Recently, California Governor Jerry Brown approved a bill meant to secure Internet of Things (IoT) devices and protect end-users and consumers. The Senate Bill No. 327, beginning on January 1, 2020, outlines the following:
“(a) A manufacturer of a connected device shall equip the device with a reasonable security feature or features that are all of the following:
(1) Appropriate to the nature and function of the device.
(2) Appropriate to the information it may collect, contain, or transmit.
(3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
(b) Subject to all of the requirements of subdivision (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:
(1) The preprogrammed password is unique to each device manufactured.
(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.”
Breaking this down and interpreting all of this in a CIA (Confidentiality, Integrity, and Availability) context:
- Security features should be employed that protect the data the device collects, contains, or transmits. This implies both data-at-rest and data-in-motion, and thus encryption-at-rest and encryption-in-motion.
- Additional security features should protect the device from unauthorized access, destruction, use, modification or disclosure. Our interpretation of this is that all accounts should have a strong password (and no defaults), and that unnecessary services that could create low hanging fruit for an attacker should be disabled (e.g. clear-text HTTP access via port 80, telnet, FTP, etc.). Additionally, integrity checking and logging should inform the owner of modification (e.g. a virus or malware).
- A preprogrammed password unique to each device manufactured is obviously included to ensure there is no common default password for the device that could be exploited through local wireless access, Internet-based attacks, or malware infestation.
- And forcing the user to change the password upon first use of the device.
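As an added illustration (not part of the bill or of the original post), the following hypothetical first-boot credential gate models both paths of subdivision (b): each unit is provisioned with its own CSPRNG-generated factory password rather than a shared default, and that password only ever unlocks the "set a new credential" step, never the device itself, until the owner has replaced it. The `Device` record, the PBKDF2 parameters and the 12-character minimum are assumptions chosen for the example.

```python
"""Hypothetical first-use credential gate modelling SB-327 subsection (b).

Example code, not any vendor's firmware: (b)(1) is met by a random
per-device factory password; (b)(2) by refusing all access until the owner
has replaced it with a credential that passes a minimal policy.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Device:
    serial: str
    factory_password: str          # unique per unit, e.g. printed on the label
    salt: bytes = b""
    user_hash: bytes = b""         # empty until the owner sets a credential


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 parameters are an assumption for the example, not a recommendation.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def provision(serial: str) -> Device:
    # Random per device and not derived from serial/MAC, so no common default.
    return Device(serial=serial, factory_password=secrets.token_urlsafe(12))


def authenticate(dev: Device, password: str) -> str:
    """Return 'granted', 'setup_only' or 'denied'."""
    if not dev.user_hash:
        # Before first use the factory password unlocks only the setup step.
        ok = hmac.compare_digest(password.encode(), dev.factory_password.encode())
        return "setup_only" if ok else "denied"
    # Once a user credential exists, only that credential grants access;
    # the factory password is rejected because set_credential forbids reusing it.
    ok = hmac.compare_digest(_hash(password, dev.salt), dev.user_hash)
    return "granted" if ok else "denied"


def set_credential(dev: Device, current: str, new: str) -> bool:
    """Owner replaces the credential; refuses weak, factory or serial values."""
    if authenticate(dev, current) == "denied":
        return False
    if len(new) < 12 or new in (dev.factory_password, dev.serial):
        return False
    dev.salt = secrets.token_bytes(16)
    dev.user_hash = _hash(new, dev.salt)
    return True
```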
In the context of your organization, you may have IoT and/or IIoT deployed such as SmartTVs, surveillance cameras, motion sensors, and other IoT devices and networks. But you may also have Shadow IoT in your building, such as wireless SD cards, wireless thumb drives, a recent HVAC upgrade that included new WiFi-enabled thermostats, IoT-enabled appliances in the employee kitchen, etc. Our recent threat report outlines many of these risks, which are key to ensuring the security stance of your organization and company’s network.
- Discover all of your IoT assets, both known and unknown (Shadow IoT).
- Assess the security posture of those devices.
  - This includes their wireless connectivity to the WLAN, IoT hub (Z-Wave, Zigbee, etc.), and between one another (Machine-to-Machine) to ensure these devices are employing encryption and authentication controls.
  - The same goes for Shadow IoT, as these devices are an extension of your network, whether connected to the network or autonomous.
- Monitor for risks and threats that could lead to data exfiltration or a breach. Examples of this include:
  - Wireless printers connected to the wired network whose wireless configuration remains unconfigured and still in “SETUP” mode
  - Newly deployed facilities controls such as wireless surveillance cameras or new IoT-enabled thermostats
  - Wireless SD cards and wireless thumb drives used with employee laptops that allow out-of-band wireless access to the storage device
- Protect against IoT attacks with Air Isolation and Deceptive Networking.
  - Deceptive networking can provide low hanging fruit to an attacker; once lured into the deceptive network, one can gain intel on the adversary as well as an early warning alert that an adversary is nearby.
  - Air Isolation allows wireless connections to be terminated over the air, either automatically or manually, to knock the adversary off a wireless network.
Regarding the new bill, Bruce Schneier stated it best: “It probably doesn’t go far enough — but that’s no reason not to pass it.” We need to start somewhere, and this is a good first step in the right direction that directs manufacturers to take responsibility for including fundamental security controls in the devices they’re selling to consumers and companies. Getting there will be a herculean task, as the IoT market is incredibly fragmented across manufacturers and the global supply chain. In addition, with the plethora of operating systems, protocols, and frequencies used by IoT devices, protecting devices across this broad wireless threat landscape is no easy task.
The best approach is to begin fortifying your company’s IoT strategy by addressing both IoT and Shadow IoT risks through discovery. 95% of IoT is wireless, therefore visibility can begin with our AirShield sensor, which provides visibility into all of your IoT and IIoT assets, something that simply is not fully visible from your wired network or WLAN infrastructure. This broader view with AirShield will give you a far more comprehensive view into all of your IoT, including Shadow IoT. The following link outlines threats we see systemically across our entire customer base: https://loch.io/iot-cloud-security-report-2017/.
For more insights, check out our presentation at RSA on IoT Data Exfiltration.
And remember, you can’t protect what you can’t see…