VDOO Connected Trust Ltd. Comments on NIST IR 8267
The National Institute of Standards and Technology (NIST) recently released a draft of their "Security Review of Consumer Home Internet of Things (IoT) Products" report, which is currently open for public comment. In this post, we will review the report, its approach, and its contribution to IoT cybersecurity, highlighting several points which should be of interest to everyone in this market. We will also discuss a few gaps and omissions and recommend additional research that builds upon this initial foundation. VDOO will also submit an official response to NIST outlining these gaps.
Overall, this is a very welcome effort by NIST. The report, which addresses only the manufacturer’s side, is likely to prove highly useful for various players in the security industry. It does little to directly help consumers themselves, so we will also address some of the methods VDOO proposes to improve the situation when it comes to consumers.
"Consumer Home IoT Products" Report Overview
NIST, the United States National Institute of Standards and Technology, is well known in the security industry as an authoritative and prolific issuer of security standards. NIST has already influenced the IoT market by helping secure its ecosystem through relevant standards that cover cryptography, security protocols and modules, as well as other related fields such as identity management and information storage.
NIST has come to recognize that IoT should be addressed as a distinct sector with its own security needs, and it is now beginning to issue standards and reports aimed at this field specifically.
The NIST IR 8267 report is not meant to be a security standard, although it does include several points that can be used directly as security requirements. Instead, with this report, NIST is acting as a security testing laboratory which is a different part of its overall role.
For the purposes of this report, NIST selected three or more Smart Home products in several categories, including light bulbs, security lights, security cameras, doorbells, plugs, thermostats, and televisions. The sample devices were chosen based on their wide availability, easy installation (suitable for a home user), and varying price points. NIST were specifically looking to base this report on a representative sample, instead of a comprehensive one.
For each device, the NIST laboratory examined publicly available information from the internet and performed a hands-on technical inspection. The technical part mostly consisted of sniffing and proxying network communications, USB, and Bluetooth, with some attention given to the physical interfaces and removable storage.
Unfortunately, the NIST methodology included only limited access to internal storage, and they did not obtain or analyze the devices' firmware using any of the common methods (such as dumping it from the device, intercepting software updates on the wire, or obtaining a firmware image from the vendor's support website). Therefore, many potential flaws in the devices' internals, including outdated and vulnerable software components, misconfigurations and architectural issues, remain hidden from the public view.
As a security firm dealing with firmware analysis and looking to contribute additional analysis to the report, VDOO could have replicated NIST’s efforts on a sample of the products they had evaluated. But, as expected, NIST only provided a summary for each category without listing the vendors or device models they analyzed.
The report itself starts by providing explanations regarding its approach and methodology. It then goes into detail regarding the findings in each product category, and presents an overall summary. A section near the end which lists some security considerations for IoT manufacturers is highly recommended reading for any IoT vendor. Experienced security engineers and architects should note that they are unlikely to find new material here since the findings correspond to common security requirements included in any standard, such as those issued by ENISA or NIST themselves.
A more interesting point here is how these well-known requirements are translated to the actual state of cybersecurity in the field. The NIST report shows that while vendors are largely aware of overall IoT security requirements, there are still severe gaps in each and every one of the product categories.
Interesting Insights into the State of the IoT Cybersecurity Market
The security issues appearing in this report are common and well-known in the IoT sector. For example, the examined products allowed short and simplistic passwords, were missing TLS protections for communication (or were using older versions and algorithms which can be cracked), and had redundant features enabled (including open network ports) that could be abused by attackers but cannot be turned off by consumers.
While software updates were supported by most products, the update mechanisms themselves had significant security gaps that could leave the device vulnerable to hijacking by network attackers (for example, one device could accept software updates without verifying any cryptographic signatures).
The report also addressed less common security features, such as certificate pinning, which is often overlooked, even though it prevents most man-in-the-middle attacks. This is an especially relevant scenario in smart home environments, where an attacker might interfere with the network communications between the device and its management app in the cloud or on a mobile device.
Interestingly, the report makes note of security logging. While many of the smart home devices are capable of logging application events (for instance, a smart doorbell reports a motion detection event), none of them expose their internal logs (such as remote access logs recorded by the operating system) in any way that can be accessed by consumers. This means that any internal event like a security-relevant failure or even a tampering attempt will remain concealed from the device's owner.
When it comes to data protection, the question of whether internal data is encrypted or erased upon ownership change was mostly left open. The devices themselves don't provide any such indication and, as mentioned before, the laboratory did not examine any device internals.
In general, privacy aspects were only briefly touched on in the report. It's interesting to see that even though most devices contacted 4-12 domains as part of their everyday communications (including domains associated with data analytics, sometimes in cleartext), NIST did not examine their contents beyond checking for information that could identify the user. It would therefore be very useful to conduct a more in-depth examination of the privacy impact of common IoT devices, especially when we consider that privacy is a growing concern among consumers.
The report provides additional interesting insights into the practical state of security in the product categories it covered. For example, thermostats had insecure USB port connections, but deployed authentication on their network APIs. We speculate that interoperability with common devices, such as voice assistants, has led to the development of similar security measures on these devices' network interfaces.
Each device class tends to have similar security properties when it comes to onboarding, communicating, deleting devices from an app and handling updates. Some patterns were repeated - for example, Wi-Fi devices tend to open an unauthenticated Wi-Fi access point for the new owner to use when they first connect from a mobile app, before they provide their home Wi-Fi router’s SSID and password for a more permanent connection. This lets the device be claimed by anyone who first connects to it, in a reasonable security tradeoff for the home environment.
What Are the Next Steps for the IoT Market Players?
The report clearly shows that significant security gaps persist in the IoT consumer market segment, which is to be expected because the basic market drivers have not changed. Manufacturers are aware of security requirements and the potential damage to their services and reputations, but these issues are still far behind in terms of priorities compared to time-to-market, functionality and cost considerations.
We cannot reasonably expect consumers to evaluate the security level of each IoT product they plan to purchase when even government-sponsored laboratories and security vendors have to spend significant efforts to reach these conclusions. What could help consumers is a labeling scheme, under which vendors undergo independent third-party evaluations in order to receive clear and reliable quality certifications for the security and privacy aspects of their IoT products.
Beyond adopting the considerations presented in the NIST IR 8267 report, manufacturers should rely on the many applicable standards that can help them implement a continuous security methodology with dedicated personnel and external reviews as part of the overall product development process. NIST and other regulatory and industry bodies have been helpful in providing security guidance to anyone who is interested in following it, and they should continue to issue and improve guidance aimed specifically at the IoT market so as to better deal with its characteristic problems.
IoT product security reviews, such as those performed as part of NIST IR 8267, are highly beneficial, but cover only a small sampling of the products currently available on the market. Another shortcoming is that their examination methods are comparatively shallow, covering only the device's network interactions. Deeper examination, including firmware extraction and full software component examination, is too laborious to be undertaken for a large selection of devices.
This is exactly where automation can help since automated security analysis products, such as VDOO Vision, can perform in-depth component and architecture analysis of an IoT product in a matter of minutes. They can also produce a mapping from existing standards, including NIST IoT cybersecurity standards such as NIST IR 8259, making it easier for manufacturers to ensure that they are fully compliant.
Bottom-line, a large part of the consumer IoT manufacturing ecosystem is still struggling to consistently apply even high-level best practice security controls across product categories. This leaves consumers with little or no way to tell whether the products they purchased are secure.
To solve this issue, IoT manufacturers need to leverage automated tools to quickly align their products with the existing security best practices and identify any deeper technical weaknesses that could expose vulnerabilities. An additional key step forward would involve regulators helping steer the market towards voluntary labeling. This way, consumers can simply and easily include product security in their purchase considerations, and the whole ecosystem would benefit from improved cybersecurity.
We applaud NIST for conducting this research and recommend that they continue with more in-depth testing of consumer IoT products, and undertake similar research efforts across other IoT domains.
Share this post