By: Debrup Ghosh, Senior Product Manager, Synopsys Software Integrity Group
IoT devices are ubiquitous in our daily lives, whether at home with connected home automation devices, or at work with connected factories, hospitals, and even connected cars. According to Gartner, there were over 20 billion IoT devices in 2020. As businesses around the world have spent the past decade transforming their processes with embedded, IoT-driven intelligence, these billions of connected devices have also become a soft target for cyber criminals. Nokia's Threat Intelligence Lab reported in 2020 that IoT devices were responsible for 32.72% of all infections observed in mobile and Wi-Fi networks, up from 16.17% in 2019.
Key drivers for attacks on the IoT
With millions of exposed endpoints, cyber criminals not only leverage compromised devices to launch distributed denial of service (DDoS) attacks; those same devices also present a sustained national security threat. It is no surprise that the FBI has taken notice and continues to publish guidance on securing IoT devices against criminals who target the unsecured ones. We have consistently noted that inadequate built-in security capabilities, the absence of timely vulnerability patching, and a lack of consumer awareness are the key drivers behind repeated attacks on IoT devices.
How penetration testing can help
The Center for Internet Security, Inc. (CIS) publishes recommended best practices for securing IT systems and data. For large organisations it is key to implement the organisational CIS Controls, which focus on people and processes, and to drive change by executing an integrated plan that improves the organisation's risk posture. CIS Control 20, Penetration Tests and Red Team Exercises, is a well-defined way to validate those organisational controls. These exercises allow security experts to find vulnerabilities and assess the overall strength of an organisation's defences by simulating the actions of an attacker. Attackers often target weaknesses introduced at deployment, such as misconfigurations, weak policy management, and gaps in how multiple threat detection tools interact, to find a way in.
First, IoT devices expose several types of interfaces: web-based management interfaces for consumers, and machine-to-machine interfaces such as those found in control systems. Every such interface accepts attacker-controlled input, so missing input validation, command injection, and code injection should be a primary focus of IoT penetration testing.
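The command-injection case above, as an added example that is not code from the original article or from any Synopsys product: a constructed C fragment modelled on a typical router diagnostic page whose "ping" form field ends up in a shell command. `unsafe_ping_cmd` shows what a tester's payload turns into when the field is concatenated into a command line; `validate_host` and `ping_host_safe` are hypothetical names for the hardened version, which allowlists the host syntax (and rejects a leading `-` so an attacker cannot smuggle in a ping option) and then executes ping through an argv array with no shell involved.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define HOST_MAX 253  /* longest valid DNS name */

/* VULNERABLE pattern: the hostname from the web form is pasted straight into
 * a shell command line. The returned string is what would be handed to
 * system(); a payload such as "10.0.0.1; cat /etc/shadow" becomes a second
 * command run with the web server's privileges (often root on IoT devices). */
const char *unsafe_ping_cmd(const char *host) {
    static char cmd[512];
    snprintf(cmd, sizeof cmd, "ping -c 1 %s", host);
    return cmd;
}

/* HARDENED input validation (hypothetical helper): allowlist only characters
 * that can appear in an IPv4/IPv6 address or hostname. Shell metacharacters
 * (';', '|', '&', '$', '`', quotes, whitespace, newlines) are rejected rather
 * than escaped, and a leading '-' is refused to block option injection. */
bool validate_host(const char *host) {
    size_t n = strlen(host);
    if (n == 0 || n > HOST_MAX) return false;
    if (host[0] == '-') return false;  /* e.g. "-f" would flood-ping */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':')) return false;
    }
    return true;
}

/* HARDENED execution (hypothetical helper): no shell at all. The validated
 * host is passed as a single argv element, so even a character that slipped
 * through the allowlist could not terminate the command or start another.
 * Returns ping's exit status, or -1 if the host was rejected or the child
 * could not be started. */
int ping_host_safe(const char *host) {
    if (!validate_host(host)) return -1;
    char *const argv[] = {"ping", "-c", "1", (char *)host, NULL};
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);  /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed attacker input, as a pentester would submit it in the
     * "host" field of the diagnostic page. */
    const char *evil = "10.0.0.1; cat /etc/shadow";
    printf("shell would run: %s\n", unsafe_ping_cmd(evil));
    printf("validate_host(\"%s\") = %d\n", evil, validate_host(evil));
    printf("validate_host(\"10.0.0.1\") = %d\n", validate_host("10.0.0.1"));
    printf("validate_host(\"-f\") = %d\n", validate_host("-f"));
    return 0;
}
```

When testing a real device, the unsafe builder is the pattern to look for in decompiled CGI handlers: any `system()`, `popen()` or `sh -c` whose argument is built from a request parameter. The fix has two independent parts, and a tester should check for both, because allowlisting alone still leaves option injection if the value can start with `-`, and dropping the shell alone still leaves an attacker free to pick any host the device can reach.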
Second, the network infrastructure interconnecting IoT objects is often vulnerable, and when many IoT devices share a single network, an attacker needs only one successful exploit against one device to gain a foothold on all of them. It is important to combine automated tools with manual penetration testing methods to perform specialised testing of the network infrastructure, the cryptographic schemes in use, and the communication protocols.
Finally, it is critical to scan the proprietary programs that make up the system architecture. According to the sixth "Open Source Security and Risk Analysis" (OSSRA) report produced by Synopsys, 84% of proprietary codebases contain at least one open source vulnerability. That reflects immense heterogeneity and complexity in IoT codebases, so experienced penetration testers should use grey box testing, in which the tester has partial knowledge of the internals such as the firmware image or the list of open source components, to get good coverage across the test types a comprehensive penetration test requires.
Build a stronger security defence posture
It is key to build a comprehensive security defence posture with governance as code, policy management, and coaching of team members, so that the entire software development life cycle (SDLC) is secured. As software releases become more frequent and more complex, penetration testing gives security professionals a repeatable process to periodically test their defences, identify gaps, and drive remediation with the product development teams. By conducting penetration testing that covers diverse attack vectors such as wireless, client-based, and web application attacks, organisations gain deeper insight into the business risk posed by each class of vulnerability, enabling them to configure a defence posture suited to their ecosystem.