Thursday, December 16, 2021

Apache Log4j and IoT

Yes, this is yet another blog article on the vulnerability in the Apache Log4j Java-based logging framework, which was first disclosed (CVE-2021-44228) on Dec 9, 2021. Many brave souls spent their weekend patching their servers and other computers to version 2.15.0. And then, a new vulnerability was found in its replacement (CVE-2021-45046), which requires an upgrade to 2.16.0.

And then 2.16.0 did not solve CVE-2021-45105 so we are now (Dec 19) on 2.17.0.

There are right now many great articles by brilliant people on how the attack takes place, what you can do to detect whether your (Apple, Linux, Windows) systems are affected, and how to prevent it. Therefore, this article will do the unthinkable and instead focus on the security and privacy impact on Internet of Things (IoT) devices.

The Problem

According to IoT Analytics, the global number of IoT devices should be around 12.3 billion. That is a lot of coffee machines, fridges, Nest thermostats and cameras, Amazon Ring, smart televisions, insulin pumps, and talking toasters. And some of them are voice operated thanks to Alexa, Cortana, and Siri. How many of them have their firmware/OS updated once deployed? Is that triggered by the user, run on a schedule in the device, or pushed from the mothership to the appliance? How many of them can have their firmware/OS updated to begin with? And, so we can keep this on topic, how many of them use log4j?
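One way to answer that last question for a device whose firmware or application package you can unpack, as an added example that is not part of the original article: walk an archive, including JARs bundled inside other archives, and report each log4j-core copy together with the CVEs named above that its version does not yet fix. The `pom.properties` and `JndiLookup.class` paths are where Maven-built log4j-core JARs carry them; `scan_archive`, `open_cves` and `make_jar` are hypothetical names, and the sample archive is constructed.

```python
import io
import re
import zipfile

# Release that resolves each CVE, as stated in the article. Backport branches
# are not modelled, so treat the result as a triage hint, not a verdict.
FIXED_IN = {"CVE-2021-44228": (2, 15, 0), "CVE-2021-45046": (2, 16, 0),
            "CVE-2021-45105": (2, 17, 0)}
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def open_cves(version):
    """CVEs from the article not yet fixed in this version ('unknown' -> all)."""
    nums = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    nums += (0,) * (3 - len(nums))
    return sorted(c for c, fixed in FIXED_IN.items() if nums < fixed)


def scan_archive(data, label):
    """Yield (path, version, open_cves, has_jndi) per log4j-core copy, nested archives included."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        if POM in names or JNDI in names:  # shaded JARs may lack pom.properties
            props = zf.read(POM).decode("utf-8", "replace") if POM in names else ""
            m = re.search(r"^version=(\S+)", props, re.M)
            version = m.group(1) if m else "unknown"
            yield label, version, open_cves(version), JNDI in names
        for name in sorted(names):
            if name.lower().endswith((".jar", ".war", ".ear")):
                yield from scan_archive(zf.read(name), f"{label}!/{name}")


def make_jar(files):
    """Build an in-memory archive from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    old = make_jar({POM: b"version=2.14.1\n", JNDI: b""})
    app = make_jar({"lib/log4j-core.jar": old, "app.properties": b""})
    print(list(scan_archive(app, "firmware/app.war")))
```

To scan a real file, pass its bytes and path: `scan_archive(open(path, "rb").read(), path)`.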

Even without this new vulnerability, IoT devices are not known for their initial security settings or capability to be upgraded to remain secure. Nest is actually one of the better ones, but attacks on it have been documented, including simply hacking into the users' accounts to identify the patterns and find the best times to rob their houses (ideally when you are away for a few hours).

Some claim the strong point of most IoT devices is that they are connected using WiFi, as if that makes them more secure than being connected using Ethernet or fibre. In other words, such a device "is completely a wireless device that has a low tendency for vulnerabilities." That assumes the wireless network is impervious to attacks, which is not the case in reality. First, it does not require the attacker to be physically in the location; just being in the parking lot suffices. Second, it gives the upper hand to patient criminals. Finally, someone can break into the website used to manage these devices and push a malicious payload that helps scan the target network and its traffic in search of vulnerable devices. The log4j vulnerability is but one more in their arsenal.

Privacy Impact

The kill chain here is business as usual:

  • Get a foothold through an IoT device
  • Upload shellcode and/or packages to this device
  • Use the device to scan the network to learn the lay of the land and to locate more potential targets.
  • Rinse and repeat until finding useful data, be that in the form of files and passwords or just enabling microphones and cameras.

The attacker who is there just for the joy of breaking in will then post captured pictures and videos, and send messages back to the IoT device owners as shown in the previous video. The more malicious attacker will harvest as much personal data -- account info for other services, medical info, videos and sound recordings -- as possible, compromising not only the current victim but also future ones known by the current target.

"So, where's the privacy impact?" you may rightfully ask. When our criminal friend successfully exploited the vulnerability, he committed a security breach. Now, when he then stole medical records, credit card info, account information, and even monitored the house in the last paragraph, he committed a privacy breach; and that is where the money is.

Let's revisit the video I linked earlier. The Merriam-Webster dictionary defines privacy as the quality or state of being apart from company or observation. That attacker can view and listen to everything that family does in their home, so by definition this family's privacy is compromised.

Let's now look at it from a business standpoint: the fines imposed by GDPR for exposing personal data from a person (GDPR calls that a Natural Person) are up to 20 million Euros or 4% of the annual global revenue (table stolen from a previous article). I am not saying it will always be that much, but the data protection authority will not be pleased if this was due to devices that were designed so they cannot be updated.

But don't take my word for it. We already mentioned how serious the GDPR is about data breaches. It is not alone; NIST is also concerned about IoT security, and created a program to help governments, industry, academia, and consumers become aware of the issue and minimize its impact.

Useful resources