Forensic Analysis and Security

Forensic Analysis and Security

As IoT gains momentum among consumers, you need to know what the implications are for government security

Connected or smart devices in or on buildings, vehicles, and even people include software, mobile apps, sensors, and network connectivity used to collect and exchange data. They are also all part of the Internet of Things (IoT). The point: to remotely monitor and manipulate these devices, as well as evaluate trends in their use.

IoT devices include medical equipment, such as heart monitoring implants and biochip transponders; wearables, such as the Apple Watch and FitBit; building automation, such as lighting and thermostats; vehicle infotainment and assistance systems, as well as driverless vehicles; and appliances including ovens, refrigerators, washers and dryers.

When it comes to securing government facilities, operations, and personnel, IoT presents a considerable challenge, not just from individuals who use it for everyday life and work, but also internally, as more contractors and agencies implement it for business and facilities operations.

The Risks of IoT in Government Facilities

“Shadow IT” and rogue devices, whether connected to a network port or to a facility’s Wi-Fi, have been a risk for the better part of a generation. Many are designed to make work more convenient; some are intentionally malicious. To that end, most corporate security experts are familiar with unauthorized access points such as an employee’s device used as a personal wireless access point, or ad hoc peer-to-peer connections.

Finding them as part of a robust intrusion detection protocol is no longer as easy as performing a port scan or interrogating a router for hardware addresses. With IoT devices in the mix, “rogue” takes on a whole new meaning. Their presence may not originate with employees, and because the sensors and data sources used to connect devices may themselves be “rogue.”

A vulnerable, unpatched thermostat, refrigerator or dishwasher in the staff kitchen, or smoke detector in an otherwise hardened building, could become part of a global botnet like Mirai, and be used to attack other systems, even other governments.

Any device that uses voice commands to operate must, as TripWire’s Leslie Sloan wrote in 2016, always be listening “and sending that captured data back to its controlling server.” People discussing sensitive data related to government operations must take extra care around these devices. Finally, personal wearable devices such as fitness bands or even surgical implants may interact in unintended ways with facility networks.

Securing—and Investigating— the Network

A “simple IoT architecture,” Shawn Wasserman wrote in 2016, “includes devices within a firewall, wireless devices outside the firewall and having those devices connecting into the IoT platform. Then, all of this will be used in an application that will use the data from the devices to perform a function. All these systems, applications, and development tools used to make the system must be made secure.

“The issue is that because all of these different systems are under the control of various organizations on the vendor, customer, and public levels, it can be confusing to establish who is really responsible for all of this IoT security.” In addition, IoT comes into play when employees or contractors work from home.

Reflecting that “network administrators need to know exactly what is in the environment, or the network—including when an adversary has switched out one device for another,” government R&D nonprofit MITRE issued a challenge in late 2016 to build “a unique identifier or fingerprint to enable administrators to enumerate the IoT devices while passively observing the network.” (A Georgia-based team won.)

Such proactive measures, however, must be backed up by strong investigative processes when a reactive, post-breach stance is needed. In other words, IT security staffs need to know how to obtain forensic data from IoT devices, as they would for any suspect mobile device or laptop.

Where Can Forensic Data Come From?

Where IoT data is stored isn’t as simple as imagining a FitBit, Nest, or Echo Dot as if it were a computer or smartphone. The amount of data stored on these devices may be comparable to a vehicle or aircraft digital or event data recorder, storing only a limited amount of history. For example, the Amazon Echo and Echo Dot only store less than the last 60 seconds of recorded sound in their local storage buffers.

The bulk of telemetry and other usage data is instead likely to be accessible from a paired, “controller” smartphone, or from the user’s account in the cloud. In addition, services such as OnStar, available with GM Fleet connected vehicles, can generate data with forensic value associated with automated collision response, stolen vehicle assistance, Wi-Fi hotspots, and turn-by-turn directions among other services.

OnStar Wi-Fi hotspots and direction guidance can provide location related information, including destinations, while time stamps provide time-related context as well as putting the user in a location at a particular time. Timing also comes into play with remote commands. Time- and location-related “patterns of life” in a work context can show both expected and unexpected travel activities.

The proliferation of IoT devices, needless to say, demands continued research— a cooperative effort, wrote Wasserman, on the part of security and engineering experts together. Researchers need to examine more closely whether and how much data is stored on devices, including becoming trained and equipped to remove memory chips if needed to collect the data via JTAG or chip-off processes.

Investigators also need the software to recover data from the cloud, bearing in mind that it’s another data source for a corporate investigation as encryption on smartphones and computers becomes more prevalent.

Finally, careful coordination with human resources and legal teams is important when it comes to the impact of personal employee devices on a government network. Most employees understand that they have less of an expectation of privacy while at work, using work resources—whether a device or a network— to complete tasks.

However, when it comes to wearable devices like FitBit, employers may need to tread more carefully. Employees’ personal health information (PHI) including heart rate, physical activity, and sleep patterns are accessible from their devices. The data has proven useful in criminal cases, including rape and homicide allegations, but may be of less value in internal investigations.

IoT can be valuable for individuals, businesses, and governments alike, but its risks must be carefully understood and proactively managed. This includes knowing how to conduct investigations on the devices, the cloud servers that store their data, and the smartphones that control them—for both research and investigative purposes.

This article originally appeared in the May 2018 issue of Security Today.

Featured

  • Allegion, Comfort Technologies Implement Mobile Credentials at the Artisan Apartment Homes in Florida

    Artisan Apartment Homes, a luxury apartment complex in Dunedin, Florida, recently transitioned from mechanical keys to electronic locks and centralized system software with support from Allegion US, a leading provider of security solutions, technology and services, and Florida-based Comfort Technologies, which specializes in deploying multifamily access control, IoT devices and software management solutions. Read Now

  • Mall of America Deploys AI-Powered Analytics to Enhance Parking Intelligence

    Mall of America®, the largest shopping and entertainment complex in North America, announced an expansion of its ongoing partnership with Axis Communications to deploy cutting-edge car-counting video analytics across more than a dozen locations. With this expansion, Mall of America (MOA) has boosted operational efficiency, improved safety and security, and enabled more informed decision-making around employee scheduling and streamlining transportation for large events. Read Now

  • Security Industry Association Launches New “askSIA” AI Tool

    The Security Industry Association (SIA) has unveiled a brand-new SIA member benefit – askSIA, a conversational AI agent designed to help users get the most out of their SIA membership, easily access SIA resources and find the latest information on SIA’s training and courses, reports and publications, events, certification offerings and more. SIA members can easily find askSIA by visiting the SIA homepage or looking for the askSIA icon in the top left of webpages. Read Now

    • Industry Events
  • Industry Embraces Mobile Access, Biometrics and AI

    A combination of evolving workplace dynamics, technology innovation and new user expectations is changing how people enter and interact with physical spaces. Access control is at the heart of these changes. Combined with biometrics and AI, mobile access control has become increasingly crucial for deploying entry solutions that are seamless, secure and adaptive to user needs. Read Now

  • Sustainable Video Solution Delivered for Landmark City of London Office Development

    An advanced, end-to-end video solution from IDIS, with a focus on reducing waste and costs, has helped a major office development in the City of London align its security with sustainability objectives. Read Now

New Products

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis.

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure.

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening.