is the most complex challenge I’ve ever faced. And the reason is basically those three main components. One is diversity. Unlike endpoint protection, in IoT devices we are dealing with real-time operating systems, with embedded systems, with different system hardware – and with communication protocols that are varied. We’re dealing even with homegrown code. Since everything is embedded, it means everything is not like anything else. Everyone is building their own, which makes it hard to secure in a general way.
Second element is third party dependencies. So remember the Bluetooth library that you integrated, or the TCP/IP stack, or maybe some encryption library that is making your life easier building your device? It’s also endangering you! Because IoT devices have no segmentation isolation, no advanced security controls, and every third party is an attack surface and an entry point to the device.
The third element is super important-resources. Most security solutions, especially active ones require 20% to 30% overhead. I assume none of the people here or in the conference, generally speaking, can accept 20% to 30% overhead increase in memory, cpu, battery resources. So it makes all of our solutions ineffective for these kind of devices, and makes the challenge even more complex.
IoT devices are a very consequential asset and they become a very desirable target for hackers for three main reasons. One, if I want to penetrate an enterprise, today, the enterprise is super protected, email is protected, network is protected, cloud is protected. So what I’m looking for is the weakest link. Sometimes a vulnerable security camera, a vulnerable video home recorder, a router becomes the weakest link that can expose the entire enterprise to me as a hacker. Hackers are looking for the easiest way to penetrate. And if those assets are not protected, they become an easy starting point.
Second element is device manufacturers are vulnerable to ransomware, reputation damage, and even regulation requiring them to secure their devices. That also means that there is a lot of, let’s say, potential in targeting device manufacturers through hacking their devices, stealing IP from the devices, and doing other manipulations.
The third element is that those devices go beyond security cameras to very sophisticated PLCs infrastructures, smart cities and medical devices. Damaging them or affecting them could mean even military grade attacks or threats. So we have to secure them, we know that otherwise, probably we wouldn’t be here.
So what we know as hackers, and here starts the hacker’s perspective. We know that there are vulnerabilities. They are inevitable, and probably endless. But it’s not me saying that, it’s the data. So let’s take a look at the data. We have 2000 new CVE’s, new disclosed vulnerabilities every month. We have 70% of Patch Tuesdays, those are the patches that Microsoft released due to memory vulnerabilities. So 20, 30 years in the market, and they still, every week, patch new memory vulnerabilities that they find. It’s an endless race.
58% of companies have a publicly available exploit. That’s a really strong number, because publicly available exploits means that everyone can download the exploit and exploit you and upload the video to YouTube, as we saw at the beginning. Lastly, we have 15 vulnerabilities per a thousand lines of code. That’s a hard number. As your code increases, you’re building more sophisticated devices, you’re integrating more third parties, you have more vulnerabilities. That’s inevitable.
And the bottom of the slide really shows something interesting. I know many of you are using Static Analysis. That’s good and keep using them. But Static Analysis has failed to find the most recent vulnerabilities in third parties. Amnesia, Urgent/11, BlueBorne even the vulnerabilities in the operating system itself. Actually, 50% of vulnerabilities are being left when you use Static Analysis.
So as a hacker, I know a vulnerability exists, right? That’s the most rational, reasonable conclusion that as a hacker I can assume. There is no system without vulnerabilities so when I try to attack a new target, I know I will find something. I have no doubt about it.
This video was aired nine years ago. I’m sure you know about it. It’s from Homeland, and a pacemaker has been hacked. So a lot has been discussed about this video. But nine years has passed and this situation is still frightening, because we didn’t really make any progress. This is from today, the US government declares IoT firmware, a “Single point of failure”. We’ve seen attacks on Schneider Electric devices penetrating the enterprise networks, ATMs, infusion pumps, routers, malwares targeting IoT devices, and more and more.
What progress have we seen in how we secure IoT devices? Have you used any innovative solution lately to tackle these challenges? So when I try and think about how I can penetrate the devices, I can have two targets. Large volume of devices, I want to hack everything. Or, I want to target one specific company, one specific device manufacturer.
If I want to target large volume of devices, I will find and look for vulnerabilities in third parties. Why? Because if I find a vulnerability in a Bluetooth library, I can attack any device using that library of different vendors, different enterprises. But if I’m looking for exploiting one specific vendor’s device, I can look for one vulnerability in that specific device.
Examples of third parties are here, the operating system itself, every component that is shared among the different vendors. That’s something that you should remember when you think about security. Hackers usually don’t care about your code and your device. They care about something big that they can use on various vendors and various situations.
Every third party that you’re using on your device is something that hackers and attackers are targeting more likely than your specific code. Your code is targeted as well. You can see here a few examples of each, Schneider Electric’s, Verkada and so on. But it’s slightly different in terms of volume. And the outcome, you can imagine starting from IP theft to ransomware, to persistent threats, to more and more.
Let’s take even a step deeper into the attack vectors. So I know where hackers are looking for vulnerabilities, but where inside the device? To answer, we broke down the attack vectors of three very different devices – an insulin pump, a smart camera and a router. But what’s interesting to see is that the attack vectors are actually the same. The hacker doesn’t need any industry understanding to look for vulnerabilities in the protocols that those devices are using, even in the code within the chip and modules that you integrate into your device.
Go into the mobile application that communicates with your device or the gateway, or the Bluetooth protocol, and of course vulnerabilities in the application code itself, how you parse packets, incoming and outcoming, how you parse certificates, how do you handle user input. Everything is a potential attack vector, and many of them are shared among different industries. So you can have the exact same device in an exact same vulnerability in a pacemaker and in a baby monitor – they could be the exact same vulnerability with different outcomes.
That leads us to that simple picture describing the situation today. As defenders it feels like we have to block everything to be protected, 100% of the vulnerabilities we have to find to remediate or patch. That’s impossible. But the attackers being Messi, for the point being, only need to score once. You can have 99% of your code perfectly written without any vulnerabilities but Messi only needs one vulnerable point so he can score. This is a problem because it means that we will keep losing.
Let’s take an example of what is an attack, a cyber attack, right? Vulnerabilities, exploitation, everything is words, but let’s take the flow of the attackers. So there is a hacker on the internet, and there is a publicly available stack overflow vulnerability, and I can download the exploitation from the internet. Now I can use this exploitation to actually access and remote exploit the Cisco business class router using this stack overflow vulnerability.
Exploitation means that now I can run malicious code on the router itself. It is under my control, all the information is decrypted because I’m on the device. And I can see everything that’s happening beyond the device. At this point, I can do many things, ransomware, move inside the network, and the enterprise or the manufacturer has limited options. It can react if he identifies that something happened. Then he can try to remediate, to patch, but everything is very passive. And after the damage has already happened.
Let’s take another example of a different story; no publicly available exploit. I’m still a hacker on the internet. I bought the device from eBay, I’m reverse engineering the code, and I’m seeing a stupid mistake, a bug. Heap overflow, use-after-free, command injection, pick one from top 10 OWASP vulnerabilities.
Now I can develop a simple exploitation and basically find those devices on the internet, or behind some kind of an isolation or segmentation. It’s not like a wall and I can’t access it. So in some cases, all I want is just to break the device. So I can, in this example, record the board meeting. This is a real example, by the way, that we come across in our practice.
So we’ve seen several examples. This one is a real-life example, penetration to the access control systems. If you can see at the bottom, they were able to unlock and control the doors, and to supersede the system monitoring protections. So they shut down all of the protections, and were able to control the administrative system accessing all the doors. This vulnerability was used by 20 different OEMs. So 20 different OEMs were vulnerable to the same issue. And this is a real-life example, just from this year.
So what do we do today, or what do you think you can do today? Most of the solutions out there are either reactive imposed by other industries, like we’re trying to copy from other industries and do the same for IoT. An example is patching. Patching is super reactive and costly. Patching devices is a nightmare. Building the patch, releasing the patch, making sure devices receive the patch-all of that cost a lot of money. And it is still reactive; no protection in real-time, no protection against the 0 days, no alert if something happened. So we invest this time, money, and effort, but what do we get from it? And is it enough?
Second is encryption. I sometimes hear people saying, we use encryption, so we are secure. So I have to talk about it a little bit. This quote is from Adi Shamir, the S in RSA, the inventor of RSA. And what it says here is that usually there are much more simpler ways of penetrating security than cracking the crypto. What it means is that I don’t need to break your encryption in order to break the device and then have the decrypted data. I only need a software vulnerability. So encryption is a different layer of security. It’s not holistic. It’s not enough to secure a system.
Lastly, static analysis tools find 50% of vulnerabilities. So when you go to market, what do you do with the rest of the 50%? So in our opinion, we can’t really fight vulnerabilities, we don’t believe in it. We find vulnerabilities in every system that we want-but we can fight exploitations in real-time. And let me explain what that means.
First, what is an exploitation? Exploitation is a piece of software or a sequence of commands that takes advantage of a bug or vulnerability to cause an unintended or unanticipated behavior. Take a look at this carefully; to cause an unintended or unanticipated behavior on the system. If you didn’t cause any unintended behavior you didn’t exploit, nothing happened. Causing an unintended behavior is a must to exploit the system. So what if instead of finding the vulnerability, we’ll just look for unanticipated behaviors and prevent them from happening? Software is deterministic? Why can’t security be deterministic as well?
So let’s even take a slightly more technical example of exploitation. Let’s say you have a buffer overflow. To exploit it, you have to overflow the buffer and corrupt the address for returning or for jumping to, in the memory. This – if you corrupt the address, this is where you can put OxDEADBEEF for a malicious address and cause an unintended behavior.
If you have a buffer overflow, but nobody corrupted the memory address, nothing happened. So if you have a buffer overflow, instead of looking for the buffer overflow, let’s just keep the memory safe, keep the addresses safe, what will happen then?
So what I’m trying to say is that even though every vulnerability is different, and you can have thousands of vulnerabilities, the way of exploiting the vulnerabilities have a unique fingerprint, a shared fingerprint. You have to do some things that are inevitable in order to exploit a bug or to exploit a vulnerability, like causing unintended behavior, co-opting a memory address, injecting a command. So you see where I’m going? Every vulnerability type has a way to exploit it that is general. It has its own fingerprint.
So what if, and this is Sternum patented technology, instead of trying to find vulnerabilities, we will fingerprint the exploitations in real-time, and look for those patterns of overflow in a buffer of injecting a command, of manipulating the execution flow, or the behavior of the software. What if we’ll do that and build into devices long-term security that can stop attacks zero days and one days? They can reduce the amount of patches that we need to do and provide real-time alerts to our customers if there is an incident or unintended behavior, someone is trying to execute it.
Power will flip. The defenders will have a scoring mechanisms while the hackers will try to stop and manipulate and maneuver those different fingerprinting of exploitations to find an exploitation or vulnerability that is not fingerprinted. That is much more difficult. The same example with Sternum or any other endpoint protection (but preferably Sternum!), the attacks will stop at the edge. Nothing will happen, no malicious code will be running, everything is going to be prevented, alerted, and you can behave as you need.
So I have only a few minutes to conclude and summarize. Sternum is bringing industry standards into the IoT space. What I just talked about isn’t our invention. RASP, Runtime Application Self-Protection, EDR, XDR, Zero-Day Protection, they exist for other systems, they exist for native servers, they exist for our applications. And now, they can exist on IoT devices because we overcome the challenges of overhead. So we only use less than 3% of the device resources. We overcome the diversity. So we integrate directly into the firmware using hooking and instrumentation. And it supports all real-time operating systems, Linux, and homegrown.
And basically it brings everything I mentioned to new and legacy devices. So you can start using as you build the devices to elicit more security into the field. Or, on already existing devices in the field to upgrade or even reduce patching cost and support costs that you already have on your existing devices. We’d be happy to show you a real demo of attacks, exploitation simulations and our platform at our booth. Thank you so much for attending.
Peter Spencer: And my name is Peter Spencer, I work for Capgemini. And the question is, is when you say you’re only using 3% of resources, how can you possibly say that given the variety of endpoints?
Natali Tshuva: I don’t see how the variety of endpoints is really a matter because our security mechanisms is relative to the existing code size. And we are adding protections into the code, which reflects in 3% additional CPU usage. So it’s the same for any kind of endpoint, the relative addition CPU cycles that you add when you use our software. Since it’s very measurable opcodes that we are adding, it’s the same percentage overhead for everything, including, by the way, footprint.
Moderator: OK. Well, everybody, please give a very, very, very warm round of applause for Natali Tshuva.
Natali Tshuva: Thank you!