Last month we got another reminder that too many IoT devices lack proper security. English security services firm Pen Test Partners demonstrated that Silicon Labs’ Z-Wave protocol can be hacked through a downgrade exploit they call Z-Shave. Bleeping Computer describes the exploit as follows:
“The attack ... relies on tricking two smart devices that are pairing into thinking one of them does not support the newer S-Wave S2 security features, forcing both to use the older S0 security standard. The problem, as security researchers from Pen Test Partners have explained this week, is that all S0 traffic is secured by default with an encryption key of ‘0000000000000000.’”
This is potentially a huge problem because of the traction Silicon Labs semiconductors, many of which use the Z-Wave protocol, have among IoT device makers. After all, Z-Wave is like a turbocharged Bluetooth. Instead of losing connection after, say, 20 feet, Z-Wave can pair devices that are over 300 feet (100 meters) apart. According to Bleeping Computer, over 100 million IoT devices currently use Z-Wave, so this isn’t a hypothetical problem that we’re talking about.
This exploit is yet another example of what can happen when machines don’t properly identify themselves before they share encrypted communications. It also shows how easy it is to lose sight of the importance of securing machine identities on both sides of such an interaction. Realizing the impact of these machine identities only after an event like this one is too late.
Jing Xie, senior threat intelligence analyst at Venafi, explains that IoT compromises can cause severe consequences to businesses and society, especially given that IoT ecosystems tend to be deployed at a massive scale. “The scale and all-connected nature of these machines sets a good stage for magnifying the damage,” she says.
Xie says that the Z-Shave exploit in itself won’t bring about “the end of the world,” although she points out that “this is true of all vulnerabilities until they are exploited and cause damage.” And Xie understands why Silicon Labs would want to present their side of the story in a way that downplays exposure, given that attackers have only a brief time window to carry out this type of attack.
Nevertheless, Xie says it’s undeniable that a design and implementation that ship with a hardcoded encryption key lack basic security considerations:
“The opportunistic mentality at play here is unacceptable. It reflects the belief that because no severe harm was done during this exploit, users will be just as lucky next time. When confronted with hard evidence, it'd be wiser to own the fault and take an effort to learn the lesson and do better in the future.”
And weaknesses like this one could lead to worse IoT-based exploits in the enterprise world than those seen in the consumer world:
“As more and more enterprises embrace IoT technologies in their infrastructure and applications, their businesses' IoT dependency deepens. Without the forethought of built-in security, they would not be able to escape the fate of being the primary target of bad guys. Therefore, IoT security must be taken seriously by everyone from now on. We need to anticipate attacks as opposed to being reactive to them.”
Virtually all security breaches, whether human- or machine-based, involve a fake identity, Xie continues. The Z-Shave hack shows that “these IoT devices cannot efficiently build a trust relationship among themselves.”
Xie goes on to say:
“Lying at the core of this issue is the fact that these IoT devices cannot efficiently build a trust relationship amongst themselves. A trust relationship is the foundation of authentic and secure activities in our society, physical and cyber. The decades of digitalization of the world have brought us more sophisticated and modern machine identities such as X509 certificates, which have been underpinning our current encrypted web and sustaining the automated machine-to-machine authentication. It is imperative for the IoT paradigm to parallel efforts to secure modern machine identities. Machine identity protection, therefore, should be brought to the forefront of security prioritization.”
No doubt you’re reading this blog (and the Venafi blog in general) because you’re concerned about protecting machine identities. This concern only grows when you consider the challenges of locating and monitoring IoT machine identities, given that IoT devices seem to be multiplying like tribbles. And you probably realize that you cannot depend on device makers themselves to keep your organization safe.
If you need this type of capability (and what enterprise doesn’t?), Venafi can help. Our platform protects encrypted communication and automatically blacklists rogue certificates and communications. So, contact us at firstname.lastname@example.org, and together let’s avoid another close Z-Shave.