NISTIR 8200: Cybersecurity Standardization for the IoT

The Interagency International Cybersecurity Standardization Working Group (IICS WG) was established in December 2015 by the National Security Council’s Cyber Interagency Policy Committee. Its purpose is to coordinate on major issues in international cybersecurity standardization and thereby enhance U.S. federal agency participation in the process. Effective U.S. Government participation involves coordinating across the federal government and working with the U.S. private sector. The U.S. relies more heavily on the private sector for standards development than do many other countries. Companies and industry groups, academic institutions, professional societies, consumer groups, and other interested parties are major contributors to this process. Further, the many Standards Developing Organizations (SDOs) which provide the infrastructure for the standards development are overwhelmingly private sector organizations. On April 25, 2017, the IICS WG established an Internet of Things (IoT) Task Group to determine the current state of international cybersecurity standards development for IoT. This report is intended for use by the working group member agencies to assist them in their standards planning and to help coordinate U.S. Government participation in international cybersecurity standardization for IoT. Other organizations may also find this document useful in their planning.

https://csrc.nist.gov/publications/detail/nistir/8200/final

https://csrc.nist.gov/News/2018/NIST-Publishes-Interagency-Report-(NISTIR)-8200

Phantom Device Attack: Uncovering the Security Implications of the Interactions among Devices, IoT Cloud, and Mobile Apps

(Submitted on 8 Nov 2018)

Smart home connects tens of home devices into the Internet, running a smart algorithm in the cloud that sends remote commands to the devices. While bringing unprecedented convenience, accessibility, and efficiency, it also introduces safety hazards to users. Prior research studied smart home security from various aspects. However, we found that the complexity of the interactions among the participating entities (device, IoT cloud, and mobile app) has not yet been systematically investigated. In this work, we conducted an in-depth analysis to four widely used smart home solutions. Combining firmware reverse-engineering, network traffic interception, and black-box testing, we distill the general state transitions representing the complex interactions among the three entities. Based on the state machine, we reveal several vulnerabilities that lead to unexpected state transitions. While these minor security flaws appear to be irrelevant, we show that combining them in a surprising way poses serious security or privacy hazards to smart home users. To this end, five concrete attacks are constructed and illustrated. We also discuss the implications of the disclosed attacks in the context of business competition. Finally, we propose some general design suggestions for building a more secure smart home solution.

https://arxiv.org/abs/1811.03241

custom_nvram: Shared Library to intercept nvram get/set/match calls for emulating libnvram.so used by many IoT firmware software

https://github.com/therealsaumil/custom_nvram

NIST: IoT Trust Concerns, now available

Re: https://firmwaresecurity.com/2018/09/19/nist-internet-of-things-iot-trust-concerns/

This draft white paper identifies seventeen technical trust-related issues that may negatively impact the adoption of IoT products and services. The paper offers recommendations for mitigating or reducing the effects of these concerns while also suggesting additional areas of research regarding the subject of “IoT trust.” This document is intended for a general information technology audience, including managers, supervisors, technical staff, and those involved in IoT policy decisions, governance, and procurement. Feedback from reviewers is requested on the seventeen technical concerns that are presented, as well as suggestions for other potential technical concerns that may be missing from the document.

https://csrc.nist.gov/news/2018/IoT-trust-concerns-draft-white-paper-now-available
https://csrc.nist.gov/publications/detail/white-paper/2018/10/17/iot-trust-concerns/draft

https://csrc.nist.gov/CSRC/media/Publications/white-paper/2018/10/17/iot-trust-concerns/draft/documents/iot-trust-concerns-draft.pdf

see-also: https://www.nist.gov/topics/internet-things-iot

NIST: Internet of Things (IoT) Trust Concerns

https://csrc.nist.gov/publications/detail/nistir/8222/draft

https://csrc.nist.gov/publications/detail/nistir/8222/draft

Internet of Things (IoT) Trust Concerns

Date Published: September 2018
Withdrawn: September 18, 2018

Planning Note (9/18/2018):
Draft NISTIR 8222 has been temporarily withdrawn to synchronize with other pending documents on this topic, and to ensure time for stakeholders to review and comment. Once the draft document has been re-posted, the comment period will be extended.

The Internet of Things (IoT) refers to systems that involve computation, sensing, communication, and actuation (as presented in NIST Special Publication (SP) 800-183). IoT involves the connection between humans, non-human physical objects, and cyber objects, enabling monitoring, automation, and decision making. The connection is complex and inherits a core set of trust concerns, most of which have no current resolution This publication identifies 17 technical trust-related concerns for individuals and organizations before and after IoT adoption. The set of concerns discussed here is necessarily incomplete given this rapidly changing industry, however this publication should still leave readers with a broader understanding of the topic. This set was derived from the six trustworthiness elements in NIST SP 800-183. And when possible, this publication outlines recommendations for how to mitigate or reduce the effects of these IoT concerns. It also recommends new areas of IoT research and study. This publication is intended for a general information technology audience including managers, supervisors, technical staff, and those involved in IoT policy decisions, governance, and procurement.

NIST Considerations for Managing IoT Cybersecurity and Privacy Risks Workshop, video uploaded

https://www.nist.gov/news-events/events/2018/07/considerations-managing-iot-cybersecurity-and-privacy-risks-workshop

https://www.nist.gov/sites/default/files/documents/2018/07/11/iot_risk_workshop_agenda.pdf

 

NIST’s Cybersecurity for IoT Program supports the development and application of standards, guidelines, and related tools to improve the cybersecurity of connected devices and the environments in which they are deployed. By collaborating with stakeholders across government, industry, international bodies and academia, the program aims to cultivate trust and foster an environment that enables innovation on a global scale. This workshop will help the program through the development of the Cybersecurity for IoT Program and Privacy Engineering Program’s publication on an introduction to managing IoT cybersecurity and privacy risk for federal systems. This will include work to date identifying typical differences in cybersecurity and privacy risk for IoT systems versus traditional IT systems, considerations for selecting and using technical controls to mitigate IoT cybersecurity and privacy risk, and basic cybersecurity and privacy controls for manufacturers to consider providing in their IoT products. A pre-read document has been posted to help guide conversation.

FBI: Cyber Actors Use IoT Devices as Proxies for Malicious Cyber Activities

Reboot your IoT Devices regularly!

https://www.ic3.gov/media/2018/180802.aspx

https://www.ic3.gov/media/2017/171017-1.aspx

“Reboot devices regularly, as most malware is stored in memory and removed upon a device reboot. It is important to do this regularly as many actors compete for the same pool of devices and use automated scripts to identify vulnerabilities and infect devices.”

https://www.us-cert.gov/ncas/tips/ST17-001

https://www.us-cert.gov/ncas/current-activity/2018/08/02/FBI-Releases-Article-Securing-Internet-Things

https://www.us-cert.gov/ncas/tips/ST17-001

 

 

Microsoft announces the public preview of Windows 10 IoT Core Services

https://blogs.windows.com/windowsexperience/2018/07/18/microsoft-announces-the-public-preview-of-windows-iot-core-services-today/

https://docs.microsoft.com/en-gb/windows/iot-core/commercialize-your-device/iotcoreservicesoverview

IEEE: 6 Reasons Why IoT Security Is Terrible

The Internet of Things bears little resemblance to traditional IT systems—and that makes it harder to protect
By Stacey Higginbotham

Connecting physical infrastructure to the Internet makes systems vulnerable to new security threats. What keeps executives awake at night varies by industry, but cybersecurity problems are worsening everywhere. Security officers in manufacturing worry about employees inserting infected USB drives into machines, while hospital administrators fear that malware will wipe out an unpatched MRI machine, or that a hacker will direct an infusion pump to administer a lethal dose of medicine. Josh Corman, chief security officer at PTC, a computer software firm based in Massachusetts, has codified six reasons why security for the Internet of Things (IoT) is different from—and more difficult to tackle than—traditional IT security.[…]

https://spectrum.ieee.org/telecom/security/6-reasons-why-iot-security-is-terrible

Expliot: IoT Exploitation Framework (pronounced – expl-aa-yo-tee)

Expliot (Pronounced – expl-aa-yo-tee)

Internet Of Things Exploitation Framework

Expliot is a framework for security testing IoT and IoT infrastructure. It provides a set of plugins (test cases) and can be extended easily to create new plugins. The name expliot is a pun on exploit and explains the purpose of the framework i.e. IoT exploitation. It is developed in python3[…]

https://gitlab.com/expliot_framework/expliot

 

list of IoT/embedded OS firmware tools

I mostly focus on Platform Firmware, UEFI, ACPI, etc. I usually don’t focus too much on IoT/embedded OS firmware, even though I blog about them. But there’s a lot of tools for the latter, and I’ve not yet added a section for them in Awesome Firmware Security[1]. And I have 2 friends who need such a list. Below is first pass at searching old blog posts for tools. Will refine and add to Awesome Firmware Security later. Please leave a Comment to point out any other major tools of this category that I’ve missed.

https://firmwaresecurity.com/2015/08/07/new-firmware-tool-angr/
https://firmwaresecurity.com/2015/09/29/firmware-re/
https://firmwaresecurity.com/2015/11/13/firmware-re-2/
https://firmwaresecurity.com/2016/02/04/fmk-qemu-firmware-analysis-video-tutorial/
https://firmwaresecurity.com/2016/02/18/firmwalker-and-firmdump/
https://firmwaresecurity.com/2016/02/28/firmadyne-automated-analysis-of-linux-embedded-firmware/
https://firmwaresecurity.com/2016/04/25/routersploit/
https://firmwaresecurity.com/2016/08/25/firminator/ Hmm, it looks like the domain firminator.io is no longer valid.
https://firmwaresecurity.com/2016/09/16/senrios-iot-firmware-security-checklist/
https://firmwaresecurity.com/2017/02/12/firmwalker/
https://firmwaresecurity.com/2017/04/08/tactical-network-solutions-unveils-firmware-evaluation-services/
https://firmwaresecurity.com/2017/04/24/fie/
https://firmwaresecurity.com/2017/08/08/insignary-launches-truthisinthebinary-com-service-for-oems/
https://firmwaresecurity.com/2017/09/03/attifys-firmware-analysis-toolkit-and-attifyos-vm/
https://firmwaresecurity.com/2017/10/30/refirm-labs-iot-firmware-security-startup/
https://firmwaresecurity.com/2017/11/15/refirm-labs-gets-1-5mil-in-funding-launches-centrifuge-platform/
https://firmwaresecurity.com/2017/12/09/trommel-analyzes-embedded-devices-for-vulnerabilities/
https://firmwaresecurity.com/2018/02/12/fact-firmware-analysis-and-comparison-tool/

[1] https://github.com/PreOS-Security/awesome-firmware-security/blob/master/README.md

DMTF Redfish and PCIMG form alliance for Industrial IoT standards

DMTF and PICMG Form Alliance

DMTF and the PCI Industrial Computer Manufacturer Group (PICMG) have formed an alliance to help ensure the two organizations’ standards are coordinated and aligned in the Industrial Internet of Things (IIoT) domain.

https://www.dmtf.org/sites/default/files/PICMG_Work_Register_v1.0.pdf

https://www.picmg.org/https://dmtf.org/

Expect to see Redfish listed as 10th entry here shortly, I am guessing:

https://www.picmg.org/openstandards/

 

SOF Project and Project ACRN

https://www.phoronix.com/scan.php?page=news_item&px=Sound-Open-Firmware

https://01.org/blogs/2018/introducing-acrn-and-sound-open-firmware

https://www.sofproject.org/

SOFProject: Sound Open Firmware is an open source audio DSP firmware and SDK that provides audio firmware infrastructure and development tools for developers who are interested in audio or signal processing on modern DSPs

ACRN:  a flexible, lightweight reference hypervisor, built with real-time and safety-criticality in mind, optimized to streamline embedded development through an open source platform

https://projectacrn.org/

IOTA crypto issues

http://iota.org/
https://github.com/IOTAledger
https://en.wikipedia.org/wiki/IOTA_(cryptocurrency)
https://blog.iota.org/official-statement-regarding-the-mit-dci-email-leaks-ea3cacd6699a
https://blog.iota.org/iota-foundation-hires-cybercrypt-615d2df79001

“IOTA is a public distributed ledger and data transfer layer that allows transactional settlement for the Internet of Things. IOTA utilizes the Tangle, a data structure based on a Directed Acyclic Graph (DAG).”

https://spectrum.ieee.org/tech-talk/computing/networks/cryptographers-urge-users-and-researchers-to-abandon-iota-after-leaked-emails

https://github.com/mit-dci/tangled-curl/blob/master/vuln-iota.md

View story at Medium.com

IETF draft-irtf-t2trg-iot-seccons: State-of-the-Art and Challenges for the IoT Security

State-of-the-Art and Challenges for the Internet of Things Security

The Internet of Things (IoT) concept refers to the usage of standard Internet protocols to allow for human-to-thing and thing-to-thing communication. The security needs for IoT systems are well-recognized and many standardization steps to provide security have been taken, for example, the specification of Constrained Application Protocol (CoAP) secured with Datagram Transport Layer Security (DTLS). However, security challenges still exist, not only because there are some use cases that lack a suitable solution, but also because many IoT devices and systems have been designed and deployed with very limited security capabilities. In this document, we first discuss the various stages in the lifecycle of a thing. Next, we document the security threats to a thing and the challenges that one might face to protect against these threats. Lastly, we discuss the next steps needed to facilitate the deployment of secure IoT systems. This document can be used by IoT standards specifications as a reference for details about security considerations applying to the specified protocol.

https://tools.ietf.org/html/draft-irtf-t2trg-iot-seccons-10

US-CERT ST17-001: Securing the IoT

Security Tip (ST17-001):  Securing the Internet of Things
The Internet of Things is becoming an important part of everyday life. Being aware of the associated risks is a key part of keeping your information and devices secure. The Internet of Things refers to any object or device that sends and receives data automatically through the Internet. This rapidly expanding set of “things” includes tags (also known as labels or chips that automatically track objects), sensors, and devices that interact with people and share information machine to machine.[…]

https://www.us-cert.gov/ncas/tips/ST17-001