Security has been a huge concern with Internet of Things devices, with connected devices turning up in botnets and having rather concerning security vulnerabilities. Terry Dunlap, founder and CEO of Tactical Network Solutions, helps businesses and developers ensure their systems are built securely. He was kind enough to share some of his thoughts and advice for securing the IoT.

Image: Terry Dunlap, with an overlay of the Mirai botnet and a Linux password screen (caption: a man who definitely knows a thing or two about security!).

Right now, Terry defines security in the IoT as “dismal”. Not the best situation to have with devices that are in some of the most sensitive parts of your home (often with very crucial roles such as locking your door or securely watching your home!).

“In fact, there is no security within IoT at this stage. The vast majority of IoT devices have not been built with security in mind” — Terry Dunlap

When it comes to security, Terry definitely knows his stuff. His company, Tactical Network Solutions, is made up of former US National Security Agency cyber operators who specialise in reverse engineering firmware to find security vulnerabilities. They teach their Fortune 500 clients how a state-sponsored attacker can target and exploit their devices, with the hope that the clients take the knowledge back to their development teams and implement more secure coding practices “to thwart people like us and other foreign adversaries”. After all, the people who exploit these vulnerabilities know more about them than anyone, and Terry and his team are those people: “Many of our clients are in the intelligence community and military. So we teach them how to weaponize these vulnerabilities.”

Terry points to examples such as the Mirai botnet, in which a whole range of infected connected devices (CCTV cameras, DVRs and routers) have been repeatedly used for malicious purposes. One of the worst of these was the attack on DNS provider Dyn which took down sites worldwide including Amazon, Airbnb, GitHub, Heroku, Netflix, PayPal, Pinterest, Tumblr, Twitter and more. On the attack, Terry says, “That is THE worst attack we’ve seen to date. And it was so easily preventable.” Just read how easy these attacks would have been to prevent:

“Mirai then identifies vulnerable IoT devices using a table of more than 60 common factory default usernames and passwords, and logs into them to infect them with the Mirai malware.” — Wikipedia

All it took would have been changing the default username and password on each device when setting it up. That’s all. As Terry puts it, “Read that again… default usernames and passwords. That’s not even a coding mistake! That is lazy people making a choice. A choice not to change the default usernames and passwords on their devices.”
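One way to close off the Mirai-style vector inside the device's own firmware is to make the factory credential unusable for anything except replacing itself. The following is an added example, not code from the article or from Tactical Network Solutions; `DeviceAuth`, its `KNOWN_DEFAULTS` table and the PBKDF2 parameters are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample of a factory-default credential table (not Mirai's real list).
KNOWN_DEFAULTS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("root", "root"), ("root", "admin"), ("user", "user"),
}


class DeviceAuth:
    """Hypothetical first-boot credential policy for an IoT device."""

    def __init__(self, default_user="admin", default_password="admin"):
        self.users = {}            # user -> (salt, PBKDF2 digest)
        self.must_change = set()   # accounts still on their factory credential
        self._store(default_user, default_password)
        self.must_change.add(default_user)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _store(self, user, password):
        salt = secrets.token_bytes(16)   # fresh random salt per password
        self.users[user] = (salt, self._digest(password, salt))

    def _verify(self, user, password):
        record = self.users.get(user)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(digest, self._digest(password, salt))

    def login(self, user, password):
        """'denied' on a bad credential; 'must_change' while the factory
        credential is still in place (default deny: no service is reachable
        until it is replaced); 'ok' once the password has been changed."""
        if not self._verify(user, password):
            return "denied"
        return "must_change" if user in self.must_change else "ok"

    def change_password(self, user, old, new):
        """The only path out of the must_change state. Rejects the old
        password, anything in the default table, and short passwords."""
        if not self._verify(user, old):
            return False
        if new == old or len(new) < 12 or any(new == p for _, p in KNOWN_DEFAULTS):
            return False
        self._store(user, new)
        self.must_change.discard(user)
        return True
```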

Image: a map of the locations of uncovered Mirai botnet devices so far.

While the failure of services like Heroku and other hosts can have wide-reaching and potentially devastating consequences, the interruption of medical equipment is even more concerning.

“The FDA confirmed that St. Jude Medical’s implantable cardiac devices have vulnerabilities that could allow a hacker to access a device. Once in, they could deplete the battery or administer incorrect pacing or shocks, the FDA said on Monday.” — CNN Tech

The St. Jude Medical implantable pacemakers and defibrillators are arguably some of the most critical systems you’ll come across — they are used to “monitor and control patients’ heart functions and prevent heart attacks”. These are the devices which Terry points to as examples of IoT devices that were not built at all with security at the forefront of their design. This needs to change.

What should developers do?

Terry’s advice comes down to the following:

Use secure coding practices

One of the most important suggestions from Terry is to “learn to code security from the start”. He suggests simply Googling the phrase “secure coding practices” and reading through the results: there is valuable information there, and it is an easy way to start getting your head around the subject. One of the first results, he notes, is a CERN post on the top 10 secure coding practices. Those practices are:

  1. Validate input
  2. Heed compiler warnings
  3. Architect and design for security policies
  4. Keep it simple
  5. Default deny
  6. Adhere to the principle of least privilege
  7. Sanitise data sent to other systems
  8. Practice defence in depth
  9. Use effective quality assurance techniques
  10. Adopt a secure coding standard

Check out the CERN post for more detail on what each of those practices involves.

Use source code auditing tools

Companies like Veracode or Synopsys provide source code auditing tools that check your code is clean and secure before you compile it.

Use automated reverse engineering tools

Terry points out that source code auditing tools “only get you so far”:

“[Source code auditing tools] make sure YOUR code is clean and secure. But when you compile your clean code with 3rd party libraries (open source or otherwise) and/or vendor provided device drivers, you end up with a compiled firmware image with potential vulnerabilities introduced by things you have no control over!” — Terry Dunlap

To be truly certain that your compiled firmware image is secure, you need to examine the compiled image itself, and tools like Tactical Network Solutions’ Centrifuge let you do exactly that. That’s a really valuable capability to have in the battle to truly secure our connected devices! Terry says that you can get trained and learn to perform the analysis yourself, or you can contract that service to someone like Tactical Network Solutions. There are options there. However, there is a valid point for outsourcing the final part of this:

“Having an unbiased 3rd party like us examine it will remove any internal conflicts of interest or internal pressures of going to market. As Ben Franklin once said, “An ounce of prevention is worth a pound of cure.” Just ask St Jude Medical!” — Terry Dunlap

Image: sample output of Centrifuge after a threat is detected.

Nobody is doing it perfectly securely

When I asked which IoT device out there has done security best, Terry was pretty adamant that we don’t have that perfect example yet:

“None, in my opinion. As of today, they can all be hacked and will likely be hacked. It’s a matter of time. And the attack vectors are as simple as using default usernames and passwords — as we’ve seen with Mirai — or as complex as exploiting a buffer overflow in the web interface of the device using a wireless signal like 802.11, Bluetooth, or Zigbee.” — Terry Dunlap

It’s time that developers out there really start pushing to break this trend of insecurity. At the very least, those common attack vectors like default usernames and passwords aren’t acceptable in this era of connectivity. Please, if you’re a developer and you aren’t certain about how to secure your applications and devices — follow Terry’s advice above. The most critical thing he wants you all to know is a simple one:

“Begin your development by incorporating security from the beginning and not as an afterthought.” — Terry Dunlap

Thank you to Terry for taking the time to share some of his tips and advice around security and the Internet of Things! You can check out more about their tools and training services over on the Tactical Network Solutions website.
