Keysight Technologies has released a new Internet of Things (IoT) Security Assessment software solution that enables IoT chip and device manufacturers, as well as organizations deploying IoT devices, to perform comprehensive, automated cybersecurity assessments.
“IoT device vulnerabilities are especially dangerous as they can facilitate sensitive data breaches and lead to physical danger, such as industrial equipment malfunction, medical device defects, or a home security system breach,” wrote Merritt Maxim, Vice President, Research Director, and Elsa Pikulik, Researcher, Forrester, in the State of IoT Security Report 2021. “In 2020, IoT devices were the second most common vector for an external breach and technology leaders rank security issues as a top concern plaguing or hindering IoT deployments.”
Recently, researchers at the Singapore University of Technology and Design (SUTD) discovered a group of vulnerabilities, which they named BrakTooth, in commercial Bluetooth chipsets that impact billions of end-user devices.
BrakTooth captures fundamental attack vectors against devices using Bluetooth Classic Basic Rate/Enhanced Data Rate (BR/EDR) and is likely to affect Bluetooth chipsets beyond those tested by the SUTD team. “It is hard to accurately gauge the scope of BrakTooth affected chipsets,” commented Sudipta Chattopadhyay, Assistant Professor, SUTD. “We advise all Bluetooth product manufacturers to conduct appropriate risk assessments, especially if their product may include a vulnerable chipset. We are thankful to Keysight for generously supporting our research and the opportunity to collaborate with the experienced Keysight security team.”
“Research activities like these at SUTD are critical to improving cybersecurity in the connected world. If the good guys don’t improve it, the cybercriminals will take advantage of vulnerabilities for nefarious purposes,” said Steve McGregory, Senior Director of the Keysight security research and development team. “While investment into research is needed and helpful, software and chipset manufacturers are responsible for delivering secure products using rigorous security testing.”
The SUTD research was funded with a grant from Keysight. The results SUTD published were leveraged into improvements in Keysight IoT Security Assessment software.
The vulnerabilities, which include 20 Common Vulnerabilities and Exposures (CVEs) as well as four awaiting CVE assignment, are found in Bluetooth communication chipsets used in System-on-Chip (SoC) boards. They pose risks that include remote code execution, crashes and deadlocks. The SUTD team responsibly disclosed the findings to the affected vendors, providing a means to reproduce the findings and time to remediate the vulnerabilities.