usnistgov / mobile-threat-catalogue

NIST/NCCoE Mobile Threat Catalogue
https://pages.nist.gov/mobile-threat-catalogue

New APP threat: Decompiling IoT apps, looking for "secrets", MiTM attacks on all communications #56

Status: Open. Opened by sdog-mitre 8 years ago

sdog-mitre commented 8 years ago

On behalf of Prashanth Thandavamurthy of Arxan Technologies, Inc.

New Threat

Threat Category: Application: Vulnerable Application

Threat: Decompiling IoT apps, looking for “secrets”, MiTM attacks on all communications

Threat Origin: Hacking IoT Devices

https://www.iotvillage.org/slides_DC23/IoT11-slides.pdf

Exploit Example: None

CVE Example: None

Possible Countermeasures:

  1. Follow secure coding guidelines for IoT apps
  2. Protect apps from reverse-engineering and code tampering/modification attacks
  3. Use a cryptographic key protection solution such as Whitebox Cryptography to ensure:
     a. Cryptographic keys/secrets are not discovered at any time, and are not present in static form or in runtime memory
     b. Data is protected at rest, in transit and in-use
  4. Leverage vulnerability/penetration testing and ensure that known risks, in particular those identified in the OWASP Mobile Top 10 list, are addressed

References: None
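
As an added illustration of the threat described above (this is not code from the issue author, Arxan, or the NIST catalogue), the kind of scanner a tester runs over decompiler output during the penetration testing that countermeasure 4 calls for. It flags well-known credential formats, high-entropy string literals that are likely keys, and the TLS-disabling constructs (trust-all TrustManager, accept-all HostnameVerifier, cleartext HTTP) that let an attacker MiTM every connection the app makes. The Java sample, its class name, URLs and credential values are constructed; the jadx/apktool directory layout in `scan_tree` is an assumption about what the reader would point it at.

```python
"""Scan decompiled mobile-app source for hard-coded secrets and MiTM-enabling TLS code.

Added example for this thread; not code from the NIST catalogue or the issue author.
The sample Java below is constructed: the class, URLs and credential values are invented.
"""
import math
import os
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "path line kind evidence")

# Well-known credential shapes a decompiled app may contain.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "basic_auth_url": re.compile(r"https?://[^/\s:@\"']+:[^/\s:@\"']+@[^\s\"']+"),
}

# Constructs that disable TLS validation, leaving every connection open to interception.
TLS_WEAKENING_PATTERNS = {
    "trust_all_certs": re.compile(r"checkServerTrusted\s*\([^)]*\)\s*\{\s*\}"),
    "allow_all_hostnames": re.compile(
        r"ALLOW_ALL_HOSTNAME_VERIFIER|\bverify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}"),
    "cleartext_http": re.compile(r"[\"']http://[^\"'\s]+"),
}

# Quoted literals made only of token characters; prose and URLs are excluded up front.
KEY_LIKE_LITERAL = re.compile(r"\"([A-Za-z0-9+/=_\-]{20,})\"")
# Random base64/alphanumeric material of 20+ chars scores well above 4 bits/char;
# identifiers and English text score below. Hex-only keys cap at 4.0 bits/char, so
# lower this (or add a hex pattern) if the target app stores keys hex-encoded.
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(s):
    """Bits per character of the string's empirical symbol distribution."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text, path="<inline>"):
    """Return Findings for one source file; every pattern is matched line by line."""
    findings = []
    patterns = {**SECRET_PATTERNS, **TLS_WEAKENING_PATTERNS}
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in patterns.items():
            m = pattern.search(line)
            if m:
                findings.append(Finding(path, line_no, kind, m.group(0)))
        for m in KEY_LIKE_LITERAL.finditer(line):
            literal = m.group(1)
            if shannon_entropy(literal) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, line_no, "high_entropy_literal", literal))
    return findings


def scan_tree(root, exts=(".java", ".kt", ".smali", ".xml", ".js", ".properties")):
    """Walk a decompiler output directory (assumed jadx/apktool layout) and scan each file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(exts):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(fh.read(), full))
    return findings


# Constructed sample: what a decompiler might produce from a careless IoT companion app.
SAMPLE = """\
package com.example.iotcontrol;

public class CloudClient {
    private static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
    private static final String AES_KEY = "q8Kd2xP7mZ4nR1tV9wB3yL6sH0jF5cGE";
    private static final String DEVICE_KEY = "-----BEGIN EC PRIVATE KEY-----MHQCAQEE";
    private static final String ADMIN_URL = "https://admin:hunter2pass@api.example.com/devices";
    private static final String TELEMETRY = "http://telemetry.example.com/upload";
    private static final String BANNER = "Please log in to continue";

    static TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] c, String a) { }
        public void checkServerTrusted(X509Certificate[] c, String a) { }
        public X509Certificate[] getAcceptedIssuers() { return null; }
    } };

    static HostnameVerifier lax = new HostnameVerifier() {
        public boolean verify(String host, SSLSession s) { return true; }
    };
}
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE, "CloudClient.java"):
        shown = f.evidence if len(f.evidence) <= 24 else f.evidence[:24] + "..."
        print(f"{f.path}:{f.line}: {f.kind}: {shown}")
```

The patterns are single-line on purpose so the scanner stays fast over a large decompiled tree, which means a `checkServerTrusted` body that a decompiler spreads over several lines will be missed; run it as a first pass, then read the TLS setup code by hand. Note also what the entropy check does not find: a key that is split into fragments or derived at runtime never appears as one literal, which is exactly the obfuscated-key case sdog-nist folds into APP-10 in the reply that follows; that case needs dynamic analysis of the running app rather than string scanning.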

sdog-nist commented 8 years ago

We feel the more general case of the threat you describe is already covered by APP-10: Poorly implemented cryptography in mobile apps. This includes issues such as hard-coding cryptographic keys (including in obfuscated form, such as via white-box cryptography) and the use of weak or untested cryptographic algorithms to protect sensitive data or other secrets.

In the scope statement of NISTIR 8144, we specifically exclude devices defined as Internet of Things (IoT). Note, however, that while not presented with IoT in mind, threats to communication over Wi-Fi, Bluetooth, and NFC may be applicable to communication with an IoT device.