The number of cyber attacks focused on IoT devices is increasing, as is the sophistication of the attackers’ techniques. The typical advice to cope with this trend is to install the latest patch, but that is usually a challenging task. Updating the device’s OS or firmware requires significant adaptations that a device operator usually cannot undertake, since they require unique expertise. Such adaptations, if done wrong, may lead to data loss or other damage. As a result, there are many unpatched devices in the wild, exposed to various known and unknown threats.
Moreover, even a fully-patched device can still be exposed to attacks and exploits of zero-day vulnerabilities. To protect a device from potential exploits and attack attempts, whether the device is patched or not, there is a need for an on-device agent to provide runtime security. Such an agent can be effective only if generated as a result of accurate tailoring to the specific device attributes.
VDOO ERA™ - Embedded Runtime Agent enables the essential protection for embedded systems against known and unknown threats. This security layer provides the ultimate protection and raises the device security bar to a totally different level. Finally, a new era of secure IoT devices has arrived.
ERA™ is generated while taking into account the device’s resources such as CPU, storage, and memory. As opposed to IT security solutions, having one agent to protect all embedded devices is not possible. IoT devices were not designed to run traditional third-party endpoint security solutions that cannot be installed on all device types without harming their performance and functionality. Therefore, on-device runtime protection must be device-specific. Understanding this notion is what differentiates VDOO’s agent technology.
We built the agent based on vast research into embedded device threats, including the device components, hardware, OS, kernel, and software libraries. As part of it, we made the generation of each agent specific for each device. To allow that in a fast, scalable, and cost-effective manner, we also set the agent generation to be automatic, based on the analysis of the device firmware binary by VDOO’s Vision™ analysis platform. To date, ERA™ is the only auto-generated agent suitable for installation on IoT devices.
This approach makes ERA™ the most suitable security solution for any device, being focused on its specific attributes, the threats it is exposed to, and the resources it has. This ensures a minimal effect on the device performance or functionality while providing runtime protection capable of blocking the execution of various malware types, among them the most recent ones — DirtyCOW, Mirai, VPNFilter, Torii, and Chalubo.
Let’s Go Deeper - ERA™ Technical Side
The ERA™ protection policy is generated as a result of the Vision™ analysis process, yet the device manufacturer can adjust the agent’s granular protection policy according to its needs and preferences. For example, adjustable operation modes can be set to actively prevent attacks or just alert when they happen; locally stored logs can be sent to a Syslog/SIEM server or to an ELK Stack, according to the security team’s decision; and custom whitelists can be defined. The protection modules of ERA™ prevent various attack methods, among them:
- Exploitation of 0-day vulnerabilities to execute unauthorized code on the device
- Malicious modification, theft, and ransoming of user data, device configuration, and binaries
- Lateral movement into the device’s network for attacks on users, other devices, and network components
- Bricking of the device’s hardware and software
- Abuse of the device resources to perform massive DDoS attacks as part of a botnet, mine Blockchain, or crack password hashes
- Man-in-the-Middle network-based attacks throughout the device protocol stack
- Reverse engineering of the device security mechanisms and IP
The powerful protections ERA™ provides are effective against known and unknown threats. These protections can be adjusted by the device operator or administrator according to a chosen operation mode: “Prevent”, which blocks an attempted attack and records an alert in the log, and “Alert Only”, which alerts on an attempted attack without preventing it. Soon the agent will have an additional “Learning” mode that learns the device’s behavior in order to suggest the most suitable protection policy automatically.
ERA™ can easily be added to any Linux-based IoT firmware and can be upgraded as part of a firmware update. Once a new ERA™ version is available, it will be integrated into the device firmware and distributed as a regular firmware update.
Currently, ERA™ supports all flavors of Linux and Android. FreeRTOS support is in the beta stage.
The agent is automatically tailored for each device model, therefore enabling a small footprint of CPU overhead <1% and storage overhead ~1MB. VDOO testing tools are being used at the end of the process to ensure the agent’s successful integration. To date, ERA™ is seamlessly running on multiple types of devices.
The on-device agent plays a major role in VDOO's end-to-end solution, which addresses the IoT security challenge by providing top-notch technology to support security integration into the different phases of the device cycle—pre-release and post-deployment.
VDOO was established in 2017 to pioneer embedded systems security, with an end-to-end solution of security automation, certification, and protection. The VDOO founders’ backgrounds include an endpoint cybersecurity startup acquired by Palo Alto Networks, as well as notable experience serving in the Israeli Intelligence Elite Unit. For additional information, please contact us at email@example.com or visit our website at vdoo.com.