Keysight Technologies has delivered a new Internet of Things (IoT) Security Assessment software solution that enables IoT chip and device manufacturers, as well as organizations deploying IoT devices, to perform comprehensive, automated cybersecurity assessments.
Increasing numbers of connected IoT devices enable hackers to leverage cybersecurity vulnerabilities for a range of attacks including malware, ransomware and exfiltration of data. According to Statista, the total installed base of IoT connected devices worldwide is projected to grow to 30.9 billion units by 2025 from 13.8 billion units expected in 2021.
“IoT device vulnerabilities are especially dangerous as they can facilitate sensitive data breaches and lead to physical danger, such as industrial equipment malfunction, medical device defects, or a home security system breach,” wrote Merritt Maxim, vice president, research director, and Elsa Pikulik, researcher, Forrester, in the State of IoT Security Report 2021. “In 2020, IoT devices were the second most common vector for an external breach and technology leaders rank security issues as a top concern plaguing or hindering IoT deployments.”
IoT security vulnerabilities – BrakTooth discovery
Recently, researchers at Singapore University of Technology and Design (SUTD) discovered a group of vulnerabilities, they named BrakTooth, in commercial Bluetooth chipsets that impact billions of end-user devices. The SUTD research was funded with a grant from Keysight. The SUTD published results were leveraged into improvements in Keysight’s IoT Security Assessment software.
BrakTooth captures fundamental attack vectors against devices using Bluetooth Classic Basic Rate/Enhanced Data Rate (BR/EDR) and is likely to affect Bluetooth chipsets beyond those tested by the SUTD team. “It is hard to accurately gauge the scope of BrakTooth affected chipsets,” commented Sudipta Chattopadhyay, assistant professor, SUTD. “We advise all Bluetooth product manufacturers to conduct appropriate risk assessments, especially if their product may include a vulnerable chipset. We are thankful to Keysight for generously supporting our research and the opportunity to collaborate with the experienced Keysight security team.”
The vulnerabilities, which include 20 common vulnerabilities and exposures (CVEs), as well as four awaiting CVE assignments, are found in Bluetooth communication chipsets used in System-on-Chip (SoC) boards. These pose risks that include remote code execution, crashes and deadlocks. The SUTD team responsibly disclosed the findings to the affected vendors, providing a means to reproduce the findings and time to remediate vulnerabilities.
“Research activities like these at SUTD are critical to improving cybersecurity in the connected world. If the good guys don’t improve it, the cyber criminals will take advantage of vulnerabilities for nefarious purposes,” said Steve McGregory, senior director of Keysight’s security research and development team. “While investment into research is needed and helpful, software and chipset manufacturers are responsible for delivering secure products using rigorous security testing.”
Keysight’s IoT Security Assessment software
Keysight’s IoT Security Assessment software leverages more than 20 years of experience in network security testing to reveal security vulnerabilities across any network technology. The software offers comprehensive, automated testing to rapidly cover a large matrix of known and unknown vulnerabilities.
IoT security assessments include novel cybersecurity attack tools and techniques for wireless interfaces such as Wi-Fi, Bluetooth, and Bluetooth Low Energy (BLE) to test known vulnerabilities, as well as to discover new vulnerabilities.
Development organizations can easily integrate Keysight’s API-driven solution into their development pipeline with a single API for control and reporting.
Organizations deploying IoT devices can leverage the software to validate IoT devices before they are delivered to end users and as new vulnerabilities become a concern. Ongoing research from Keysight’s Application and Threat Intelligence Research Center provides updates to the latest protocol fuzzing and attack techniques.