Embedded Security for Embedded Systems

Internet of Things (IoT) devices are quickly becoming the gateway of choice for attackers looking to gain easy entry to corporate networks. IoT has taken the problems of device security and shadow IT to the next level of operational complexity and then heaped on additional frustrations, starting with the fact that connected devices are often not designed with security in mind. Attackers can take advantage of this “low-hanging fruit,” as evidenced by the Mirai botnet, an attack via a connected casino aquarium that resulted in stolen data [1], exploited vulnerabilities in baby monitors [2], insecure home thermostats [3], and myriad other proof-of-concept hacks by security researchers.

While (fortunately) most IoT hacks to date have been conducted in test environments, the potential for real-world attacks with real-life implications is enormous. This is why the security community has been abuzz with demand for change. Simply put, IoT devices have idiosyncrasies that cannot be managed with traditional on-network or endpoint security solutions, and researchers like Natali Tshuva, CEO and Co-founder of Sternum, an Israel-based IoT security provider, are jumping in to ensure these devices are protected.

Tshuva was only 19 years old when she graduated from college with a computer science degree. She was picked to join the elite Israeli Intelligence Corps unit, Unit 8200, where she honed her skills in cyber security and embedded development, then took her experience to a product vendor to research exploitation techniques on mobile platforms. But this wasn’t the entirety of Tshuva’s career aspirations, as she told me during a recent discussion. “I had always thought I would work in the medical field,” she said, “but after learning about the insecurity of embedded devices and remote care, I wanted to merge the two. Everyone knew medical devices were vulnerable, but the solution for securing them had to be unique. I knew we couldn’t use network controls or put agents on individual devices. We had to start with the low-level technology—at the core.”

Hardening low-level tech

Sternum was founded in mid-2018 with the idea that the team would use their knowledge of reverse engineering and binary code analysis—hardening at the code level—to prevent cyber attacks against vulnerable IoT devices.

Stepping back for a minute, we must consider how supply chain vulnerabilities and exposures contribute to IoT device risks. To start, device components are manufactured all over the world and, in some cases, in countries known to employ nation-state-level adversaries. In less extreme circumstances, vulnerabilities in firmware or the third-party libraries on which they’re built could result in unnecessary exposure of hundreds of thousands of devices. From there, the list of problems with IoT grows: no built-in protection, high diversity of device types across 100+ operating systems, varying protocols, no isolation between processes, patching issues, and more. Tshuva and her team understood their solution had to counter these obstacles.

“We start with embedded integrity verification, EIV,” she said. Sternum’s EIV analyzes the device’s binary code and embeds protection within the code, including third-party libraries and closed-source code. EIV can be applied across any operating system, including Linux, and enables manufacturers to update the firmware protection on their existing devices.

If you’re at all like me, you’re now thinking: Wait, the manufacturer updates the devices?

Yes, following an iOS device model, this approach allows for centralized and automated patch management. The concern here is whether manufacturers, which have not been attentive to security in the past, will take steps to update devices. Given the privacy and security regulations that have come and are coming to pass, manufacturers are now incentivized to show best-effort cyber security; in some cases, they are required to demonstrate it. Legislation aside, updating and patching remains a sticky wicket for every organization. If, however, the process is easy to implement and doesn’t impact operations in an appreciable way, manufacturers are likely to take the bait, if only to keep themselves out of legal hot water. As such, integration with established processes was a “must have” feature of the Sternum platform.

Device integrity and behavior monitoring

If the above feels like a nod to DevOps, it’s because it is: Sternum is implemented via a single click through the IDE or CI/CD pipeline. Once installed, the EIV sits on the device, provides insight into its data, and maps all components in use. RIEMS, Sternum’s Real-Time Event Monitoring System, then monitors operation of the OS, memory usage, CPU usage, whether the device uses encryption/decryption, how much data is being accessed or sent, whether the device is communicating with a new or unknown IP address, and more. RIEMS also continuously scans for and alerts on known CVEs. This method of integrity and behavior monitoring identifies the manipulations caused by an exploit (rather than a specific vulnerability), resulting in vulnerability-agnostic device protection.

No security technology would be complete without a security alerting capability. The dashboard displays network events, cryptographic events, OS-related events, i.e., what’s happening in real time, and gives administrators control over prevention and response policies. If the idea of logging into yet another dashboard or receiving alerts from yet another system is unsavory, Sternum integrates with most SIEMs.
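To make the behavior-monitoring idea in the two paragraphs above concrete, here is an added example that is not Sternum’s code and does not reflect how RIEMS is actually built. It is a hypothetical monitor that runs the kinds of checks described (known-CVE matching against a component inventory, unknown peer addresses, memory spikes against a baseline, outbound data volume, cleartext egress) over constructed telemetry and a constructed advisory list, and formats each alert as a JSON line of the sort a SIEM would ingest. All component names, version numbers, advisory identifiers, addresses and thresholds are constructed placeholders.

```python
import json

# Constructed sample data (hypothetical device, hypothetical advisories).
DEVICE_COMPONENTS = {"libtls": "1.2.0", "httpd-lite": "0.9.4", "rtos-core": "3.1"}
KNOWN_CVES = {  # component -> [(affected version, advisory id placeholder)]
    "libtls": [("1.2.0", "CVE-PLACEHOLDER-A")],
    "httpd-lite": [("0.8.0", "CVE-PLACEHOLDER-B")],
}
KNOWN_PEERS = {"10.0.0.5", "10.0.0.9"}   # addresses seen during the baseline period
MEM_BASELINE_KB = 2048                   # typical resident memory during baseline
MEM_SPIKE_RATIO = 1.5                    # alert above 150% of baseline
EGRESS_LIMIT_BYTES = 200_000             # alert above this per-interval egress

# Constructed telemetry samples, one record per reporting interval.
TELEMETRY = [
    {"t": 1, "cpu": 12, "mem_kb": 2100, "peer": "10.0.0.5", "bytes_out": 1500, "crypto": True},
    {"t": 2, "cpu": 15, "mem_kb": 2150, "peer": "10.0.0.9", "bytes_out": 2000, "crypto": True},
    {"t": 3, "cpu": 88, "mem_kb": 3900, "peer": "203.0.113.77", "bytes_out": 350_000, "crypto": False},
    {"t": 4, "cpu": 14, "mem_kb": 2120, "peer": "10.0.0.5", "bytes_out": 1800, "crypto": True},
]


def check_components(components, advisories):
    """Match the mapped component inventory against known-vulnerable versions."""
    alerts = []
    for name, version in components.items():
        for affected, advisory_id in advisories.get(name, []):
            if version == affected:
                alerts.append({"t": 0, "category": "known_cve",
                               "detail": f"{name} {version} matches {advisory_id}"})
    return alerts


def check_event(event, known_peers):
    """Behavioral checks on one telemetry record; vulnerability-agnostic by design."""
    alerts = []

    def alert(category, detail):
        alerts.append({"t": event["t"], "category": category, "detail": detail})

    if event["peer"] not in known_peers:
        alert("unknown_peer", f"traffic to address not seen in baseline: {event['peer']}")
    if event["mem_kb"] > MEM_BASELINE_KB * MEM_SPIKE_RATIO:
        alert("memory_spike", f"{event['mem_kb']} KB vs baseline {MEM_BASELINE_KB} KB")
    if event["bytes_out"] > EGRESS_LIMIT_BYTES:
        alert("egress_volume", f"{event['bytes_out']} bytes out in one interval")
    if event["bytes_out"] > 0 and not event["crypto"]:
        alert("cleartext_egress", "data sent while no crypto activity was observed")
    return alerts


def monitor(telemetry, components, known_peers=KNOWN_PEERS):
    """Run the inventory check once, then the behavioral checks per record."""
    alerts = check_components(components, KNOWN_CVES)
    for event in telemetry:
        alerts.extend(check_event(event, known_peers))
    return alerts


def to_siem_line(alert):
    """One JSON object per line, the shape most SIEM collectors accept."""
    return json.dumps({"source": "device-monitor", **alert}, sort_keys=True)


if __name__ == "__main__":
    for a in monitor(TELEMETRY, DEVICE_COMPONENTS):
        print(to_siem_line(a))
```

Running the block prints five alerts: one known-CVE match from the inventory and four behavioral alerts, all from the third interval, where an unseen peer, a memory spike, a large cleartext egress and high CPU coincide. Note that the unknown-peer check deliberately does not add the new address to the baseline; a peer only becomes “known” through an explicit baseline update, otherwise an attacker’s first contact would teach the monitor to ignore the second.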

“Sternum’s prevention is related to the techniques of exploitation,” Tshuva told me. “Every device will have vulnerabilities so you can’t focus there; when an attacker attempts an exploit, EIV deterministically prevents attacks from happening, and RIEMS provides the visibility.” By focusing on the identification of exploitation behavior rather than individual flaws on the device, Sternum appears to have developed a solution that raises IoT devices from “low-hanging fruit” to something significantly trickier to exploit. It doesn’t “bake security in” the way security practitioners might envision, but in a way it does—by embedding security controls on devices once a manufacturer or managed security provider has chosen to implement the solution.

Deterministic prevention

With the abundance of IoT device security tools on the market, it can be hard to differentiate, but Sternum takes a different approach. Their technology sits in the critical path of supply chain issues, which is compelling. By focusing on low-level code vulnerabilities and device manipulations, the platform is positioned to prevent attacks before they proliferate, regardless of device or OS type. Additionally, Sternum provides companies with advanced monitoring capabilities from within their connected devices, regardless of how distributed they may be. If this piques your interest, give the team at Sternum a call, then let us know your assessment.