SSV Software Systems

Klaus-Dieter Walter | Meinrad Happacher

Underestimated digital risk

Recent cyber attacks highlight the increased risk of sabotage in industrial applications. Two attacks are examined in more detail.

© Pixabay/CC0

Cyber attacks on IoT applications are on the rise: the article "Cyber resilience for IoT applications" shows that communication applications in the IoT environment are not exactly secure and that there is obviously a considerable need for improvement. We reported on the collapse of the KA-SAT satellite network (Eutelsat / Viasat) as a result of a cyberattack and the approximately 6,000 Enercon wind turbines that could no longer be reached.

At almost the same time, German cashless payment service providers, together with the US terminal manufacturer Verifone, provided another example that shows why we need to take care of cyber resilience in order to avoid incidents with even greater consequences. Since May 24, countless retailers and even some large retail chains have been unable to accept credit or debit cards because Verifone H5000 terminals unexpectedly failed due to an alleged "software error". They now either have to be replaced or brought back to life on site by a technician with a software update. There are certain parallels: in both the KA-SAT and H5000 cases, "unforeseen events" rendered the firmware stored in the flash of an embedded system unusable. How long it would take for all affected Verifone H5000 users to be able to offer cashless payments to their customers again was not yet known, at least in mid-June 2022. A further parallel is that in both the KA-SAT and Verifone incidents, besides the manufacturer of a communication module, numerous other companies are involved as operators of a more complex IoT application, as well as various supervisory authorities, which are not exactly conspicuous for their proactive educational work.

Investigating the causes


Figure 1: The Verifone H5000 payment terminal was tested by the BSI according to Common Criteria (CC). CC certification is actually intended to prevent the case that has now occurred. A gap analysis would be helpful to find out why the causes of the H5000 failure could not be identified during the BSI verification and validation work and whether the depth of testing according to EAL POI is sufficient.

© BSI

With regard to the Verifone H5000 payment terminals, the exact cause of the outage is not yet known. According to the German Federal Office for Information Security (BSI), however, there are no concrete indications of a cyber attack in this case. There is speculation on the internet that an expired security certificate for remote access authorization to the central servers could be the cause of the outage, which also happens from time to time with industrial IoT applications. Since the financial service providers Payone and Concardis, as operators of the affected Verifone terminals in Germany, are assigned to the so-called critical infrastructure, other government organizations in addition to the BSI are also dealing with the process, such as the Bundesbank and the Federal Financial Supervisory Authority (BaFin).

Further details of the KA-SAT attack have since been published. The attackers had apparently studied the Viasat Surfbeam2 modems in great detail and discovered how a malicious program code can be executed via the TR-069 service interface in order to overwrite the Surfbeam2 firmware in Flash with arbitrary content and thus permanently disable the devices.

Successful cyberattacks on modems and routers in connection with TR-069 vulnerabilities are not new. As a "sophisticated remote management protocol" for customer-owned devices, TR-069 not only supports a full firmware update, but also offers remote code execution (XML-RPC) capabilities that have been widely abused by skilled attackers. Although the TR-069 communication between the modem and the KA-SAT Network Operation Center (NOC) is protected by a VPN, the attackers have obviously found a weak point here too.

It is now also clear that the KA-SAT attack was primarily intended to bring down the satellite-based Internet in Ukraine. The 6,000 wind turbines also affected in Germany were probably not the target. However, as the Enercon turbine remote controls use the same modems as the predominantly private KA-SAT Internet customers and presumably some Ukrainian authorities, the turbine failure must be classified as an unintentional spillover effect. However, the question of why the Federal Network Agency and BSI do not prevent the use of satellite connections with components from consumer electronics in critical infrastructure is still unanswered.

Function-by-Design

When developing IoT products and solutions, the focus is primarily on the desired functions. They are usually recorded in a document or database before the start of development work or at the start of a project and verified at the end using a prototype. Development and unit costs as well as time-to-market also play a very important role. There are also approval aspects, such as CE and UL certifications and the necessary radio approvals, plus other standards and specifications that a communication product must meet. Before marketing, validation is certainly also carried out to check whether the desired usage objectives can be achieved with the development result or whether the intended use cases can be realized.

Cybersecurity only plays a minor role in most development projects and IoT projects. In many cases, people are satisfied with the fact that the connections via public networks are TLS-secured and that the basic IT protection goals of confidentiality, integrity and availability are met by the TLS protocol. For two TLS endpoints this holds for confidentiality and integrity, but not for availability. It is often overlooked that TLS connections are not invulnerable, that the TLS code is not error-free and that there is no end-to-end security across media breaks.

It is not known what else the Enercon engineers tested in addition to the communication functionality when evaluating the KA-SAT satellite connection with the Surfbeam2 modems, and what risk analyses were carried out. Surfbeam2 satellite modems can also be ordered from Amazon, so a potential cyber attacker can examine the technology of such a gateway very closely for vulnerabilities, such as the TR-069 service interface and the TCP port 7547 used for it, and develop attack scenarios; this was presumably not recognized as a risk.

The cyber security of the Verifone H5000 is somewhat different. Due to its application, this module has a very comprehensive Common Criteria security approval from the BSI (Fig. 1). However, manufacturers and operators should not assume that nothing can go wrong. Despite the approval test, there may be faulty program code that was not detected during the code analysis. The expiration date of a security certificate and other possible attack vectors also continue to represent existing operational security risks with a corresponding probability of occurrence. However, it can be assumed that the parties involved focused primarily on use case evaluations due to the BSI certification prior to the first H5000 deployment.

Possible suggestions for improvement

Figure 2: With an A/B boot concept, there are two independent firmware image files in the flash of the respective hardware. A specially adapted boot loader can start either image A or B. If the flash area for image A is unusable, for example due to a cyber attack or an expired certificate, image B is started and a remote update for image A is carried out.

© SSV

Both events have one advantage: You can learn from them and consider improvements for future developments in order to avoid unexpected failures. Here are three examples:

CC certification: in several respects, a security certification is merely a snapshot of a specific point in time, which is not necessarily transferable to the entire product life cycle. Without appropriate processes (e.g. DevOps) to adapt hardware and software to changing requirements, neither cyber security nor service availability can be guaranteed over the entire life cycle of a product or solution.

The author: Klaus-Dieter Walter is a member of the management board at SSV Software Systems.

© SSV

TR-069: Remote management tools, such as TR-069-based solutions used for remote provider access via public networks, should not be used at all in applications with high security and availability requirements. If such remote management access cannot be avoided, the relevant module or the local network side should have a redundant out-of-band communication channel plus additional resilience functions.

A/B boot: With regard to the software requirements of the two modules, an A/B boot concept (Fig. 2) could have prevented the interruption of operation. In some industrial communication modules, but also in countless automotive control units, such a procedure has long been state of the art.
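The A/B boot selection described in Figure 2 and above, as an added example written for this page (not SSV's boot loader or any vendor's code): the slot header layout, the CRC-based validity check and the "boot the other slot and request a remote update" rule are all assumptions, and the two firmware images are constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#define IMAGE_MAGIC 0x46574731u  /* constructed marker value, not any vendor's real format */
enum { SLOT_A = 0, SLOT_B = 1, SLOT_NONE = -1 };
/* Hypothetical per-slot header as the boot loader would read it from flash. */
typedef struct { uint32_t magic, length, crc; const uint8_t *payload; } flash_slot_t;

static uint32_t crc32(const uint8_t *d, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= d[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* A slot is bootable only when its header is intact and the payload checksum matches. */
int slot_is_valid(const flash_slot_t *s) {
    if (s->magic != IMAGE_MAGIC || s->length == 0 || s->payload == NULL) return 0;
    return crc32(s->payload, s->length) == s->crc;
}
/* Prefer the active slot; if it is unusable, boot the other one and flag that
 * the damaged slot must be re-flashed by a remote update after start-up. */
int select_boot_slot(const flash_slot_t slots[2], int active, int *needs_update) {
    *needs_update = 0;
    if (slot_is_valid(&slots[active])) return active;
    *needs_update = 1;
    return slot_is_valid(&slots[1 - active]) ? 1 - active : SLOT_NONE;
}

/* Constructed scenario: optionally overwrite image A and/or wipe image B's header. */
int demo_select(int corrupt_a, int corrupt_b, int *needs_update) {
    uint8_t img_a[] = "firmware-A v1.0", img_b[] = "firmware-B v1.0";
    flash_slot_t slots[2] = {
        { IMAGE_MAGIC, sizeof img_a, crc32(img_a, sizeof img_a), img_a },
        { IMAGE_MAGIC, sizeof img_b, crc32(img_b, sizeof img_b), img_b },
    };
    if (corrupt_a) img_a[3] ^= 0xFF;        /* flash area A no longer matches its checksum */
    if (corrupt_b) slots[SLOT_B].magic = 0; /* header of B unusable as well */
    return select_boot_slot(slots, SLOT_A, needs_update);
}
int demo_slot(int a, int b) { int u; return demo_select(a, b, &u); }
int demo_update_flag(int a, int b) { int u; demo_select(a, b, &u); return u; }

int main(void) {
    int upd, s = demo_select(1, 0, &upd);
    printf("boot slot %s, remote update of A needed: %d\n", s == SLOT_B ? "B" : "A", upd);
    return 0;
}
```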
