Securing IoT: Closing the Gateway into the Company Network
Maik Morgenstern, CTO of the AV-TEST Institute, reports on how AV-ATLAS collects data about attacks on the Internet of Things (IoT) and supports the defense against them.
This interview has been adapted from the original version published in German at https://www.eco.de/news/das-verstaendnis-fuer-die-sicherheit-der-dinge-im-internet-ist-gering/
Mr. Morgenstern, you recently took your new platform AV-ATLAS IoT live.
Correct, the new module for real-time assessment of the IoT threat situation enriches our Threat Intelligence Platform AV-ATLAS. In addition to recording the general threat situation caused by malware, so far ATLAS has kept an eye on the dangers to which users of individual operating systems, in particular, are exposed. That means that previously on ATLAS, you could find analysis data and evaluations of the threat situation of Windows, Android, MacOS, and Linux systems. And since our systems have naturally been recording and analyzing the threat posed by IoT-based malware for years, the integration of the IoT module was in the end a logical step to make our IoT data collection visible and usable for end users and product manufacturers. Within the scope of our testing and certification, we have long been making a contribution to the security of IoT and smart home products. Now, with the availability of security-relevant data, a further component has been added.
How does ATLAS IoT work and what results do you get?
The collection of IoT data rests essentially on two pillars. On the one hand, we use IoT-relevant honeypot systems to collect real-time data about attacks on unprotected or poorly protected systems. Among other things, we can learn about which servers the attacks are started from, and with what intensity and duration they are being carried out. However, we also record the login data that is used, the commands that are executed during an attack, and the files and malware that are uploaded through these systems. As a second pillar – and this is certainly our unique selling point – we can analyze malware used for attacks via our detection systems – systems that have long since proven themselves in the testing of security products. This creates a very accurate situation report of an attack.
Such information can be utilized by users to optimize their IoT products, and in this way improve their security. This is why we offer this information on AV-ATLAS free of charge. We also offer manufacturers – for a fee – feeds of much more comprehensive material – such as detailed information about identified malware, along with many other types of information – for optimizing devices and services. This allows IoT manufacturers to adapt their products and the web services and apps that are connected to them accordingly, and to seal them off against current and future attacks. Just visit AV-ATLAS and see what it’s like!
Why is it important for AV-TEST to check the security of things on the Internet?
I think by now almost every consumer has at least one IoT device in their household, whether they are directly aware of this or not. You almost need to do research to buy a television that doesn’t have an Internet connection and “smart features”. Fitness trackers are just as common, vacuum cleaning robots and surveillance cameras are found in more and more private households, and don’t even get me started on voice assistants like Alexa, Google Home, and Apple’s HomePod. But also more and more everyday things – toothbrushes, children’s toys, and all the rest – suddenly need to be “smart”. Naturally, the manufacturers of such products come from all kinds of sectors, just not from the IT industry. And as a result, the understanding of the security needed for things that are connected to the Internet is usually correspondingly low.
However, IoT devices are also gaining ground in industrial manufacturing and other critical economic sectors, such as healthcare. This development cannot be turned back, and to be honest, it does basically make sense. But large unprotected production areas are also an excellent target. Existing production areas can, for example through digital sabotage, determine the success or failure of companies. However, the misuse of computing power for the illegal “mining” of digital currencies at the expense of others’ IT infrastructure is also increasing, as shown both by last year’s data as set out in our latest security report, as well as by the most recent ATLAS analyses.
In the recent past, we have also seen frequent online attacks on hospitals. Sabotage, extortion, and other offenses can often be carried out with greater force in the digital space – conveniently from a distance and (from the perspective of the criminals) at best anonymously. In the future, more and more of this is to be expected, and companies would do well to arm themselves as well as possible, but also to develop concepts for dealing with IoT attacks, and to drill the reaction to such dangers with their employees, just like you do fire drills. With AV-ATLAS, we want to create awareness of this, and our data of course also helps to defend against such attacks.
What are the concrete dangers for consumers and companies if they neglect IoT security?
A prime example comes from the attacks by the IoT malware Mirai, which began in September 2016 with hundreds of thousands of hijacked IP cameras. In addition to the possibility of abusing such devices for executing attacks over the Internet – for example, by attackers combining them into large botnets and using their concentrated computing power to attack websites or other infrastructure connected to the Internet – poorly protected IoT devices are also excellent for collecting data. In addition, in the current situation, many employees of large companies are currently working from home. Often, company hardware is used that is not infrequently located in the same Wi-Fi network as insecure IoT devices. In the current situation, even an attack on a private household can lead via detours into company networks.
For home users, insecure IoT and smart home devices can also cause other inconveniences. With insecure IP cameras, the example is obvious: Users can not only be spied on and listened to when they are at home. In fact, attackers can also find out when they are not at home. And the IP address makes it easy to identify the location of the camera to the nearest meter using services such as Google Maps. But significantly worse was the case last year of a smartwatch for children. These were actually designed to show the parents the position of their child at any time. Due to a server vulnerability, however, the position data of thousands of children was available online for everyone, including potential criminals. We were able to warn the manufacturer accordingly and to obtain a market recall until this vulnerability was closed. Another problem is the storage, forwarding, and sale of user data. This data, obtained from a range of providers, is often collated to form comprehensive profiles. This may sound harmless at first, but in the hands of an insurer or a bank, blood pressure readings from the fitness tracker may ultimately determine whether or not a customer gets a contract or a loan. You see, there are some reasons not to neglect the security of IoT.
How do you assess the current efforts on the part of the state (e.g. in Germany) to secure IoT devices?
Until recently, the protection of IoT devices was essentially ignored by governments. It was only with the Mirai attacks that I mentioned earlier – such as large-scale attacks on routers, for example – that institutions such as the Federal Office for Information Security (BSI) took up this issue. This annoys me all the more, given that we had already drawn the attention of authorities to the problem years earlier in the relevant committees. As part of our certification program for IoT security, which we started seven years ago, and even in the research years before that, we were constantly dealing with this topic in the relevant offices. Now, in July of 2020 – so, years later – ETSI EN 303 645 has emerged as a guideline for a minimum-security standard. However, as consultants, we were neither brought on board to develop this policy nor were we informed about its development. In general, we naturally support such a guideline. However, the way it came about and some of the stipulations made show that it would certainly not have been time misspent if they had taken the chance to gain advice from testing practice, to put it mildly. Therefore, we at AV-TEST, as a research and testing institute – as well as a long-standing certification body – do expect that the European standardization organisation ETSI will consult us on the further development of the test specifications in the already announced EN 303 645.
What do you wish for the future – how should companies plan IoT security going forward?
In the course of our testing practice, we have seen many bad examples, but also some very good ones. In general, we would like to see manufacturers and providers of smart home, eHealth, and other IoT products take security by design and privacy by design into account right from the planning stage of products and services. Above all, we’d like to see end users taking it seriously, and making the security of such devices a decisive factor in their purchasing decision. Manufacturers who provide security updates over lengthy periods of time, who ensure secure encryption during data transport, and who protect the privacy of their users will of course need to charge higher prices than a manufacturer who offers cheap goods from China, does not care who produced the associated app, and also earns money from selling the user data produced on the device. Buyers need to recognize this difference and with their purchase decision support manufacturers who have their products tested and certified accordingly. In the long run, users will also save money in this way. After all, selling their data can become much more expensive for them in the long run. If we do not want minimum security to be prescribed by the state, it must become a selling point.
Maik Morgenstern has a diploma degree in Engineering and is a CEO and the Technical Director of AV-TEST GmbH. He manages the planning and implementation of new test scenarios, our technical innovations, and our continuous reaction to new threats.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.