By Alexander Duffy, Security Solutions Architect, emt Distribution

In September last year, the ABC Investigations journalism unit published an in-depth report
looking into the use in Australia of surveillance cameras manufactured by Chinese companies, Hikvision and Dahua, with security ramifications for any organisation installing Internet-connected devices.

Security researchers assert that vulnerabilities in Hikvision and Dahua cameras leave them open to malicious actors looking to syphon off video, audio and other data. Both companies have also been accused of spying on behalf of the Chinese Government and have been banned from U.S. government use.

According to Terry Dunlap, Co-founder of ReFirm Labs, governments are taking the right step in evaluating whether Chinese companies like Hikvision are an acceptable risk as suppliers.

“Chinese firms have a long history of embedding backdoors in their equipment,” said Dunlap. “And it’s not happening by accident – in 2013, we found purpose-built backdoors in Huawei equipment. In 2017, we saw the same embedding technique in Dahua security cameras, which the U.S. Congress then banned in 2018.

“All telecom gear coming from China that is placed into critical infrastructure, for example, needs to undergo a thorough security vetting from top layer applications all the way down to the firmware level where we see backdoor implants. Companies need to think twice about purchasing Chinese-made equipment if they don’t have vetting and monitoring capabilities in place to detect such backdoors and implants.”

ABC Investigations found the Chinese cameras above the entrances to the Australian Government Solicitor headquarters in Canberra and an office block used by the Department of Home Affairs and Attorney-General, AUSTRAC, and the Office of National Assessments. Another camera – removed once the Department Of Defence became aware of it – was found at the RAAF Base Edinburgh in South Australia.

Surveillance cameras and telecommunications equipment are just some of the Internet-connected devices subject to cyber attack. There are thousands of other kinds of vulnerable devices described by the term ‘Internet of Things’, and they number in the millions if not billions.

While most organisations have taken increased measures in recent years to strengthen the security of their information systems, many overlook device security. Not surprisingly, vulnerabilities in IoT devices are often the easiest targets for threat actors  and often represent the initial point of entry into organisations’ networks.

In a breach featured in a webinar by Joseph Carson, Chief Security Scientist at Thycotic, an attack by Somalian pirates on a secure database detailing shipping movements was initiated by exploiting wireless lights that had been incorrectly configured, giving hackers network access.

Unfortunately, the security measures most organisations currently have in place don’t effectively protect IoT devices. Current security measures don’t effectively protect firmware, and fail to proactively address vulnerabilities before it’s too late.

In a 2018 report, research firm Gartner predicted that until 2020, the biggest inhibitor to growth for IoT security will come from a lack of prioritisation and implementation of security best practices and tools in IoT initiative planning. “In IoT initiatives, organisations often don’t have control over the source and nature of the software and hardware being utilised by smart connected devices,” said Ruggero Contu, research director at Gartner.

As cyber intrusions become more commonplace, CSOs and CISOs have to look towards more innovative solutions to protect their organisations. Among the challenges they face is allowing business units to meet the demand for IoT devices with the confidence that they do not pose a security risk.

The introduction of cyber security tools into Australia and New Zealand for vetting, validation and monitoring of organisations’ firmware security has now closed this security gap for enterprises, government agencies, operators of critical infrastructure, and other organisations.

With these tools, organisations reliant on IoT devices can vet firmware images for vulnerabilities in around 30 minutes, without requiring source code, giving them confidence in the choices they make. Without them, they could be learning about the vulnerabilities they have introduced to their networks, or their customers, from the media.

About the author
Alexander Duffy is Security Solutions Architect for emt Distribution, the Australia and New Zealand representative for ReFirm Labs, which provides the industry’s first IoT and firmware security solutions that proactively vet, validate and continuously monitor IoT devices for hidden threats.