Detection and security auditing of IoT/connected devices in corporate networks

These days, enterprises have a wide variety of wired and wireless devices being connected and disconnected in a network that is ever-changing. This has led to the current device discovery solutions being focused primarily on identifying and monitoring the most valuable information assets of organizations, such as data stored, processed, and transferred on servers, workstation PCs, laptops, and network firewalls, switches, and routers.

Iot 1024x617

The last four years have seen a shift in attack strategy, though, with cybercriminals increasingly turning their attention to purpose-built connected devices like network printers and video conferencing systems as access points, as well as routes for data exfiltration.

There are a number of key reasons why the current IT asset discovery methods are unable to identify these devices and provide reliable protection to them. One of these reasons is that proprietary protocols are generally used to manage and monitor them, thus, the asset discovery solution does not know about these devices. In addition, most connected devices are resource-constrained systems with proprietary operating systems in place that do not permit the installation of discovery agent software, thus, agent-based asset discovery is not feasible at this time.

Fortunately, Firmalyzer’s Internet of Things vulnerability assessment solution (IoTVAS in short) sheds a light on the tunnel and explains the way how these constraints can be bypassed. The company suggests that accurate identification of the connected device manufacturer, model name, device type, end of life status, firmware version, and release date of the firmware can help in providing relevant protection solutions.

In addition to that, Firmalyzer points to the importance of software components and libraries being listed in a real-time Firmware bill of materials (BOM) that does not require users to upload device firmware files.

The company’s IoTVAS detects vulnerabilities in the device’s 3rd party components, default credentials, crypto keys, and certificates that are undisclosed to the public.

IoTVAS can be a used bot, as a stand-alone IoT discovery and risk assessment tool, or in conjunction with other existing IT asset discovery, network port scanners, and IT vulnerability scanning tools via the IoTVAS REST APIs.

IoTVAS enables IoT discovery.

Revealing more about IoTVAS, the company explains that the solution uses network service banner fingerprints to identify devices. IoTVAS does not require the usage of the MAC address of the device to improve detection accuracy, unlike other device discovery solutions. Based on API requests and in-house research, new fingerprints are added to the IoTVAS fingerprint database on a regular basis.

With IoTVAS running in standalone mode, devices on the target network are probed to extract the aforementioned features. A REST API endpoint can be used to incorporate IoTVAS device discovery into current security systems.

An audit of IoT security with IoTVAS.

In the event that a device manufacturer, model, and firmware version have been found, IoTVAS goes farther than simply searching for CVEs linked with the device and firmware version. With the help of Firmalyzer’s proprietary risk knowledge base, IoTVAS can obtain a detailed risk analysis for the following categories of 3rd party components in the firmware: “network services” (UPnP server, web server, etc.), “crypto libraries” (OpenSSL, GnuTLS), “Linux OS kernel” and “client tools” (busybox, etc.).

Default credentials, crypto keys contained in device firmware, active and expired digital certificates, weak crypto keys and certificates, and default configuration issues are also provided by IoTVAS.

Security managers can identify high-risk connected devices in the network and begin mitigation actions before these devices are affected thanks to this in-depth information. IoT and embedded device BOM inventory can also be automated by eliminating the requirement for manual firmware downloads and binary analysis for various IoT devices installed in company networks through this method.

IoTVAS firmware risk assessment is also accessible via a REST API endpoint, just like the device discovery feature. Users who want to give this solution a try will need to signup for a trial API key to get started with the IoTVAS API. It’s possible to test IoTVAS endpoints without writing a single line of code using the API description page’s swagger user interface. Those who would like to see a live presentation of the IoTVAS SaaS or request a test account can contact Firmalyzer.

Over 50,000 fingerprints from more than 2,300 device manufacturers are in this database at the time of this writing. In order to generate fingerprints, IoTVAS makes use of the following network service responses and banners:

  • Optional MAC address of the device’s network interface
  • SysDescr OID string of the SNMP service
  • FTP service banner
  • Telnet service banner
  • Device hostname
  • Raw response of the device webserver (http and HTTPS services)
  • UPnP discovery response

For IoTVAS to recognize an IoT device, it would require at the very least one of the features listed above. Existing network port scanners and IT vulnerability scanners can be used to collect network service banners.

About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

Leave a Comment