Internet of Things
for hardware addresses. With IoT devices in the mix, “rogue” takes on a whole new mean- ing. Their presence may not originate with employees, and because the sensors and data sources used to connect devices may them- selves be “rogue.”
A vulnerable, unpatched thermostat, re- frigerator or dishwasher in the staff kitchen, or smoke detector in an otherwise hardened building, could become part of a global bot- net like Mirai, and be used to attack other systems, even other governments.
Any device that uses voice commands to operate must, as TripWire’s Leslie Sloan wrote in 2016, always be listening “and send- ing that captured data back to its control- ling server.” People discussing sensitive data related to government operations must take extra care around these devices. Finally, per- sonal wearable devices such as fitness bands or even surgical implants may interact in un- intended ways with facility networks.
Securing—and Investigating—
the Network
A “simple IoT architecture,” Shawn Wasser- man wrote in 2016, “includes devices within a firewall, wireless devices outside the fire- wall and having those devices connecting into the IoT platform. Then, all of this will be used in an application that will use the data from the devices to perform a function. All these systems, applications, and develop- ment tools used to make the system must be made secure.
“The issue is that because all of these different systems are under the control of various organizations on the vendor, cus- tomer, and public levels, it can be confusing to establish who is really responsible for all of this IoT security.” In addition, IoT comes into play when employees or contractors work from home.
Reflecting that “network administrators need to know exactly what is in the environ- ment, or the network—including when an adversary has switched out one device for another,” government R&D nonprofit MI- TRE issued a challenge in late 2016 to build “a unique identifier or fingerprint to enable administrators to enumerate the IoT devices while passively observing the network.” (A Georgia-based team won.)
Such proactive measures, however, must
be backed up by strong investigative pro- cesses when a reactive, post-breach stance is needed. In other words, IT security staffs need to know how to obtain forensic data from IoT devices, as they would for any sus- pect mobile device or laptop.
Where Can Forensic
Data Come From?
Where IoT data is stored isn’t as simple as imagining a FitBit, Nest, or Echo Dot as if it were a computer or smartphone. The amount of data stored on these devices may be com- parable to a vehicle or aircraft digital or event data recorder, storing only a limited amount of history. For example, the Amazon Echo and Echo Dot only store less than the last 60 seconds of recorded sound in their local stor- age buffers.
The bulk of telemetry and other usage data is instead likely to be accessible from a paired, “controller” smartphone, or from the user’s account in the cloud. In addition, ser- vices such as OnStar, available with GM Fleet connected vehicles, can generate data with forensic value associated with automated collision response, stolen vehicle assistance, Wi-Fi hotspots, and turn-by-turn directions among other services.
OnStar Wi-Fi hotspots and direction guidance can provide location related infor- mation, including destinations, while time stamps provide time-related context as well as putting the user in a location at a particu- lar time. Timing also comes into play with remote commands. Time- and location-re- lated “patterns of life” in a work context can show both expected and unexpected travel activities.
The proliferation of IoT devices, need- less to say, demands continued research— a cooperative effort, wrote Wasserman, on the part of security and engineering experts together. Researchers need to examine more closely whether and how much data is stored on devices, including becoming trained and equipped to remove memory chips if needed to collect the data via JTAG or chip-off processes.
Investigators also need the software to re- cover data from the cloud, bearing in mind that it’s another data source for a corporate investigation as encryption on smartphones and computers becomes more prevalent.
Finally, careful coordination with human resources and legal teams is important when it comes to the impact of personal employee devices on a government network. Most em- ployees understand that they have less of an expectation of privacy while at work, using work resources—whether a device or a net- work—to complete tasks.
However, when it comes to wearable devices like FitBit, employers may need to tread more carefully. Employees’ personal health information (PHI) including heart rate, physical activity, and sleep patterns are accessible from their devices. The data has proven useful in criminal cases, including rape and homicide allegations, but may be of less value in internal investigations.
IoT can be valuable for individuals, busi- nesses, and governments alike, but its risks must be carefully understood and proac- tively managed. This includes knowing how to conduct investigations on the devices, the cloud servers that store their data, and the smartphones that control them—for both re- search and investigative purposes.
Christa Miller is a content specialist at Magnet Forensics.
GS12
GOVERNMENT SECURITY MAY 2018
Denis Faraktinov/Shutterstock.com