Known Security Vulnerabilities Are a Hacker’s Guide to an IoT Breach

By Tae Jin (TJ) Kang

The Internet of Things is a powerful trend, but its growth could be hindered by unpatched open-source vulnerabilities.

Although more than a month remains before the end of the year, 2017 should already be considered a year of historic hacking. It has been tainted with numerous hacking incidents, including WannaCry, Petya and Cloudbleed. Of course, the most significant hack of the year, to date, was the Equifax data breach, which exposed the personal data of nearly 148 million people.

The bad guys are really good at what they do. And they are winning.

While phishing schemes continue to catch unaware users, the truly disturbing hacks—and the costliest this year—are those that take advantage of known security vulnerabilities.

That's right. The IT teams and managed service providers (MSPs) responsible for guarding the systems from hackers are failing to address what should, at first blush, be a fairly easy correction: namely, patching known security vulnerabilities.

The IoT Is a Potentially Much Larger Issue
The growth and proliferation rates of IoT devices—used by industry, consumers and governments—are significant. According to a 2017 Boston Consulting Group report, the market for IoT products and services is expected to reach $267 billion by 2020. The organization estimates that by that same year, half of IoT spending will be driven by the transportation and logistics, discrete manufacturing and utilities industries. Additionally, according to Gartner, there will be an estimated 20.4 billion IoT-connected components worldwide by 2020.

While tens of billions of dollars are spent annually to secure computing, telephony and banking networks, a PwC survey reports that less than 28 percent of polled companies have begun to deploy the added security needed to guard against the increased risk of cyber-attacks on IoT networks.

Known Security Vulnerabilities
More than 90 percent of the software written these days integrates open-source code. Such code is used in IoT firmware, operating systems, network platforms and applications. This trend will only continue to grow because, by leveraging open-source, developers can lower assembly costs and quickly add innovations, thereby saving months or years of originally required development time.

Whether software code is proprietary or open-source, it harbors security vulnerabilities. Supporters of open-source argue that the accessibility and transparency of the code allow the "good guys"—corporate quality-assurance teams, white-hat hackers or open-source project groups—to find bugs faster.

Critics contend that more attackers than defenders examine the code, resulting in a net effect of higher incidents of vulnerability exploits. Fortunately, the open-source community rallies to address vulnerability issues. Once open-source vulnerabilities are discovered, they are quickly and publicly catalogued and patched.

Why Hackers Love Known Open-Source Security Vulnerabilities
Because of its transparency, open-source code tends to be better engineered than a comparable piece of proprietary code. And thanks to its superior quality and flexibility, open-source code is used more widely than its "closed code" counterpart. This means that a security vulnerability in a piece of open-source code is likely to be found across a multitude of applications and platforms. Consequently, OSS vulnerabilities become an easy and efficient target for hackers.

Additionally, known security vulnerabilities are essentially a roadmap for hackers to explore and exploit security issues within various connected systems—operating systems, Web platforms, Web applications and client applications, among many others. The accessibility of the OSS community provides hackers with ready-made lists of security vulnerabilities that they can exploit if IoT OEMs and their third-party development teams have not patched the software.

In fact, the unpatched security vulnerability is the inflection point at which government and corporate software distribution and security teams are most at odds with the bad-actor hackers. This raises an important question: If known security vulnerabilities are the easiest exploit for hackers, why is it a challenge for the OEMs, ISVs, MSPs, and IT and security teams to hinder their attacks?

They Hide in the Code
The known security vulnerabilities hide in the code used by organizations. Consequently, users do not know that their code contains security threats awaiting attack. So how are these known vulnerabilities able to hide in and pervade applications, platforms and devices that leverage open-source?

Newer versions of OSS components, free of these known security vulnerabilities, are available. The challenge for OEMs and software-development teams is to accurately and effectively track all open-source software components in their internally developed and externally sourced code—a nearly impossible task.

Such difficulty is partly due to the software development and procurement model. It is also attributable to the fact that development teams often receive third-party software in binary format.

First Scan the Binary for Known Security Vulnerabilities, Then Look for Logic or Programming Errors
Static code analyzers deliver great value at different times in the development process. Whether they are examining source code or disassembled binary code, static code analyzers can help find common programming errors.

Nevertheless, scanning binary code for known security vulnerabilities has the greatest potential for reducing the vast majority of hacking incidents. For some time, development and quality-assurance teams have employed checksum and hash-based binary code scanners. While they have been reasonably effective, the tools have been constrained by limited databases of pre-compiled binaries of the most commonly used open-source components.

At present, development, security and software provisioning teams can leverage binary code scanners that use code fingerprinting. The tools extract "fingerprints" from a binary to be examined, and then compare them to the fingerprints collected from open-source components hosted in well-known, open-source repositories. Once a component and its version are identified through this fingerprint matching, development and security teams can easily find known security vulnerabilities associated with the component from vulnerability databases, such as NVD.
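The contrast between hash-based and fingerprint-based scanning described above can be shown with a small sketch. This is an added example, not code from the article or from any scanner product; the component names, fingerprint strings, advisory identifier and firmware bytes are all constructed placeholders, and the fingerprint used here (embedded string literals) is one simple choice of feature.

```python
import hashlib
import re

# Constructed reference data: component names, fingerprint strings and the
# advisory id are hypothetical placeholders, not real projects or CVE numbers.
KNOWN_HASHES = {
    hashlib.sha256(b"prebuilt libexample 1.0.1").hexdigest(): ("libexample", "1.0.1"),
}
FINGERPRINT_DB = {
    ("libexample", "1.0.1"): {b"libexample: bad record mac",
                              b"libexample_handshake_v1",
                              b"legacy_heartbeat_enabled"},
    ("libexample", "1.0.2"): {b"libexample: bad record mac",
                              b"libexample_handshake_v1",
                              b"heartbeat_bounds_checked"},
    ("minihttpd", "2.3.0"): {b"minihttpd worker started",
                             b"minihttpd: malformed request line"},
}
ADVISORIES = {("libexample", "1.0.1"): ["EXAMPLE-ADVISORY-0001"]}

def extract_strings(blob, min_len=6):
    """Fingerprint extraction: every run of printable ASCII in the binary."""
    return set(re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob))

def identify(blob, threshold=0.6):
    """Return {component: (version, score)} for the best-matching version."""
    found = extract_strings(blob)
    best = {}
    for (name, version), prints in FINGERPRINT_DB.items():
        score = len(prints & found) / len(prints)
        if score >= threshold and score > best.get(name, ("", 0.0))[1]:
            best[name] = (version, score)
    return best

def scan(blob):
    """Return (whole-file hash match or None, {(component, version): advisories})."""
    hash_hit = KNOWN_HASHES.get(hashlib.sha256(blob).hexdigest())
    findings = {(name, version): ADVISORIES.get((name, version), [])
                for name, (version, _score) in identify(blob).items()}
    return hash_hit, findings

# Constructed firmware image: libexample 1.0.1 statically linked beside vendor
# code, so the file's hash matches no catalogued pre-compiled binary.
FIRMWARE = b"\x7fELF\x02\x01" + b"\x00".join([
    b"vendor_boot_v7", b"libexample: bad record mac", b"libexample_handshake_v1",
    b"legacy_heartbeat_enabled", b"minihttpd worker started",
]) + b"\x00\x90\x90"

if __name__ == "__main__":
    print(scan(FIRMWARE))
```

The hash lookup misses because the image as a whole was never catalogued, while the fingerprint match still pins the embedded component to the version that carries the advisory; the single stray `minihttpd` string stays below the threshold and is not reported.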

The IoT is a powerful trend. Yet its growth could be hindered by unpatched open-source security vulnerabilities, which offer hackers opportunities to easily impair brands and generate potentially significant corporate losses. By leveraging binary code scanners, OEMs and MSPs, as well as IT, development and security teams, can implement the optimal means to find and shut down IoT device and network security vulnerabilities, reducing the possibility of hacker attacks.

Tae Jin (TJ) Kang is a technology industry executive and entrepreneur. He is the president and CEO of Insignary. In addition to founding a number of successful technology startups, TJ has held senior management positions with several global technology leaders, including Korea Telecom and Samsung Electronics, among others.