Protecting IoT components from being physically compromised
From the moment a computable device is born in the fab, it is automatically prone to being logically compromised with malicious firmware. Once the device is released from the fab and delivered to the client, it is exposed to additional situations in which it may undergo unauthorized logical modification. This may impair the device’s functionality or perform unplanned activity that creates a security breach.
The most basic attack scenario is also the most trivial and the most significant in the device's life cycle: a malicious team member on the shop floor (a human agent) who has physical access to the component production process.
Unfortunately, some employees will perform criminal activity that damages, disrupts or changes the component's behavior, and its effect will be either immediate or delayed until a certain time or trigger (a logic bomb).
This class of attack, also known as an "evil maid attack" or "malicious insider" attack, is enabled by physical accessibility and poor management of access privileges.
A demon called deception – compromising industrial control systems
The significance of the attack, its scope and the inability to stop it also depend on how the device is provisioned on the production floor. For instance, there is a major difference between the capability to initialize thousands of components in bulk without intermediate control processes, and the ability to perform component initialization only in a limited and restrained manner.
Undoubtedly, securing national infrastructure systems is one of the hottest issues in 2018. The modern industrial world, which combines programmable controllers (PLC, ICS etc.) and cloud-based command and control systems (together commonly referred to as "Industry 4.0"), has attempted to integrate a security umbrella that will protect the operations of the factory's edge devices.
Modern PLCs are sophisticated network-connected computers that form the backbone of both small manufacturing plants and large strategic infrastructure sites. Disruption of these industrial devices can cause catastrophic events on an international scale, hence the importance of implementing security solutions against a variety of attack vectors. The sole purpose is to prevent the intrusion of unauthorized (external or internal) actors and to avoid disruption of critical control processes.
This is not a theory but rather a disturbing fact. In 2017, a group of researchers from Georgia Tech developed a worm named "LogicLocker" that caused several PLC models to transmit incorrect data to the systems they control and as a result led to harmful implications.
The common security methods of industrial networks are based mainly on the integration of dedicated network devices which are connected to the traffic artery at central junctions (usually next to network switches). This security method sniffs the data flow between the PLCs themselves, between the PLCs and the cloud (public or private) and between the user interface (HMI) and the cloud.
Relevant data for effective monitoring mainly includes requests for firmware updates and settings change instructions in the PLCs. When anomalies or a policy exception are detected, they can be stopped by blocking the suspicious packets and alerting the network administrators.
It seems that this should cover all the significant attack vectors, including those carried out by malicious insiders, but there is still a weak point, and as we know, a chain is only as strong as its weakest link.
For example, if a malicious insider physically replaces a "clean" device with an infected one (i.e., one with malicious firmware), the monitoring systems will have difficulty detecting the security breach, or will likely fail to, since no suspicious traffic has crossed the network.
Even if new devices are automatically scanned in order to be authenticated as valid, it is fairly easy for a compromised device to forge a misleading valid result.
Generally speaking, the basis for maintaining healthy operation of an industrial network is continuous monitoring of its participating components. Therefore, a device that is manipulated while it is disconnected from the network becomes a vulnerability the moment it is reconnected.
The inside job – compromising personal edge devices
IT teams stringently regulate the industrial PLCs’ security environment, so security control processes are carried out regularly. But when we shift to home or personal edge devices, the envelope that is supposed to protect against security breaches is inherently prone to enforcement failures, especially when dealing with physical compromise.
The attack vectors on consumers' edge devices may originate from supposedly innocent parties that are considered safe, because the end user does not expect the device to be breached or maliciously altered for illegal purposes when it is physically handed to a trusted actor.
IoT consumer products, from wireless routers to smartphones and laptops, naturally change hands during their lifetimes, either when sold or when taken to a repair shop.
As for the latter, when the device is repaired and electronic parts are replaced, a custom ROM could be installed in place of the original, and stealthy foreign apps may be inserted as well. At that point, hijacking the phone's security is quite straightforward: a malicious technician can make an unauthorized change to the device that opens a backdoor, installs root-privileged spyware or malware, and plants various kinds of logic bombs.
Imagine a situation in which a vulnerable target, whether it is a businessman, a government member or a military official, innocently deposits his mobile device in a repair shop, and then a few days later he comes back and gets the device fully working, ostensibly. In practice, it has been physically compromised for wiretapping, without harming the natural functionality of the device.
While this single attack is considered a "tailored" one, aimed at a specific target (akin to spear phishing), a refurbishment process can be fertile ground for large-scale malicious activity. This occurs when edge devices are re-marketed after passing through a non-manufacturer renewal process and are later sold under the same brand and model (but without a genuine insurance certificate). As with the industrial controllers mentioned before, this is ripe for attack.
A few months back a group of researchers from Ben-Gurion University of the Negev demonstrated how aftermarket parts for smartphones, such as replacement screens, may be used to attack a mobile device quite easily and inexpensively.
There are many scenarios in which a device can be breached through physical access, whether it is an industrial programmable controller or an off-the-shelf home network router. The underlying attack is the same, because beneath the plastic shell lie similar electronic elements, and it is at that level that the defense strategy will succeed or fail.
Developing protection strategies for the physical memory components is one of the most important ways to protect these devices, as the memory holds the device's logic. Still, it is only one side of the coin.
The other, complementary side is to create a supportive management system that will allow or deny logical access to the component through a powerful but flexible root of trust.
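To make concrete why a self-reported "I am valid" answer (the forgeable check described earlier) is weaker than a check anchored in a root of trust, here is an added example that is not part of the article: a minimal challenge-response firmware attestation in which the verifier holds a per-device key assumed to have been provisioned at the fab, and a swapped device with different firmware, or without that key, cannot produce an acceptable quote. The firmware images, the device key and the verifier logic are all constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample data: a genuine firmware image, an infected one, and a
# per-device secret assumed to live in a hardware root of trust (placeholder).
GENUINE_FW = b"plc-firmware-v1.0 (constructed sample image)"
INFECTED_FW = b"plc-firmware-v1.0 + implant (constructed sample image)"
DEVICE_KEY = bytes.fromhex("11" * 32)        # placeholder, provisioned at the fab
EXPECTED_MEASUREMENT = hashlib.sha256(GENUINE_FW).hexdigest()


def self_report(fw_image: bytes, claim: Optional[str] = None) -> str:
    """Naive check: the device simply states its firmware hash.
    A replaced device can state whatever the verifier expects to hear."""
    return claim if claim is not None else hashlib.sha256(fw_image).hexdigest()


def device_quote(fw_image: bytes, nonce: bytes, key: bytes) -> Tuple[str, str]:
    """What a device with a key-holding root of trust returns: its measured
    firmware hash plus an HMAC over nonce||measurement, so the answer is both
    fresh (bound to the verifier's nonce) and bound to the device key."""
    measurement = hashlib.sha256(fw_image).hexdigest()
    tag = hmac.new(key, nonce + measurement.encode(), hashlib.sha256).hexdigest()
    return measurement, tag


def verify_quote(nonce: bytes, measurement: str, tag: str) -> bool:
    """Verifier side: recompute the tag with the enrolled key and require the
    measurement to equal the known-good firmware hash."""
    expected_tag = hmac.new(DEVICE_KEY, nonce + measurement.encode(),
                            hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected_tag) and measurement == EXPECTED_MEASUREMENT


def naive_check_passes_for_infected_device() -> bool:
    """The infected device lies about its hash and the naive check accepts it."""
    return self_report(INFECTED_FW, claim=EXPECTED_MEASUREMENT) == EXPECTED_MEASUREMENT


def attest(fw_image: bytes, key: bytes, claimed_measurement: Optional[str] = None) -> bool:
    """Run one attestation round. claimed_measurement lets a device lie about
    its hash; without the enrolled key the tag will still not verify."""
    nonce = os.urandom(16)
    measurement, tag = device_quote(fw_image, nonce, key)
    if claimed_measurement is not None:
        tag = hmac.new(key, nonce + claimed_measurement.encode(), hashlib.sha256).hexdigest()
        measurement = claimed_measurement
    return verify_quote(nonce, measurement, tag)
```

The genuine device passes, the same hardware running infected firmware fails on the measurement, and a physically swapped device that lacks the enrolled key fails on the tag even when it claims the expected hash.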