
Check Point experts discuss IoT security threats and ways to prepare for them

Eyal Manor and Oded Vanunu of Check Point speak to asmag.com about how manufacturers and users can implement security principles in their IoT products.
Eyal Manor, Head of IoT, Threat Prevention, and Security Management Product Management at Check Point, and Oded Vanunu, Chief Technologist for WEB 3.0 and Head of Product Vulnerability Research at the company, speak to asmag.com about how manufacturers and users can implement security principles in their IoT products.
 
Q: What do you see as the biggest gap in IoT cyber security management?
 
Manor: Organizations rely on edge devices to deliver connectivity. These are devices like switches, routers, remote access devices, etc. However, in the last 18 months we discovered that many of them have exploits that allow attackers to gain access to the network. And this is across all vendors: Cisco, Fortinet, Palo Alto, Check Point all were compromised.
 
The problem is that we are dealing with masses of devices (for example printers, IP cameras) that can be used as penetration points.
 
Usually these are relatively sophisticated attacks that are mostly used by government actors. However, there is always spillover from state-level attackers into the criminal world. A government intelligence agency will find the undocumented breach and use it, sometimes for a short attack, and sometimes for a long time, and this is where the most value for the attacker is being gained. But once it is discovered, the tool becomes commercial and criminals start using it. And once it is out there, a huge number of scammers and criminal groups immediately try to make money from it.
 
The biggest gap I see in IoT cyber management is the lack of a sense of urgency, of priority, and of understanding that IoT vulnerability is a problem. Companies know how many users they have, how many laptops they have, but they don’t know how many routers they have, how many edge devices, which passwords they use, etc. The tools to secure these devices exist, but there is a lack of awareness and priority across most organizations to tackle this problem. Even companies that recognize the importance sometimes delay remedying the problem with operational excuses like “it is hard to change passwords, patch, discover all the devices” etc.
 
We need to put the same level of awareness and attention to IoT and mobile devices. It’s one of the huge attack vectors.
 
Fortunately, regulation is pushing awareness. GDPR is a prime example: once the regulator forces vendors to make changes, this is a good incentive. In the USA, the Biden administration started regulation (U.S. Cyber Trust Mark) that deals with IoT – who you buy from, what is inside, etc.
 
Q: What is the Check Point approach?
 
Manor: We want to provide security for IoT that is seamless and simple. We understand the difficulty in mapping all the devices in the organization. What we are doing is leveraging the footprint of the existing network security appliances: we learn the network, identify the devices, and what they are expected to deliver. If there is something out of the ordinary, we block it. We are trying to bridge the gap between the inability of the organization to map the devices and figure out what is going on. You need to build an inventory of what devices you have and identify the exposure, and the hardest problem is to decide what is right and wrong when you analyze the traffic. Take an appliance like a Smart Screen or Smart TV. Is it OK when it connects to the internet? The answer depends on what the traffic is trying to do.
 
Q: What emerging IoT security challenges should industry prepare for?
 
Manor: From the attacker’s point of view, they need to invest less energy to get maximum impact. Once IoT devices are exposed to the internet, they become an easy attack surface. AI is probably helping attackers to identify exposure faster and manage the attack faster. The devices are designed without security in mind, due to economic considerations, and then anybody who has the dedication and passion to put in a few days of work can analyze the device and execute an attack if there are no security guardrails.
 
Interviewee: Oded Vanunu, Chief Technologist, WEB 3.0 & Head of Product Vulnerability Research
 
Oded has been at Check Point for the last 22 years. He serves as chief technologist and head of vulnerability research, and focuses on the offensive side of cyber security: investigating, hunting, and uncovering cybercrime activities. In his role, he identified and released hundreds of vulnerabilities to the industry and the infosec ecosystem. He is also the author of a book about hacking in crypto and blockchain and the CTO of a new firewall for a blockchain product that is now being developed.
 
In our interview, we discussed how manufacturers and users can implement security principles in their IoT products and the role and importance of regulations.
 
Q: IoT devices’ abundance combined with the complexity of modern-day environments makes them a growing attack vector. If you are a CISO, what is the first thing on your agenda?
 
Vanunu: Let’s try to tackle and understand the problem. First of all, we need to understand how attackers think and exploit these devices. Each IoT device has two aspects: the hardware and the software.
 
The hardware includes all the chipsets and hardware processes, and each one has its own relevant software on top of it, its own firmware. When a manufacturer releases this device to the market, if an attacker gets hold of such a device, they can reverse-engineer it and look for vulnerabilities in the software that will allow them to penetrate and execute code on the device.
 
In my research at Check Point, I uncovered breaches in Amazon Alexa that allowed me to upload malicious skills to the device and control it. We discovered vulnerabilities in the LG smart home ecosystem and DJI drones (accessing user SaaS accounts – pictures and locations). The risk is that once a smart home device is connected to the network, it is considered a trusted device. If a hacker gains access to it, they can eventually infiltrate and attack the entire network.
 
IoT devices are more vulnerable for two main reasons: First, their sheer number—there are billions of them. IoT home devices (like cameras or smart home devices) are the most common and, therefore, the most prone to attacks. OT devices, by nature, are more specific and require a more targeted and “tailor-made” approach from the attacker, usually seen with state-backed attacks.
 
The second reason is that IoT providers do not design their products with cybersecurity in mind. They focus on cost control and speed to market, which opens the door for supply chain attacks. Since the hardware has so many moving parts, CISOs and information security teams must ensure that all hardware and software are aligned and up to date. They need to maintain data integrity across software and hardware components and ensure that manufacturers implement secure configurations that are verified to prevent tampering. Check Point offers a solution for IoT products that integrates security at the hardware level.
 
Q: What role do regulations or standards play in ensuring IoT security?
 
Vanunu: The key to tackling this problem is ensuring the integrity of IoT devices at the manufacturing stage, before they are released to the market. Regulation is needed, and its governance should be the responsibility of governments or cybersecurity agencies. These bodies can help manufacturers ensure that their products are cryptographically signed and tamper-proof before being deployed. Ideally, regulations should also mandate that IoT devices be regularly updated to maintain security over time.
 
Q: What are the key principles for IoT cybersecurity?
 
Vanunu: Since IoT devices communicate with the rest of the network, security should follow a layered approach to limit access. At the hardware level, security measures should be embedded by the IoT vendor. At the software level, there should be a network-based security solution that monitors for malicious connections. I don’t see Zero Trust happening in IoT because most manufacturers lack the skills, knowledge, and budget to implement it. Check Point is filling this gap by assuming that users won’t update their devices and instead focusing on protecting against network attacks proactively.
 
The third layer is access control—who can see and control the device, both physically and logically. IoT devices should not be isolated but should be integrated into a company’s overall security controls, as they are part of the critical infrastructure.

Q: What strategies do you recommend for implementing IoT security measures? How can companies secure legacy IoT devices that can't be easily updated or replaced?

Vanunu: The key problem with IoT devices is that no one is updating them, and many manufacturers are not prioritizing cybersecurity. Hundreds of vulnerabilities are discovered every day. However, from a user perspective, simply being aware of the device and controlling access can enhance security significantly.
 
Users should never expose devices to the outside world, and should maintain controlled access, enable two-factor authentication, and change default passwords. These simple steps can prevent many potential attacks.

