Internet of Things / Connected Device Discovery and Security Audit in Enterprise Networks

Corporate networks today are complex environments in which many kinds of wired and wireless devices are continually connected and disconnected. Existing device discovery solutions have primarily focused on identifying and monitoring servers, workstations, laptops, and infrastructure devices such as firewalls, switches, and routers, because the information most valuable to an organization is stored, processed, and transmitted on these devices, which makes them the primary targets of intrusions.

However, a new trend has emerged over the past four years: attackers target purpose-built connected devices such as network printers and video conferencing systems as an entry point into the network and as a route for data exfiltration.

Existing IT asset discovery solutions cannot correctly identify these devices, for two main reasons:

  • They are often managed through proprietary protocols that asset discovery and monitoring solutions do not understand, so they show up as unknown devices.
  • Agent-based discovery is not possible, because most connected devices are resource-constrained systems running proprietary operating systems on which no discovery agent can be installed.

Firmalyzer’s Internet of Things Vulnerability Assessment (IoTVAS) solution overcomes these limitations and provides:

  • Accurate identification of the connected device’s manufacturer, model name, device type, end-of-life status, firmware version, and firmware release date
  • A real-time firmware bill of materials (BOM) that lists the software components and libraries in each device’s firmware without requiring the user to download the firmware image
  • Identification of vulnerabilities that are not publicly known, including vulnerable third-party components, default credentials, embedded encryption keys and certificates, and default configuration issues
  • Identification of the device’s publicly known vulnerabilities (CVEs)

IoTVAS can function as a standalone solution for IoT risk detection and assessment or integrate with existing IT asset discovery, network port scanners and IT vulnerability scanning tools via the IoTVAS REST API.

Discover the Internet of Things with IoTVAS

IoTVAS identifies devices from fingerprints derived from their network service banners. The device’s MAC address can be combined with the fingerprint to improve detection accuracy, but unlike other device detection solutions, IoTVAS does not require it. New device fingerprints are continually added to the IoTVAS fingerprint database, based on incoming API requests and internal research.

As of this writing, the database contains over 50,000 fingerprints from over 2,300 hardware manufacturers. IoTVAS uses the following network service responses and banners for fingerprinting:

  • SNMP sysDescr OID string
  • SNMP sysObjectID OID string
  • FTP service banner
  • Telnet service banner
  • Device hostname
  • Initial response from the device web server (HTTP and HTTPS services)
  • UPnP discovery (SSDP) response
  • Optionally, the MAC address of the device’s network interface

IoTVAS needs at least one of the above features to identify an IoT device. The network service banners can be collected by existing network port scanners or IT vulnerability scanners.

In standalone mode, IoTVAS uses a lightweight network service scanner that probes devices on the target network to extract the above features. The device discovery capability can also be integrated with existing security tools through the REST API endpoint.

IoT Security Audit with IoTVAS

Once the device manufacturer, model, and firmware version are known, IoTVAS goes beyond listing the CVEs associated with that device and firmware version. Using Firmalyzer’s proprietary firmware risk knowledge base, it retrieves the firmware bill of materials and a detailed risk analysis covering vulnerable third-party components in the following categories: “Network services” (UPnP server, web server, etc.), “Cryptographic libraries” (OpenSSL, GnuTLS, etc.), “Linux OS kernel”, and “Client tools” (BusyBox, etc.).

IoTVAS also reports default credentials, encryption keys embedded in the device firmware, active and expired digital certificates, weak encryption keys and certificates, and default configuration issues. This detail lets security managers proactively detect high-risk connected devices on the network and start mitigation before those devices are compromised. It also automates the BOM inventory process for IoT and enterprise embedded devices by removing the need to manually download and binary-analyze the firmware of every IoT device deployed in the enterprise network.
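As an added example (not Firmalyzer’s analysis code), the checks below show the kind of default-credential and default-configuration findings described above, run over excerpts of files as they would be pulled from an unpacked firmware image. The passwd, shadow and sshd_config contents, the account names and the BOM are constructed for the example; the only real data is the CVE-2014-0160 (Heartbleed) affected range for OpenSSL, 1.0.1 up to and including 1.0.1f, used as a one-row stand-in for a vulnerability knowledge base.

```python
"""Default-credential and default-configuration checks over files from an
unpacked firmware image. Added example, not Firmalyzer's code; all file
contents, accounts and the BOM below are constructed for the example."""
import re

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
postgres:x:70:70::/var/lib/postgresql:/bin/sh
intFTP:x:1001:1001::/home/intFTP:/bin/false
guest:x:1002:1002::/:/bin/false
svc:x:0:0::/:/bin/sh
"""
SAMPLE_SHADOW = """root:$1$saltsalt$CONSTRUCTEDHASH0000000000:18000:0:99999:7:::
postgres:$1$saltsalt$CONSTRUCTEDHASH0000000001:18000:0:99999:7:::
intFTP:$1$saltsalt$CONSTRUCTEDHASH0000000002:18000:0:99999:7:::
guest::18000:0:99999:7:::
svc:*:18000:0:99999:7:::
"""
SAMPLE_SSHD_CONFIG = """# sshd_config as shipped in the firmware image
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# appended later by a 'hardening' script; sshd ignores it (first value wins)
PermitRootLogin no
"""
# One-row stand-in for a vulnerability knowledge base. The OpenSSL range is
# the real CVE-2014-0160 (Heartbleed) affected range; the BOM is constructed.
SAMPLE_BOM = {"OpenSSL": "1.0.1e", "BusyBox": "1.20.2"}
VULN_TABLE = [("OpenSSL", "CVE-2014-0160", "1.0.1", "1.0.1f")]


def parse_version(v):
    """'1.0.1f' -> (1, 0, 1, 'f'); the letter suffix sorts after the bare release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", v)
    if not m:
        raise ValueError("unrecognised version: " + v)
    return (int(m[1]), int(m[2]), int(m[3]), m[4])


def check_credentials(passwd_text, shadow_text):
    """Flag baked-in password hashes, passwordless accounts and extra UID-0 accounts."""
    findings = []
    shadow = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            name, hash_, *_ = line.split(":")
            shadow[name] = hash_
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, uid, *_ = line.split(":")
        if uid == "0" and name != "root":
            findings.append(f"{name}: extra UID-0 account")
        h = shadow.get(name)
        if h is None:
            continue
        if h == "":
            findings.append(f"{name}: no password set")
        elif h[0] not in "*!":  # '*' and '!' mark locked accounts
            findings.append(f"{name}: fixed password hash shipped in firmware (default credential)")
    return findings


def sshd_option(config_text, keyword):
    """Return the value sshd would use: the FIRST uncommented occurrence."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip()
    return None


def check_sshd(config_text):
    """Flag remote root login; unset keywords take current OpenSSH defaults."""
    findings = []
    root = (sshd_option(config_text, "PermitRootLogin") or "prohibit-password").lower()
    pw = (sshd_option(config_text, "PasswordAuthentication") or "yes").lower()
    if root == "yes":
        findings.append("sshd: PermitRootLogin yes (remote root login enabled)")
        if pw == "yes":
            findings.append("sshd: root reachable with the shipped password over SSH")
    return findings


def check_bom(bom, table):
    """Match BOM component versions against inclusive vulnerable ranges."""
    return [f"{comp} {bom[comp]}: {cve}" for comp, cve, low, high in table
            if comp in bom and parse_version(low) <= parse_version(bom[comp]) <= parse_version(high)]


def audit():
    return (check_credentials(SAMPLE_PASSWD, SAMPLE_SHADOW)
            + check_sshd(SAMPLE_SSHD_CONFIG) + check_bom(SAMPLE_BOM, VULN_TABLE))


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

A password hash in the shadow file of a firmware image is a default credential even when the plaintext is unknown: every unit ships the same hash, so one offline crack works against all of them. The sshd_option helper applies the first uncommented occurrence of a keyword because that is how sshd resolves duplicates; a hardening line appended below the vendor’s default therefore changes nothing, which the sample config demonstrates.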

Similar to device discovery, IoTVAS firmware risk assessment can also be accessed through the REST API endpoint.

IoTVAS in action

The following figure shows the risk assessment report for a Xerox network printer in the IoTVAS SaaS edition, including the firmware bill of materials and details of vulnerable software components.

Figure 1 – IoTVAS SaaS device risk detail page

The IoTVAS API enables IT security solution providers and SecOps teams to integrate IoTVAS discovery and IoT risk audit capabilities into their existing tools and offerings. For example, Firmalyzer has developed an IoTVAS plugin for the Nmap scanner that lets Nmap accurately detect and audit IoT devices while scanning a target network.

The following example shows how the IoTVAS NSE scripts let Nmap accurately detect the manufacturer, model name, and firmware version of an enterprise printer, along with its known firmware risks. The firmware risk analysis reveals default ‘root’ and ‘postgres’ accounts, credentials for the ‘intFTP’ account, a list of expired certificates and certificates with a weak fingerprint algorithm (MD5), and a default SSH configuration that allows remote root login.

Figure 2 – IoTVAS plugin for Nmap
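To show how the banner features listed in the discovery section are gathered from an existing port scanner, here is an added example (not Firmalyzer’s plugin or NSE scripts) that reads Nmap XML output produced with Nmap’s stock banner, snmp-sysdescr, http-server-header, http-title and upnp-info scripts and assembles, per host, the feature set IoTVAS fingerprints on: SNMP sysDescr, FTP and Telnet banners, hostname, web server response and UPnP response, with the MAC address carried along as the optional extra. The feature names, the SAMPLE_NMAP_XML document and every value in it are constructed for the example; the IoTVAS request format is not reproduced here, so mapping the record onto the API is left to the reader’s integration.

```python
"""Assemble the IoTVAS fingerprint feature set from Nmap XML output.

Added example, not Firmalyzer's code. Assumes the scan used Nmap's own
banner, snmp-sysdescr, http-server-header, http-title and upnp-info
scripts; the feature names are this example's choice, not the API's.
"""
import re
import xml.etree.ElementTree as ET

# (Nmap service name, NSE script id) -> fingerprint feature it supplies.
FEATURE_SOURCES = {
    ("snmp", "snmp-sysdescr"): "snmp_sysdescr",
    ("ftp", "banner"): "ftp_banner",
    ("telnet", "banner"): "telnet_banner",
    ("http", "http-server-header"): "http_server_header",
    ("http", "http-title"): "http_title",
    ("https", "http-server-header"): "https_server_header",
    ("https", "http-title"): "https_title",
    ("upnp", "upnp-info"): "upnp_response",
}

# Constructed Nmap XML for one printer, trimmed to the elements read here.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
<host>
<address addr="192.0.2.15" addrtype="ipv4"/>
<address addr="00:00:5E:00:53:11" addrtype="mac" vendor="Example"/>
<hostnames><hostname name="printer-3f.example.net" type="PTR"/></hostnames>
<ports>
<port protocol="udp" portid="161"><state state="open"/><service name="snmp"/>
<script id="snmp-sysdescr" output="Example Printer 5000; OS 2.1.7; Engine 3.0"/></port>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/>
<script id="banner" output="220 Example FTP server (version 1.3) ready."/></port>
<port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/>
<script id="banner" output="\\xFF\\xFD\\x18Example Printer login: "/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/>
<script id="http-server-header" output="Example-HTTPd/1.4"/>
<script id="http-title" output="Printer Status"/></port>
<port protocol="tcp" portid="9100"><state state="open"/><service name="jetdirect"/></port>
</ports>
</host>
</nmaprun>
"""


def _clean_banner(text):
    """Drop the \\xHH escapes Nmap uses for non-printable bytes (telnet
    option negotiation, for example) and surrounding whitespace."""
    return re.sub(r"(\\x[0-9A-Fa-f]{2})+", " ", text).strip()


def extract_features(nmap_xml):
    """Return one record per scanned host: ip, mac, hostname, features."""
    records = []
    for host in ET.fromstring(nmap_xml).iter("host"):
        rec = {"ip": None, "mac": None, "hostname": None, "features": {}}
        for addr in host.iter("address"):
            if addr.get("addrtype") == "mac":
                rec["mac"] = addr.get("addr").lower()  # optional extra signal
            else:
                rec["ip"] = addr.get("addr")
        hn = host.find("hostnames/hostname")
        if hn is not None:
            rec["hostname"] = hn.get("name")
            rec["features"]["hostname"] = hn.get("name")
        for port in host.iter("port"):
            svc = port.find("service")
            state = port.find("state")
            if svc is None or state is None or state.get("state") != "open":
                continue
            name = svc.get("name", "")
            if name == "http" and svc.get("tunnel") == "ssl":
                name = "https"  # Nmap reports TLS-wrapped HTTP this way
            for script in port.iter("script"):
                feature = FEATURE_SOURCES.get((name, script.get("id")))
                output = script.get("output", "")
                if feature and output.strip():
                    rec["features"][feature] = _clean_banner(output)
        records.append(rec)
    return records


def fingerprintable(rec):
    """At least one service feature is needed; the MAC alone is not enough."""
    return bool(rec["features"])


if __name__ == "__main__":
    for rec in extract_features(SAMPLE_NMAP_XML):
        print(rec["ip"], "fingerprintable" if fingerprintable(rec) else "no features")
        for key, value in sorted(rec["features"].items()):
            print(f"  {key}: {value}")
```

The port 9100 entry is deliberately left without a script result: an open port with no banner contributes nothing to the fingerprint, and fingerprintable() reflects the rule that at least one of the listed service features must be present, with the MAC address only an optional supplement.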

To start using the IoTVAS API, register for a demo API key. The API documentation page includes an interactive interface that lets you evaluate the IoTVAS endpoints directly from your browser without writing any code.

If you are interested in an IoTVAS SaaS demo or customization, feel free to contact Firmalyzer for a live demo or test account.
