Intrusion detection software lowers Internet of Things (IoT) risk

Intrusion detection software (IDS) for the IoT: What’s the point of protecting your embedded devices if you can’t tell if they are under attack? Why intrusion detection software is essential for web-connected devices.

By Alan Grau June 24, 2015

IoT devices bring the promise of business optimization, remote patient monitoring, assistance in finding parking spaces, increased automation, and a host of other benefits, some not yet even conceived. But this vast proliferation of connected devices also creates an ever expanding attack surface for cyber attacks.

Many IoT devices are small and inexpensive, built on low-cost hardware and software that lack the computing power and memory to run the security software found in today’s information technology (IT) and home networks. Instead of Microsoft Windows or Linux, embedded real-time operating systems (RTOS), such as FreeRTOS, OpenRTOS, and other small commercial RTOS, are gaining popularity in low-end IoT devices. While these solutions let original equipment manufacturers (OEMs) minimize a product’s bill of materials, they do not provide pre-integrated security to protect the devices from inevitable cyber attacks.

Those who argue that low-end devices will not be targeted by hackers because of the technical difficulty of attacking proprietary systems, or because of the obscurity of the devices, are being shortsighted. Security by obscurity works only until someone makes a determined effort to discover vulnerabilities in a device. Even if hacking the device is technically difficult, once a vulnerability is discovered by a sophisticated hacker, the attack can be automated and published on the Internet for anyone to use. Tools such as Shodan can be used to easily find embedded devices connected to the Internet. Because IoT devices are mass produced, and each unit is essentially identical, one vulnerability can be used to exploit hundreds, thousands, or even millions of devices.

First layer of defense

Intrusion detection software (IDS) can be a first layer of defense. One of the most significant security problems for embedded devices today is the inability to know when a system is being attacked or to even know when it has been compromised. Most devices lack the logging and reporting capabilities used by enterprise security solutions to detect when a hacker is probing or has penetrated a network or device.

To see how an IDS solution can help protect IoT devices, consider a typical embedded device with an administrative interface available over hypertext transfer protocol (HTTP) or telnet, using a username and password for access control.

A hacker who discovers this device could use a script to perform a brute force attack, trying thousands of log-in attempts per hour until the script finds a user name and password that are accepted. Most embedded devices simply process each password attempt as it is received: each time password validation fails, the device drops the request and continues its normal processing. It is not aware that it is under attack and, therefore, cannot report the attack to a management system.

If a sufficiently strong password is configured, the hacker may not succeed in compromising the device. But users are prone to choosing weak passwords, leaving many devices susceptible to simple attacks such as this. Default account names such as "admin" or "root" are easily guessed and further reduce the security of these devices.

An IDS solution would be able to provide, at a minimum, event reports or alerts detailing the flood of login requests received by the device. A security administrator would see that a device that normally gets a few login attempts per hour or day is suddenly receiving thousands of login attempts and could take action to mitigate this attack.


Early detection importance

Most cyber attacks don’t happen as portrayed on TV. Hackers don’t penetrate a network, discover the critical information they are seeking and execute a destructive cyber event with a few keystrokes or in a matter of minutes. A cyber attack begins with a hacker or hacking group probing a network, searching for vulnerabilities, or using social engineering attacks to gain initial access into the network. Once access is gained, they will use this access point for reconnaissance, exfiltration of data, and to penetrate deeper into the network.

Often, hackers will create new user accounts or make other changes that will ensure future access to the network in case their original access point is disabled. They may also install sniffers, data loggers, keystroke loggers, or other programs that allow them to gather information.

This cycle of probing, exploiting a vulnerability, gaining access, reconnaissance, and exfiltration of data may be repeated many times, sometimes over a period of many months or even years, before the break-in is discovered or the hackers carry out any destructive activity. I have heard estimates of the average time from initial penetration to discovery of the attack ranging from six to nine months or more, depending upon the source.

Obviously, the earlier attacks are detected, the easier mitigation becomes and the greater the chance of limiting or preventing serious damage or loss of information.

Role of embedded devices

Most IoT devices are really just connected embedded devices, not complete PCs with sophisticated anti-virus or malware defenses. The recent data breach at retail store Target shows the importance of intrusion detection in embedded devices. The entry point into the network for the Target hackers was an HVAC system, a connected embedded device. IDS on the HVAC system could have supplied the information needed for early detection and prevented, or at least limited, the impact of this attack.

A well-designed IDS system would have provided notification of all logins to the HVAC system, reports of significant increases in network use, and notifications of connections to and from previously unknown Internet Protocol (IP) addresses. Any of these activities should then have triggered a closer look at what was happening with the HVAC devices.

IDS implementation

An IDS system for an embedded device can generate logs and alerts of critical events and forward this information to a security management system or a corporate security information and event management (SIEM) system for analysis and action.

The IDS capability can be implemented within the resource-constrained environment of low-end RTOS-based IoT devices. The goal of such a system is not to provide IP reputation scoring, threat signature matching, detailed event analysis, or any of the higher-level functions of an enterprise IDS or SIEM system. Rather, it is designed to collect information and provide alerts and reports that management systems can use.

Most IoT devices will operate in a relatively static environment. The operations they perform, the amount of data they transmit and receive, and the other devices they communicate with, change infrequently. Significant changes in these basic behaviors are anomalies and may denote a cyber attack.

An embedded IDS system provides detection and reporting of a few critical conditions, along with summary information on device operation. This may include information such as:

  • Number of login attempts (successful and unsuccessful)
  • Notification of communication with new IP addresses
  • Bandwidth use reports
  • Detection of port probing attempts.

These capabilities can be added to an IoT device using an embedded firewall with IDS capabilities. An embedded firewall that supports configurable rules provides event reporting for IDS, filters incoming traffic, and provides virtual network segmentation, thereby limiting the ability for a hacker to launch a cyber attack against the device.
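As an added example, not Icon Labs’ Floodgate code or anything from the article, the following C sketch shows how such an embedded IDS could cover the brute-force login scenario described earlier and the first, second and fourth items in the list above: it counts login attempts per hourly window, reports addresses not on a known-peer list, and flags a run of hits on closed ports, raising one alert per condition per window so the management system or SIEM is not flooded. The thresholds, window length, struct layout and function names are constructed assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
/* Constructed thresholds (assumption); a real device would tune these to its own baseline. */
#define MAX_KNOWN_PEERS        8
#define MAX_PROBED_PORTS       16
#define WINDOW_SECONDS         3600 /* hourly window, matching the "per hour" baseline in the text */
#define LOGIN_ALERT_THRESHOLD  20   /* failed logins per window before alerting */
#define PROBE_ALERT_THRESHOLD  5    /* distinct closed ports hit per window before alerting */

enum ids_event { IDS_NONE = 0, IDS_LOGIN_FLOOD, IDS_NEW_PEER, IDS_PORT_PROBE };
struct ids_state {
    uint32_t window_start;                 /* device uptime (seconds) when the window began */
    uint32_t logins_ok, logins_fail;       /* counters for the current window */
    uint32_t known_peers[MAX_KNOWN_PEERS]; /* IPv4 addresses already seen (host byte order) */
    uint16_t probed_ports[MAX_PROBED_PORTS];
    unsigned n_known, n_probed;
};

/* Start a fresh window once WINDOW_SECONDS have elapsed (unsigned math tolerates wrap). */
static void ids_roll_window(struct ids_state *s, uint32_t now) {
    if (now - s->window_start >= WINDOW_SECONDS) {
        s->window_start = now; s->logins_ok = s->logins_fail = 0; s->n_probed = 0;
    }
}

/* Login handler calls this after every password check. Alerts once per window, at the
   moment the threshold is crossed, so the SIEM gets one event rather than thousands. */
enum ids_event ids_on_login(struct ids_state *s, uint32_t now, bool ok) {
    ids_roll_window(s, now);
    if (ok) s->logins_ok++; else s->logins_fail++;
    return (!ok && s->logins_fail == LOGIN_ALERT_THRESHOLD) ? IDS_LOGIN_FLOOD : IDS_NONE;
}

/* IP stack calls this on each inbound connection; an address not on the known list is
   reported and then remembered while the bounded table has room. */
enum ids_event ids_on_peer(struct ids_state *s, uint32_t ip) {
    for (unsigned i = 0; i < s->n_known; i++) if (s->known_peers[i] == ip) return IDS_NONE;
    if (s->n_known < MAX_KNOWN_PEERS) s->known_peers[s->n_known++] = ip;
    return IDS_NEW_PEER;
}

/* Called for a SYN or datagram to a port with no listener: a scan touches many distinct
   closed ports in one window, normal traffic does not. */
enum ids_event ids_on_closed_port(struct ids_state *s, uint32_t now, uint16_t port) {
    ids_roll_window(s, now);
    for (unsigned i = 0; i < s->n_probed; i++) if (s->probed_ports[i] == port) return IDS_NONE;
    if (s->n_probed < MAX_PROBED_PORTS) s->probed_ports[s->n_probed++] = port;
    return (s->n_probed == PROBE_ALERT_THRESHOLD) ? IDS_PORT_PROBE : IDS_NONE;
}
```

Each non-IDS_NONE return is the point at which the device would format a log line or alert and hand it to its management or SIEM connection; the counters themselves double as the summary report.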

Meeting the needs of low-end IoT devices requires an embedded firewall and IDS solution designed for RTOS-based devices. A firewall that integrates into the IP stack of the embedded device and provides both IDS and packet filtering should protect it from attack.

Mitigation, limited damage

While IDS represents only part of the security solution for IoT devices, it is a critical and frequently overlooked part of a defense-in-depth security strategy. An embedded firewall/IDS solution protects IoT devices from attack and provides critical detection of cyber attacks, allowing mitigation and limiting the damage.

Low-end IoT devices require a custom solution designed to meet the memory and performance requirements of these resource-constrained environments. Microsoft Windows and Linux-based solutions are too big, power hungry, and slow to support low-end IoT devices, leaving engineers with the choice of building their own solutions or using a commercial solution such as an embedded firewall.

– Alan Grau is president and co-founder of Icon Labs; edited by Eric R. Eissler, editor-in-chief, Oil & Gas Engineering.

Key concepts

  • Look at your system to determine what your vulnerable low-level devices are.
  • Protect these devices with self-engineered or commercial solutions.
  • Monitor log-in activity to determine if your system is under attack.

Consider this

Even the most insignificant connected device can be a gateway for a hacker to enter the entire network. 

ONLINE extra

About Icon Labs and the author

Icon Labs is a provider of security software for embedded devices. Grau is the architect of Icon Labs’ award winning Floodgate Firewall. He has 20 years of embedded software experience. Prior to founding Icon Labs he worked for AT&T Bell Labs and Motorola. Grau has an MS in computer science from Northwestern University.
