There is no denying that Amazon Web Services (AWS) is a popular choice among companies these days. Businesses like to store their data and run their operations through AWS because of the convenience and performance that its cloud-based storage and services provide.
But the AWS IoT platform is not without risk. Researchers have identified vulnerabilities that could be exploited to compromise devices, potentially resulting in data breaches.
In researching IoT platforms, ZLabs found vulnerabilities in the AWS secure connectivity modules and in the FreeRTOS TCP/IP stack. AWS FreeRTOS provides an IoT platform for microcontrollers by bundling the FreeRTOS kernel with the FreeRTOS TCP/IP stack.
In a blog post for Zimperium on how FreeRTOS TCP/IP stack vulnerabilities put a wide range of devices at risk of compromise, ZLabs writes, “These vulnerabilities allow an attacker to crash the device, leak information from the device’s memory, and remotely execute code on it, thus completely compromising it.”
The 13 reported CVEs break down into the following classes. Knowing and addressing risks in these areas can help you maintain security and compliance if your organization, whether a retail, banking, healthcare or software as a service company, uses the AWS IoT platform.
Four remote code execution bugs (CVE-2018-16522, CVE-2018-16525, CVE-2018-16526, CVE-2018-16528)
Seven information leak vulnerabilities (CVE-2018-16524, CVE-2018-16527, CVE-2018-16599, CVE-2018-16600, CVE-2018-16601, CVE-2018-16602, CVE-2018-16603)
One denial of service flaw (CVE-2018-16523)
One additional flaw (CVE-2018-16598) whose type was not specified; it affects FreeRTOS V10.0.1, AWS FreeRTOS V1.3.1 and earlier versions.
ZLabs worked with Amazon on patches for the vulnerabilities; the fixes ship in AWS FreeRTOS 1.3.2 and later. Patches for the same vulnerabilities were also produced for OpenRTOS, the commercial version of FreeRTOS maintained by WITTENSTEIN high integrity systems (WHIS). But risks remain: a fix in the upstream release protects only devices that are actually updated to it.
Mitigating Risks in the AWS IoT Platform
Adopt a set of best practices to stay ahead of vulnerabilities. A comprehensive security review such as a SOC 2 audit can help your organization protect and comply by confirming that you handle customer data properly. Aimed at companies that store sensitive information for other organizations, SOC 2 reports detail the controls of the systems used to process data and the security and privacy of that data. A SOC 2 report is officially known as a “Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.”
A readiness assessment should precede the report to increase its effectiveness. The usual sequence is the readiness assessment, then a Type 1 report, which covers the design of controls at a point in time, and finally a Type 2 audit, which covers their operation over a period.
When it comes to protecting your customers’ data, a SOC 2 report can help you satisfy contractual requirements and reduce regulatory compliance efforts. It also can assist you in mitigating risk and increasing trust by improving your service organization’s internal control environment.
Adopt a Zero Trust Policy
If you have IoT in your environment, assume that there are flaws in your IoT platforms and adopt a zero trust model that includes measures such as the following.
Proper log management
Encryption for data-in-flight
Encryption for data-at-rest
Proper centralized key management
Zero trust is a model for more effective security, according to Mary K. Pratt, a contributing writer for CSO. It requires organizations to consider threats inside the network as well as outside it.
Pratt writes, “The Zero Trust model of information security basically kicks to the curb the old castle-and-moat mentality that had organizations focused on defending their perimeters while assuming everything already inside didn’t pose a threat and therefore was cleared for access.”
Though AWS security can be strong, poor configurations have led to data breaches, according to an assessment of AWS vulnerabilities from the attacker’s perspective by Benjamin Caudill at Rhino Security Labs. The penetration testing and security assessment firm recommends creating separate Identity and Access Management (IAM) users for each service and limiting each user’s permissions to what that service requires.
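A concrete way to apply the per-service, least-privilege advice is to check policy documents before they are attached. The following Python is an added example, not code from the article, from Rhino Security Labs or from AWS: it lints an IAM-style policy document for wildcard grants and, for AWS IoT Core policies, for a Connect grant that lets any MQTT client ID connect rather than binding the client ID to the registered thing name with the ${iot:Connection.Thing.ThingName} policy variable. The two sample policies, the region and the account ID are constructed placeholders.

```python
"""Least-privilege linter for AWS policy documents (IAM and AWS IoT Core).

Added example; not code from the original article, from ZLabs or from AWS.
It flags Allow statements that grant a bare wildcard action or resource,
and AWS IoT Connect grants on client/* that let any MQTT client ID
connect instead of binding the client ID to the registered thing name via
the ${iot:Connection.Thing.ThingName} policy variable. The two policies
below are constructed samples; the region and account ID are placeholders.
"""
import fnmatch
import json


def _as_list(value):
    """Policy grammar allows a string or a list in Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names match case-insensitively; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def lint_policy(policy_json):
    """Return a list of human-readable findings for over-broad Allow grants."""
    doc = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        # '*' or 'service:*' hands out every API the service exposes.
        broad = [a for a in actions if a == "*" or a.endswith(":*")]
        if broad:
            findings.append("statement %d: service-wide action %s" % (idx, broad))

        # Resource '*' applies the grant to every resource in the account.
        # A few list-type actions genuinely require it, so this is a
        # review item rather than an automatic rejection.
        if "*" in resources:
            findings.append("statement %d: resource wildcard '*'" % idx)

        # AWS IoT specific: Connect on client/* lets any device, including an
        # attacker holding one stolen device certificate, pick any client ID.
        if any(_action_matches(a, "iot:Connect") for a in actions):
            for res in resources:
                if res.endswith(":client/*"):
                    findings.append(
                        "statement %d: any client ID may connect (%s); scope "
                        "to client/${iot:Connection.Thing.ThingName}" % (idx, res))
    return findings


# Constructed samples: one over-broad policy and its scoped replacement.
WEAK_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "iot:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iot:Connect"],
     "Resource": "arn:aws:iot:us-east-1:123456789012:client/*"}
  ]
}"""

SCOPED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "iot:Connect",
     "Resource": "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"},
    {"Effect": "Allow", "Action": "iot:Publish",
     "Resource": "arn:aws:iot:us-east-1:123456789012:topic/devices/${iot:Connection.Thing.ThingName}/telemetry"}
  ]
}"""

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(policy) or ["no findings"])
```

Running the module prints three findings for the weak policy and none for the scoped one. The scoped policy is the shape to aim for: each device can only connect as itself and publish to its own topic, so a certificate lifted from one unit cannot be used to impersonate the fleet.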
In a blog post on Threat Stack about what you need to know about the top 7 AWS security issues, citing research from the 2018 Verizon Data Breach Investigations Report, Pete Cheslock wrote that most security incidents arise from compromised credentials: “Credentials are a goldmine for attackers for one very important reason: They are the keys to the kingdom, granting access to a vast amount of data by exploiting a single data source.”
Cheslock suggests that you take the following steps to protect your credentials.
Enable multi-factor authentication (MFA)
Watch for anomalous logins
Implement a logging service at the host level
Rotate credentials with a secrets management system
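The first three of those steps can be turned into detection logic rather than left as advice. The following Python is an added example, not code from the article or from Threat Stack: it runs over a handful of constructed CloudTrail ConsoleLogin records and an access-key inventory in the shape of aws iam list-access-keys output, and reports console logins without MFA, any root-account login, successful logins from an IP outside a per-user baseline, and active keys past a 90-day rotation window. All user names, IP addresses, key IDs and dates are placeholders.

```python
"""Credential-abuse checks over CloudTrail sign-in events and IAM key metadata.

Added example; not code from the original article or from Threat Stack. The
records below are constructed to mimic the shape of CloudTrail ConsoleLogin
events and of `aws iam list-access-keys` output; user names, IP addresses,
key IDs and dates are placeholders. It reports console logins without MFA,
any root-account console login, successful logins from an IP outside the
user's baseline, and active access keys older than the rotation window.
"""
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail records (only the fields these checks read).
EVENTS = [
    {"eventName": "ConsoleLogin", "eventTime": "2018-10-20T08:01:12Z",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventTime": "2018-10-20T03:47:55Z",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventTime": "2018-10-20T09:15:00Z",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "ConsoleLogin", "eventTime": "2018-10-20T11:30:41Z",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "DescribeInstances", "eventTime": "2018-10-20T12:00:00Z",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]

# Per-user baseline of source IPs, e.g. built from the prior month of
# successful logins. The root account deliberately has no baseline.
KNOWN_IPS = {"deploy-bot": {"203.0.113.10"}, "alice": {"203.0.113.10"}}

# Constructed `aws iam list-access-keys` style inventory.
ACCESS_KEYS = [
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLEKEY000001",
     "Status": "Active", "CreateDate": "2018-01-05T10:00:00Z"},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLEKEY000002",
     "Status": "Active", "CreateDate": "2018-10-01T10:00:00Z"},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLEKEY000003",
     "Status": "Inactive", "CreateDate": "2017-01-01T10:00:00Z"},
]


def parse_time(stamp):
    """CloudTrail and IAM use ISO 8601 UTC timestamps with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def login_findings(events, known_ips):
    """Return findings for console logins that deserve an analyst's attention."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        ident = ev.get("userIdentity", {})
        user = ident.get("userName", ident.get("type", "unknown"))
        ip = ev.get("sourceIPAddress", "?")
        success = ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
        mfa = ev.get("additionalEventData", {}).get("MFAUsed") == "Yes"

        # Root should never be used interactively; every login is notable.
        if ident.get("type") == "Root" and success:
            findings.append("%s: root account console login from %s" % (user, ip))
        # A successful password-only login is exactly what a stolen
        # credential looks like in the log.
        if success and not mfa:
            findings.append("%s: console login without MFA from %s" % (user, ip))
        # New source IP for this principal: not proof of compromise, but a
        # cheap, high-signal trigger for follow-up.
        if success and ip not in known_ips.get(user, set()):
            findings.append("%s: login from IP outside baseline %s" % (user, ip))
    return findings


def stale_keys(keys, now, max_age_days=90):
    """Active access keys created more than max_age_days before `now`."""
    cutoff = now - timedelta(days=max_age_days)
    return [k["AccessKeyId"] for k in keys
            if k["Status"] == "Active" and parse_time(k["CreateDate"]) < cutoff]


if __name__ == "__main__":
    for line in login_findings(EVENTS, KNOWN_IPS):
        print(line)
    print("keys past rotation window:",
          stale_keys(ACCESS_KEYS, parse_time("2018-10-21T00:00:00Z")))
```

On the sample data the run reports the non-MFA login and the unfamiliar IP for deploy-bot, the root-account login, and deploy-bot's nine-month-old active key; the failed login and the inactive key are left alone. The same checks apply unchanged to real exports, since the field names mirror what CloudTrail and the IAM API return.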
In sharing its discovery of the vulnerabilities in the AWS IoT platform, ZLabs noted the platform’s widespread usage in industries as varied as healthcare, aerospace and automotive. But it also cautioned that the interconnectivity of IoT components makes them particularly attractive targets for cyberattacks.
Protect your data and maintain compliance by addressing vulnerabilities proactively.