NIST: IoT Trust Concerns, now available

Re: https://firmwaresecurity.com/2018/09/19/nist-internet-of-things-iot-trust-concerns/

This draft white paper identifies seventeen technical trust-related issues that may negatively impact the adoption of IoT products and services. The paper offers recommendations for mitigating or reducing the effects of these concerns while also suggesting additional areas of research regarding the subject of “IoT trust.” This document is intended for a general information technology audience, including managers, supervisors, technical staff, and those involved in IoT policy decisions, governance, and procurement. Feedback from reviewers is requested on the seventeen technical concerns that are presented, as well as suggestions for other potential technical concerns that may be missing from the document.

https://csrc.nist.gov/news/2018/IoT-trust-concerns-draft-white-paper-now-available
https://csrc.nist.gov/publications/detail/white-paper/2018/10/17/iot-trust-concerns/draft

https://csrc.nist.gov/CSRC/media/Publications/white-paper/2018/10/17/iot-trust-concerns/draft/documents/iot-trust-concerns-draft.pdf

see-also: https://www.nist.gov/topics/internet-things-iot

NIST: Internet of Things (IoT) Trust Concerns

https://csrc.nist.gov/publications/detail/nistir/8222/draft

Internet of Things (IoT) Trust Concerns

Date Published: September 2018
Withdrawn: September 18, 2018

Planning Note (9/18/2018):
Draft NISTIR 8222 has been temporarily withdrawn to synchronize with other pending documents on this topic, and to ensure time for stakeholders to review and comment. Once the draft document has been re-posted, the comment period will be extended.

The Internet of Things (IoT) refers to systems that involve computation, sensing, communication, and actuation (as presented in NIST Special Publication (SP) 800-183). IoT involves the connection between humans, non-human physical objects, and cyber objects, enabling monitoring, automation, and decision making. The connection is complex and inherits a core set of trust concerns, most of which have no current resolution. This publication identifies 17 technical trust-related concerns for individuals and organizations before and after IoT adoption. The set of concerns discussed here is necessarily incomplete given this rapidly changing industry, however this publication should still leave readers with a broader understanding of the topic. This set was derived from the six trustworthiness elements in NIST SP 800-183. And when possible, this publication outlines recommendations for how to mitigate or reduce the effects of these IoT concerns. It also recommends new areas of IoT research and study. This publication is intended for a general information technology audience including managers, supervisors, technical staff, and those involved in IoT policy decisions, governance, and procurement.

NIST Considerations for Managing IoT Cybersecurity and Privacy Risks Workshop, video uploaded

https://www.nist.gov/news-events/events/2018/07/considerations-managing-iot-cybersecurity-and-privacy-risks-workshop

https://www.nist.gov/sites/default/files/documents/2018/07/11/iot_risk_workshop_agenda.pdf

 

NIST’s Cybersecurity for IoT Program supports the development and application of standards, guidelines, and related tools to improve the cybersecurity of connected devices and the environments in which they are deployed. By collaborating with stakeholders across government, industry, international bodies and academia, the program aims to cultivate trust and foster an environment that enables innovation on a global scale. This workshop will help the program through the development of the Cybersecurity for IoT Program and Privacy Engineering Program’s publication on an introduction to managing IoT cybersecurity and privacy risk for federal systems. This will include work to date identifying typical differences in cybersecurity and privacy risk for IoT systems versus traditional IT systems, considerations for selecting and using technical controls to mitigate IoT cybersecurity and privacy risk, and basic cybersecurity and privacy controls for manufacturers to consider providing in their IoT products. A pre-read document has been posted to help guide conversation.

FBI: Cyber Actors Use IoT Devices as Proxies for Malicious Cyber Activities

Reboot your IoT Devices regularly!

https://www.ic3.gov/media/2018/180802.aspx

https://www.ic3.gov/media/2017/171017-1.aspx

“Reboot devices regularly, as most malware is stored in memory and removed upon a device reboot. It is important to do this regularly as many actors compete for the same pool of devices and use automated scripts to identify vulnerabilities and infect devices.”

https://www.us-cert.gov/ncas/tips/ST17-001

https://www.us-cert.gov/ncas/current-activity/2018/08/02/FBI-Releases-Article-Securing-Internet-Things


Microsoft announces the public preview of Windows 10 IoT Core Services

https://blogs.windows.com/windowsexperience/2018/07/18/microsoft-announces-the-public-preview-of-windows-iot-core-services-today/

https://docs.microsoft.com/en-gb/windows/iot-core/commercialize-your-device/iotcoreservicesoverview

IEEE: 6 Reasons Why IoT Security Is Terrible

The Internet of Things bears little resemblance to traditional IT systems—and that makes it harder to protect
By Stacey Higginbotham

Connecting physical infrastructure to the Internet makes systems vulnerable to new security threats. What keeps executives awake at night varies by industry, but cybersecurity problems are worsening everywhere. Security officers in manufacturing worry about employees inserting infected USB drives into machines, while hospital administrators fear that malware will wipe out an unpatched MRI machine, or that a hacker will direct an infusion pump to administer a lethal dose of medicine. Josh Corman, chief security officer at PTC, a computer software firm based in Massachusetts, has codified six reasons why security for the Internet of Things (IoT) is different from—and more difficult to tackle than—traditional IT security.[…]

https://spectrum.ieee.org/telecom/security/6-reasons-why-iot-security-is-terrible

Expliot: IoT Exploitation Framework (pronounced – expl-aa-yo-tee)

Expliot (Pronounced – expl-aa-yo-tee)

Internet Of Things Exploitation Framework

Expliot is a framework for security testing IoT and IoT infrastructure. It provides a set of plugins (test cases) and can be extended easily to create new plugins. The name expliot is a pun on exploit and explains the purpose of the framework i.e. IoT exploitation. It is developed in python3[…]

https://gitlab.com/expliot_framework/expliot

 

list of IoT/embedded OS firmware tools

I mostly focus on Platform Firmware, UEFI, ACPI, etc. I usually don’t focus too much on IoT/embedded OS firmware, even though I blog about them. But there’s a lot of tools for the latter, and I’ve not yet added a section for them in Awesome Firmware Security[1]. And I have 2 friends who need such a list. Below is a first pass at searching old blog posts for tools. Will refine and add to Awesome Firmware Security later. Please leave a Comment to point out any other major tools of this category that I’ve missed.

https://firmwaresecurity.com/2015/08/07/new-firmware-tool-angr/
https://firmwaresecurity.com/2015/09/29/firmware-re/
https://firmwaresecurity.com/2015/11/13/firmware-re-2/
https://firmwaresecurity.com/2016/02/04/fmk-qemu-firmware-analysis-video-tutorial/
https://firmwaresecurity.com/2016/02/18/firmwalker-and-firmdump/
https://firmwaresecurity.com/2016/02/28/firmadyne-automated-analysis-of-linux-embedded-firmware/
https://firmwaresecurity.com/2016/04/25/routersploit/
https://firmwaresecurity.com/2016/08/25/firminator/ Hmm, it looks like the domain firminator.io is no longer valid.
https://firmwaresecurity.com/2016/09/16/senrios-iot-firmware-security-checklist/
https://firmwaresecurity.com/2017/02/12/firmwalker/
https://firmwaresecurity.com/2017/04/08/tactical-network-solutions-unveils-firmware-evaluation-services/
https://firmwaresecurity.com/2017/04/24/fie/
https://firmwaresecurity.com/2017/08/08/insignary-launches-truthisinthebinary-com-service-for-oems/
https://firmwaresecurity.com/2017/09/03/attifys-firmware-analysis-toolkit-and-attifyos-vm/
https://firmwaresecurity.com/2017/10/30/refirm-labs-iot-firmware-security-startup/
https://firmwaresecurity.com/2017/11/15/refirm-labs-gets-1-5mil-in-funding-launches-centrifuge-platform/
https://firmwaresecurity.com/2017/12/09/trommel-analyzes-embedded-devices-for-vulnerabilities/
https://firmwaresecurity.com/2018/02/12/fact-firmware-analysis-and-comparison-tool/

[1] https://github.com/PreOS-Security/awesome-firmware-security/blob/master/README.md

DMTF Redfish and PICMG form alliance for Industrial IoT standards

DMTF and PICMG Form Alliance

DMTF and the PCI Industrial Computer Manufacturer Group (PICMG) have formed an alliance to help ensure the two organizations’ standards are coordinated and aligned in the Industrial Internet of Things (IIoT) domain.

https://www.dmtf.org/sites/default/files/PICMG_Work_Register_v1.0.pdf

https://www.picmg.org/
https://dmtf.org/

Expect to see Redfish listed as 10th entry here shortly, I am guessing:

https://www.picmg.org/openstandards/

 

SOF Project and Project ACRN

https://www.phoronix.com/scan.php?page=news_item&px=Sound-Open-Firmware

https://01.org/blogs/2018/introducing-acrn-and-sound-open-firmware

https://www.sofproject.org/

SOFProject: Sound Open Firmware is an open source audio DSP firmware and SDK that provides audio firmware infrastructure and development tools for developers who are interested in audio or signal processing on modern DSPs

ACRN:  a flexible, lightweight reference hypervisor, built with real-time and safety-criticality in mind, optimized to streamline embedded development through an open source platform

https://projectacrn.org/

IOTA crypto issues

http://iota.org/
https://github.com/IOTAledger
https://en.wikipedia.org/wiki/IOTA_(cryptocurrency)
https://blog.iota.org/official-statement-regarding-the-mit-dci-email-leaks-ea3cacd6699a
https://blog.iota.org/iota-foundation-hires-cybercrypt-615d2df79001

“IOTA is a public distributed ledger and data transfer layer that allows transactional settlement for the Internet of Things. IOTA utilizes the Tangle, a data structure based on a Directed Acyclic Graph (DAG).”

https://spectrum.ieee.org/tech-talk/computing/networks/cryptographers-urge-users-and-researchers-to-abandon-iota-after-leaked-emails

https://github.com/mit-dci/tangled-curl/blob/master/vuln-iota.md


IETF draft-irtf-t2trg-iot-seccons: State-of-the-Art and Challenges for the IoT Security

State-of-the-Art and Challenges for the Internet of Things Security

The Internet of Things (IoT) concept refers to the usage of standard Internet protocols to allow for human-to-thing and thing-to-thing communication. The security needs for IoT systems are well-recognized and many standardization steps to provide security have been taken, for example, the specification of Constrained Application Protocol (CoAP) secured with Datagram Transport Layer Security (DTLS). However, security challenges still exist, not only because there are some use cases that lack a suitable solution, but also because many IoT devices and systems have been designed and deployed with very limited security capabilities. In this document, we first discuss the various stages in the lifecycle of a thing. Next, we document the security threats to a thing and the challenges that one might face to protect against these threats. Lastly, we discuss the next steps needed to facilitate the deployment of secure IoT systems. This document can be used by IoT standards specifications as a reference for details about security considerations applying to the specified protocol.

https://tools.ietf.org/html/draft-irtf-t2trg-iot-seccons-10

US-CERT ST17-001: Securing the IoT

Security Tip (ST17-001):  Securing the Internet of Things
The Internet of Things is becoming an important part of everyday life. Being aware of the associated risks is a key part of keeping your information and devices secure. The Internet of Things refers to any object or device that sends and receives data automatically through the Internet. This rapidly expanding set of “things” includes tags (also known as labels or chips that automatically track objects), sensors, and devices that interact with people and share information machine to machine.[…]

https://www.us-cert.gov/ncas/tips/ST17-001

Attify’s Firmware Analysis Toolkit and AttifyOS VM

Attify has a Firmware Analysis Toolkit (FAT). Apparently they include a pre-built version of it in their AttifyOS VM, and use it in their IoT training:

Firmware Analysis Toolkit: FAT is a toolkit built in order to help security researchers analyze and identify vulnerabilities in IoT and embedded device firmware. This is built in order to use for the “Offensive IoT Exploitation” training conducted by Attify. As of now, it is simply a script to automate Firmadyne which is a tool used for firmware emulation. In case of any issues with the actual emulation, please post your issues in the firmadyne issues.

Attify OS – Distro for pentesting IoT devices: Instead of spending time installing, configuring and setting up various tools required for IoT pentesting, here is a pre-made distro for you containing the tools that would come handy during any Internet of Things Security Assessment or Penetration testing.

From training site:
Firmware analysis: IoT devices and embedded systems run on firmware, which often hold a lot of secrets and sensitive information. This module will help you analyze and extract firmware, thus helping you identify vulnerabilities in the firmware for IoT devices. We will also look at firmware emulation using FAT, a custom tool built by Attify with which you can emulate firmware and perform all sorts of “non-hardware” based attacks. The tool is fully scriptable and hence can be modified and used according to your preference. You also get access to the API, which will allow you to use the tool for your own further research.

https://github.com/attify/firmware-analysis-toolkit
http://tinyurl.com/attifyos
https://www.attify.com/
http://offensiveiotexploitation.com/
https://github.com/adi0x90/attifyos (unsure if this is official or not)

 

NXP: designing IoT devices with secure boot

NXP has a webinar for IoT makers, talking about secure booting. ‘Webinar’ scared me, but there’s no registration required. 🙂

Watch this on-demand presentation to learn how to:
* Manage the life cycle of an IoT edge node from development to deployment.
* Leverage hardware and software offerings available with the Kinetis MCU portfolio that can help you protect against attacks.
* Ease the burden of secure IoT edge node development using new processors and architectures from ARM.

https://community.arm.com/processors/trustzone-for-armv8-m/b/blog/posts/designing-secure-iot-devices-starts-with-a-secure-boot

http://www.nxp.com/video/designing-secure-iot-devices-starts-with-a-secure-boot:DESIGNING-SECURE-IOT-DEVICES

slides: https://www.nxp.com/docs/en/supporting-information/Designing-Secure-IoT-Devices-Starts-with-a-Secure-Boot.pdf

http://www.nxp.com/docs/en/supporting-information/Designing-Secure-IoT-Devices-Starts-with-a-Secure-Boot.pdf