IoT and Digital Forensics

With a high level of internet usage among the G7 countries (Canada, France, Germany, Italy, Japan, the United Kingdom and the United States), the UK ranks among the top countries globally in number of internet users (12th, with almost 63 million users) and in e-commerce. Cyber security is therefore vital for the UK, yet the threat from various sources (criminals, hostile states, etc.) continues to rise, as highlighted in reports from the National Crime Agency (2016-2017 and 2017-2018).

The Internet of Things (IoT) and its associated threats continue to grow, and the race to stop attacks has increased in intensity. Attacks are becoming more complex and more frequent. The top countries of origin are the US, Russia, Germany and China, with the latter overshadowing the rest in volume of attack traffic. The attack traffic recorded by F-Secure's global network of honeypots tripled from the last six months of 2018 to the first six months of 2019. The availability and ease of use of hacking tools has lowered the bar to entry, allowing criminals and others to launch a multitude of attacks of varying sophistication and volume. Looking at the F-Secure 2019 H1 Threat Landscape report (Sept 2019), we can see that cyber attacks on IoT devices are now accelerating at an unprecedented rate, with a surge of 300% in 2019, which the report describes as 'Measured In Billions'. The countries to which the most attacks were directed were the US, Austria, Ukraine, the UK, the Netherlands and Italy.

In its simplest form, an IoT device has an IP address and communicates with other Internet-based devices. The broader idea, however, is that groups of these devices can form a rich, broad and diverse ecosystem that integrates other devices, people, communications and interfaces, allowing data to be shared at different levels. Many IoT devices are the result of the convergence of cloud computing, mobile computing, embedded systems, big data, low-price hardware and other technological advances. As more IoT devices are added to the Internet, IoT applications have multiplied and now range from sensors and smart meters to coffee machines and digital cameras. From a malicious perspective, Internet access opens additional opportunities as the attack surface widens. Potential attacks include information modification, message reproduction, network failure, device failures, data filtering, device modification, etc.

Unfortunately, the push to introduce support for desired IoT enhancements and features on a plethora of existing and new devices has led many manufacturers to rush development. As a result, authentication, encryption and device privacy are not always among the immediate priorities of IoT device manufacturers. Features such as remote device management can be very useful, especially when the location of a device is not easily accessible, but at the same time such a feature is one of the first to be attacked. According to the F-Secure report, a surprisingly large share of attack traffic, 760 million events, was measured on the Telnet protocol (a remote management protocol). At the same time, there are IoT devices offering remote access (an always-on, undocumented Telnet service) with hard-coded passwords set to "password" (CVE-2019-13473).
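The following added example (not from the original post or from F-Secure) shows how a defender can turn the Telnet observation above into an inventory check: it runs over constructed, simplified flow records and separates internal hosts that were merely probed on TCP/23 from those that actually answered, which is the sign of a listening remote-management service. Field names and all IP addresses are assumptions for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed flow records (NetFlow/IPFIX-style, simplified): one row per
# bidirectional flow, values made up for this example.
SAMPLE_FLOWS = """\
ts,src_ip,src_port,dst_ip,dst_port,proto,pkts_in,bytes_in,pkts_out,bytes_out
2019-09-12T10:01:03Z,198.51.100.7,51234,192.0.2.20,23,tcp,3,180,0,0
2019-09-12T10:01:04Z,198.51.100.7,51235,192.0.2.21,23,tcp,6,420,5,312
2019-09-12T10:01:09Z,203.0.113.5,40001,192.0.2.21,23,tcp,4,240,4,256
2019-09-12T10:02:11Z,203.0.113.5,40002,192.0.2.22,443,tcp,10,900,12,4800
2019-09-12T10:03:30Z,198.51.100.7,51240,192.0.2.20,23,tcp,2,120,0,0
"""
TELNET_PORT = 23


def parse_flows(text):
    """Parse the CSV flow export into a list of dicts (one per flow)."""
    return list(csv.DictReader(io.StringIO(text)))


def telnet_exposure(flows):
    """Group inbound Telnet flows by internal destination.

    A destination that sent bytes back (bytes_out > 0) has a listening Telnet
    service and is exposed; one that never replied was only probed."""
    report = defaultdict(lambda: {"attempts": 0, "answered": 0, "sources": set()})
    for f in flows:
        if f["proto"] != "tcp" or int(f["dst_port"]) != TELNET_PORT:
            continue
        entry = report[f["dst_ip"]]
        entry["attempts"] += 1
        entry["sources"].add(f["src_ip"])
        if int(f["bytes_out"]) > 0:
            entry["answered"] += 1
    return dict(report)


def exposed_devices(flows):
    """Internal hosts that actually responded on Telnet, sorted for reporting."""
    return sorted(ip for ip, e in telnet_exposure(flows).items() if e["answered"] > 0)


if __name__ == "__main__":
    for ip, e in telnet_exposure(parse_flows(SAMPLE_FLOWS)).items():
        print(ip, "attempts:", e["attempts"], "answered:", e["answered"],
              "sources:", sorted(e["sources"]))
```

Hosts listed by `exposed_devices` are the ones to take to the asset owner: a Telnet service that answers from the Internet needs to be disabled or placed behind a management network, not just logged.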

Digital forensics is the process of obtaining, analysing and using digital evidence in investigations or criminal proceedings in a repeatable and scientific way. As a matter of best practice, ProCheckUp employs industry-standard tools and techniques throughout the handling, processing and assessment of any evidence provided or acquired.

Computers are meticulous keepers of time: they record times and dates for a multitude of events that take place on them. Digital forensics utilises this essential auditing feature to determine the origin of identified artefacts. Limitations in processing power and memory size, as well as proprietary functionality, can limit the amount of recorded information that is accessible, and as such IoT devices may not provide analysts with sufficient access to the device's resources to carry out the necessary analysis. In addition, sufficient auditing of equipment and safeguarding the physical location of a device might not always be possible.

A recent NIST publication (NISTIR 8228, June 2019) sheds light on a number of issues relating to the use of IoT devices within organisations. IoT devices interact with the physical world in ways conventional IT devices usually do not, and cannot be accessed, managed or monitored in the same ways conventional IT devices can. In addition, the availability, efficiency and effectiveness of cyber security and privacy capabilities are often different for IoT devices than for conventional IT devices. Every IoT device operates within a broader IoT environment where it interacts with other IoT and non-IoT devices, cloud-based services, people and other components. An IoT device may not need some of the cyber security and privacy capabilities conventional IT devices rely on; for example, an IoT device without data storage capabilities has no data at rest to protect. An IoT device may also need additional capabilities that most conventional IT devices do not use, especially if the IoT device enables new interactions with the physical world. Another example is that IoT devices may communicate directly with each other, such as through point-to-point wireless communication, instead of using a monitored infrastructure network.

Modern computer systems generally still follow the original Von Neumann architecture, which defines a computer system as consisting of three main functional units: CPU, main memory and secondary storage. All these hardware subsystems are connected via data buses, with an operating system (OS) managing it all by bridging and interfacing as needed. Applications request resources and services from the OS via the system call interface and employ them to accomplish specific tasks. Traditional static digital forensic analysis, which focuses on examining duplicate copies of disks for deleted files, web browsing history, file fragments, network connections, opened files and user login history, is not always possible with IoT devices.

Here at ProCheckUp, we have performed a number of digital forensics cases involving IoT devices. We have often found IoT devices used against the recommended operating guidelines and without considering that their IoT capabilities do not necessarily make them the right device for the task. Due to various device and environment based restrictions, data that could be used as evidence during a digital investigation is not available. As such, a traditional digital forensics approach cannot be employed when a crime is committed. The physical location and accessibility, the remote access restrictions, and the power and computing limitations mean that evidence often has to be extracted from the group of devices the IoT device communicates with and then correlated so that it can be used in a computer forensic investigation. This adds time and effort to an investigation.
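As an added illustration of the correlation work described above and of the timestamp point made earlier (example code written for this page, not part of ProCheckUp's casework or tooling), the block below merges constructed evidence from three sources an IoT camera talks to, a gateway syslog in local time, a cloud API log in epoch milliseconds, and the device's own log whose clock was found to be 300 seconds slow when it was seized, into one UTC timeline. All log formats, hostnames, addresses and the clock offset are assumptions for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed evidence from three sources (all values made up for this example).
GATEWAY_SYSLOG = [  # gateway writes local time (UTC+01:00) with no zone in the line
    "2019-09-12 11:04:50 gw dhcp: lease 192.0.2.21 to aa:bb:cc:dd:ee:01",
    "2019-09-12 11:06:12 gw fw: ACCEPT 198.51.100.7:51235 -> 192.0.2.21:23",
]
CLOUD_EVENTS = [  # cloud service API log, epoch milliseconds, UTC
    '{"ts_ms": 1568282850000, "device": "cam-01", "event": "config_changed", "user": "api-key-3"}',
]
DEVICE_LOG = [  # the device's own log; its clock was 300 s slow at seizure
    "12/09/2019 10:01:20 login ok from 198.51.100.7",
    "12/09/2019 10:02:00 stream disabled",
]
DEVICE_CLOCK_OFFSET = timedelta(seconds=300)  # add to device time to obtain true UTC
GATEWAY_TZ = timezone(timedelta(hours=1))


def parse_gateway(line):
    """Gateway lines carry local wall-clock time; attach the zone and convert to UTC."""
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S").replace(tzinfo=GATEWAY_TZ)
    return ts.astimezone(timezone.utc), "gateway", line[20:]


def parse_cloud(line):
    """Cloud events are JSON with an epoch-millisecond timestamp, already UTC."""
    rec = json.loads(line)
    ts = datetime.fromtimestamp(rec["ts_ms"] / 1000, tz=timezone.utc)
    return ts, "cloud", f'{rec["device"]} {rec["event"]} by {rec["user"]}'


def parse_device(line):
    """Device lines use day/month/year and a skewed clock; apply the measured offset."""
    ts = datetime.strptime(line[:19], "%d/%m/%Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return ts + DEVICE_CLOCK_OFFSET, "device", line[20:]


def build_timeline():
    """Normalise every source to UTC and order the events into a single timeline."""
    events = [parse_gateway(ln) for ln in GATEWAY_SYSLOG]
    events += [parse_cloud(ln) for ln in CLOUD_EVENTS]
    events += [parse_device(ln) for ln in DEVICE_LOG]
    return sorted(events, key=lambda e: e[0])


def timeline_lines():
    return [f"{ts.isoformat()} [{src}] {msg}" for ts, src, msg in build_timeline()]


if __name__ == "__main__":
    print("\n".join(timeline_lines()))
```

Without the zone conversion and the measured clock offset, the device's "login ok" would appear to precede the gateway's ACCEPT for the same connection, which is exactly the kind of inconsistency that undermines evidence in court.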

In conclusion, the deployment and use of IoT devices to provide additional features, connectivity and continuous integration on corporate network environments should be done through a carefully thought-out plan. In the event of a computer forensics investigation, the limitations of IoT devices should be counterbalanced by the use of additional software and hardware that ensures critical data that can be used as evidence is available. Organisations should be aware of their existing and possible future IoT usage and must understand how the characteristics of IoT affect the management of cyber security and privacy risks, especially in terms of risk response: accepting, avoiding, mitigating, sharing or transferring risk.