Each year there are more and more so called “smart” devices and gadgets are being connected to the internet. Growing number of Internet of Things (IoT) devices currnently means that organizations are facing additional new cybersecurity risks associated with IoT without realising it. Various consumer devices being connected to networks of organizations worldwide, networked devices such as surveillance cameras or even smart kettles are being utilized in modern offices too. One of the problems with this growth is that often quality of software which is embedded in IoT devices is low due to developers and end-users being unaware of potential security issues embedded devices and their firmware cause.

In order for an electronics device to become “smart” – a piece of software, called firmware is used to provide connectivity to the network, cloud and to deliver the functionality of the “smart” device to the consumer using it. The firmware needs to be running on some hardware – typically some variaton of System on a Chip (SoC), typically with low-end computational power as it is not required in an IoT device and less power means less energy use and cheaper to manufacture hardware. The software that provides key functionality is running on some embedded operating system inside the device – could be linux or some other type of embedded OS.

Therefore as the hardware might be a bit dated, so could be the OS behind it. Outdated software components contain security vulnerabilities that can be exploited by attackers for their own purposes – such as running an IoT botnet or eavesdropping on traffic going through the device itself. But let’s not forget that not only consumer, but also an industrial application of IoT devices exist – ICS systems, SCADA ecosystem devices, various embedded controllers – everything is connected to the internet and potentially can take part in a successful attack.

Also embedded devices are known to contain backdoor accounts, often masqueraded as “service” accounts, but can be used to bypass access controls on the device or are there just for a malicious purpose.

In this context Critical Security offers following IoT security services:

• Security audit of embedded consumer IoT devices
• Device control mobile application and cloud communication implementation security reviews
• Security analysis of ICS/SCADA systems
• Source code audit of embedded software and its components
• Security analysis of binary firmware images using automated and manual approaches
• Reverse engineering of software components

Additional information