If you’re a developer of IoT devices, the events of last week should be frightening to you.
On March 29, 2024, a software supply chain attack targeting the Linux operating systems was discovered by accident by an engineer working for Microsoft. The attack was named CVE-2024-3094, and it was given a severity score of 10.0, the highest rating. The attack involved the insertion of malicious code into open-source software called xz Utils which is commonly bundled with Linux distributions. The malicious code was a sort of back door that would have allowed remote code execution on the server.
It was an extreme stroke of luck that the malicious code was found as quickly as it was. The headline in the New York Times said: “Did One Guy Just Stop a Huge Cyberattack?” The back door, once leveraged, could have had devastating consequences to individual companies or indeed the entire Internet.
What does xz Utils have to do with IoT?
The reason why this attack should concern IoT developers is that most of the software powering IoT devices is either open-source software or comes from third parties – just like xz Utils. Although IoT devices might seem simple, under the hood they are actually quite complex and involve a lot of third-party software. Typical components include:
- Cellular modems and communication modules
- Power management ICs
- Communications interfaces including USB, Wi-Fi, Bluetooth and NFC
- A GPS module
- A Microcontroller Unit (MCU) and application processor
- Operating systems such as Raspberry Pi OS, Android, FreeRTOS
- Device management software such as Eclipse hawkBit and RemoteIoT
- Many different libraries and frameworks such as OpenSSL
- Application code – which typically either includes or references open-source software
Each of these components can come from a different supplier or has some kind of heritage that brings with it some code that you didn’t write yourself. A study conducted by the Linux Foundation’s Collaborative Projects in 2018 found that, on average, open-source software makes up 70-90% of the code in a typical IoT device.
How big is the risk?
Probably bigger than you think. According to market research published by IBM, 12% of organizations who experienced a serious data breach identified a software supply chain attack as the source of the attack.
In the recent past, we have seen supply chain vulnerabilities affecting a wide variety of open-source components, for example:
- Log4j
- Urgent/11
- Ripple20
- CVE-2120-35394 that affected IoT devices that were running Realtek chipsets
- CVE-2021-28372 that affected IoT devices developed with the ThroughTek SDK.
Looking forward, there is no way to tell whether the team who planted the malicious code inside xz Utils have been squirreling other forms of malicious code into the software commonly used on IoT devices. If this is the case, one day you could wake up to find out that all of your IoT devices are useless, or they have been used to attack your infrastructure, either to exfiltrate data or to plant ransomware. What would that do to your business?
What can be done?
The first and most obvious thing that a developer can do to make IoT devices more secure is to monitor the software going onto the devices more carefully. Dependency scanners (also called software composition analysis) can be used to detect known vulnerabilities and malicious code in open-source software. Dependency scanners are highly recommended, but they are not a panacea. They were unable to detect most of the vulnerabilities listed above, nor the malicious code embedded in SolarWinds software, nor the recent malicious code embedded in xz Utils (although, to be fair, they were never designed to do that).
A second approach is to include a security agent on your IoT device. Agents can monitor and detect the device’s network traffic and behavior in an attempt to detect and prevent unauthorized activities or intrusion. In general, the downside of agents is the fact that they are resource-hungry. They require specific operating systems, significant battery power, and CPU cycles. That increases costs and affects time-to-market.
A third approach is to deploy security at the network level. Network monitors can provide comprehensive device visibility, early detection of anomalies that might signify security issues, and fine-grained control over traffic. Aeris’ newest security product, Aeris IoT Watchtower, lets you create Zero Trust security policies that will prevent compromised IoT devices from making unauthorized connections to your IT environment, thus limiting the potential impact on your organization. Aeris IoT Watchtower also prevents connections between your IoT devices and malicious Internet destinations, to block malware, command & control, botnet, and data exfiltration. This is the last line of defense in what is called the malware “kill chain”. While you can’t always prevent malicious software from creeping into your code, you can prevent its impact by blocking network activity.
Network-level approaches can be fast and easy to implement. They have zero impact on devices, consume no resources on the device, and work with both current and future devices. And, if you are a developer, there is literally nothing you need to do – no impact to your delivery schedule.
Of course, if you have enough time and money, you can use all three approaches at the same time. This is how normal computers are secured – using a layered approach.
One final note: If your IoT devices utilize cellular connectivity, the network security solution must have full access to the cellular network in order to fully monitor and control the IoT device connections. Network security products that you might have already deployed on your IT network won’t work because they are blind to the activity of cellular-connected IoT devices and can’t adequately control them.
