An IoT device typically lacks the required built-in security to counter security threats. Common vulnerabilities and exposures allow cyber criminals to breach the device and use it as a foothold to launch sophisticated cyberattacks: IoT device vulnerabilities - Fortinet Cyberglossary

Fortinet's IoT solutions include FortiGuard Labs (Attack Surface Security Service) and the Fortinet Security Fabric, enhancing the oversight and regulation of IoT policies while providing deeper insights into device discovery.

The FortiGuard IoT Detection Service (Attack Surface Security Service), integrated into the FortiGate NGFW, delivers robust IoT security. It provides active IoT device detection, IoT IPS security controls, and IoT device virtual patching in a single service. And as part of the Fortinet Security Fabric, all IoT devices can be secured, centrally managed, and continuously security updates are delivered across the Security Fabric.

In order for FortiGate to detect IoT devices and its vulnerabilities, the configuration must meet the following specific requirements.

The FortiGate must have a valid IoT Detection Service license:

With an IoT service subscription (Attack Surface Security Service), FortiGate has the capacity to transmit device information to the FortiGuard collection server. When a new device is identified, FortiGate initiates queries to the FortiGuard service to retrieve additional information about the device. 

This enables FortiGate to download an IoT Detection package for the identification of unknown devices or to perform queries in FortiGuard through the IoT Query service for devices not recognized by the local Device Database (CIDB) or the IoT Detection DB (APDB).

Which means FortiGate will first try to detect the devices based on the information in the local device database (CIDB). If FortiGate is unable to detect the devices, then FortiGate queries the FortiGuard servers by sending the unknown device data to the FortiGuard servers and, in response, FortiGuard servers provide more information about the devices.

For that, FortiGate must:

• Be registered with FortiCare.
• Be connected to an anycast FortiGuard server.

FortiGate uses IoT device detection by analyzing the traffic generated by IoT devices, extracting metadata, and storing a list of devices locally. IoT devices generate data as they communicate over the network, enabling the identification of additional device details, such as the operating system running on the IoT device.

The IoT detection service requires an internet connection to consistently receive updates for the signature packages from FortiGuard.

The IoT device information includes the information source (src fortiguard).

diagnose user device list

hosts

  vd root/0  2e:67:2e:b0:10:e0  gen 6  req OHUSA/3e

    created 159s  gen 3  seen 6s  Wi-Fi  gen 2

    ip 10.100.10.2  src mac

    hardware vendor 'Samsung' src fortiguard id 1093  weight 230

    type 'Phone'  src fortiguard id 1093  weight 230

    family 'Galaxy'  src fortiguard id 1093  weight 230

    os 'Android'  src fortiguard id 1093  weight 230

    hardware version 'A'  src fortiguard id 1093  weight 230

    software version '13'  src fortiguard id 1093  weight 230

    host 'Bijay-Prakash-Ghising'  src dhcp

Device detection must be enabled on a LAN interface.

By default, when device detection is enabled, FortiGate performs passive scanning by analyzing incoming traffic. This enables FortiGate to identify devices and gather crucial information like MAC address, IP address, and the FortiGate interface through which the device is detected.

config system interface

    edit <intf>

        set device-identification enable

    next

end

Devices are indexed by their MAC addresses. FortiGate uses a first come, first served approach to determine the device identity. For example, if a device is detected by the HTTP user agent, FortiGate updates its device table with the detected MAC address and scanning stops as soon as the type has been determined for that MAC address. Identification methods include analyzing the HTTP user-Agent header, TCP fingerprint, and MAC address OUI techniques, among others.

diagnose user device list

hosts

  vd root/0  2e:67:2e:b0:10:e0  gen 126  req 0

    created 10534s  gen 98  seen 22s  Wi-Fi  gen 22

    ip 10.100.10.2  src mac

    hardware vendor 'Samsung'  src http  id 1093  weight 230

    type 'Phone'  src http  id 1093  weight 230

    family 'Galaxy'  src http  id 1093  weight 230

    os 'Android'  src http  id 1093  weight 230

    hardware version 'A'  src http  id 1093  weight 230

    software version '13'  src http  id 1093  weight 230

Device identification is only effective if FortiGate and the workstations (endpoints) are directly connected network segments, where traffic is sent directly to FortiGate, and there is no intermediate router or Layer 3 device between FortiGate and the workstations.

Apply an application control sensor in the firewall policy

To run an effective IoT vulnerability scan, it is imperative that traffic is initiated from the IoT devices and traverses through the application sensor applied in the firewall policy.

config firewall policy

    edit 0

        set srcintf "Connected_Intf"

        set dstintf "Outgoing_Intf"

        set action accept

        set srcaddr "all"

        set dstaddr "all"

        set schedule "always"

        set service "ALL"

        set ssl-ssh-profile "certificate-inspection"

        set application-list "monitor"

        set logtraffic all

        set nat enabl

    next

end

For demonstration, the following example was set up with detection applied on a secure LAN edge architecture:

1. FortiAP SSID as a connected interface. Enable device detection in virtual SSID interface under 'WiFi & Switch Controller -> SSID'. 

2. Firewall Policy with an application control sensor to the internet-facing policy. 
   
   

Note:

Traffic must be initiated from the IoT device for the detection to work.

Results to view the IoT Vulnerabilities in GUI: 

View the vulnerable device from Security Fabric -> Asset Identity Center.

Results to view IoT asset vulnerabilities in CLI:

Since devices are indexed by their MAC addresses. We can view the list by filtering with the MAC address of the IoT device.

diagnose user-device-store device memory list | grep -B 5 -A 10 ‘2e:67:2e:b0:10:e0’

Record #2:

        device_info

                'ipv4_address' = '10.100.10.2'

                'mac' = '2e:67:2e:b0:10:e0'

                'hardware_vendor' = 'Samsung'

                'hardware_version' = 'A'

                'hardware_type' = 'Phone'

                'hardware_family' = 'Galaxy'

                'vdom' = 'root'

                'os_name' = 'Android'

                'os_version' = '13'

                'hostname' = 'Bijay-Prakash-Ghising'

                'last_seen' = '1703654358'

                'host_src' = 'dhcp'

                'iot_vuln_count' = '100'

                'total_vuln_count' = '100'

                'device_type' = 'IOT'

        interface_info

                'ipv4_address' = '10.100.10.2'

                'mac' = '2e:67:2e:b0:10:e0'

                'master_mac' = '2e:67:2e:b0:10:e0'

                'detected_interface' = 'BPG-WiFi'

                'last_seen' = '1703654358'

                'is_master_device' = 'true'

                'is_online' = 'true'

                'fortiap_id' = 'FP221E'

                'fortiap_ssid' = 'BPG-Wi-FI'

                'fortiap_name' = 'FP221E'

                'dhcp_lease_status' = 'leased'

                'dhcp_lease_expire' = '1704258770'

                'dhcp_lease_reserved' = 'false'

To debug the daemon in the CLI:

Disable the local device database to force all queries to go to FortiGuard.

diagnose cid sigs disable

Enable IoTD debugs:

diagnose debug application iotd -1

diagnose debug enable

Mitigate through FortiGate Virtual Patching 

The IoT Detection Service with a FortiGate NGFW enables an advanced security control called virtual patching. This strategy uses a FortiGuard Labs IoT IPS signature to block network traffic that matches the IPS signature, preventing an infection just as if an IoT vendor patch had been deployed. This allows unpatched IoT devices to be protected with an IPS rule until a device patch can be applied (when possible), thereby adding robust IoT security controls to the network.

In the dynamic landscape of IoT devices and an OT environment, FortiGate supports virtual patching in the following ways:

IPS:

The integrated IPS capability in FortiGate NGFWs offers deep packet inspection (DPI) to identify and block malicious traffic attempting to infiltrate the network. It uses signatures based on vulnerabilities or exploits that reference specific knwn vulnerabilities. As soon as the packet matches one of the signatures, the entire stream is blocked. 

IPS offers the ability to deploy a software patch in the form of IPS signature on a network that will protect that vulnerability from being exploited.

Apply an IPS sensor in the firewall policy that the IoT device traffic traverses. 

config firewall policy

    edit 0

        set name "IoT Scan"

        set srcintf "BPG-WiFi"

        set dstintf "wan1"

        set action accept

        set srcaddr "BPG-WiFi address"

        set dstaddr "all"

        set schedule "always"

        set service "ALL"

        set utm-status enable

        set ssl-ssh-profile "certificate-inspection"

        set ips-sensor "IoT-IPS"

        set application-list "Application Senor"

        set nat enable

    next

end

Local-in Policy:

From v7.2, virtual patching can be applied to traffic destined to the FortiGate by applying IPS signatures to the local-in interface using local-in policies. 

For example, attacks generated towards GUI and SSH management access can be mitigated using IPS signatures pushed from FortiGuard, thereby virtually patching these vulnerabilities and protecting FortiGate itself:

Virtual Patching on the local in-management interface (7.2.4) - FortiGate documentation.

Optimize virtual patching on the local-in interface.

NAC Policy:

From v7.4.0, virtual patching for Operational Technology (OT) and Internet of Things (IoT) involves dynamically assigning VLANs based on device vulnerabilities. 

To implement this, a FortiGate (FGT) along with a FortiSwitch (FSW) is required. Additionally, the FSW equipment needs to be managed through Fortilink:

Support OT and IoT virtual patching on NAC policies - FortiGate documentation.

It is essential to have IoT and OT licenses, including the Attack Surface Security Rating Service and FortiGuard OT Security Service.

Virtual Patching Profile:

Additionally, for OT devices, a virtual patching profile can be applied to firewall policies in any direction, protecting traffic from or to the vulnerable OT devices. 

Virtual patching profiles can also be combined with virtual patching on NAC policies, so that vulnerable OT devices are first assigned to a protected VLAN, and then firewall policies associated with the VLAN will apply the virtual patching profile.

Virtual patching profile

It is essential to subscribe to the appropriate OT-related license (Operational Technology Security Service).

Moreover, IoT security begins with best practices to safeguard devices, and then the network environment.

(Key Recommendations) Best practices for IoT security include:

• IoT Endpoint Protection.
• IoT Gateway Security.
• Securing Cloud API.
• Developing a Secure Network.
• Up-to-date Data Encryption.
• Protected Data Storage.

For more info on IoT best practices:

IoT Security Best Practices - Fortinet Cyberglossary

In addition, Fortinet's IoT security solution, FortiNAC, offers enhanced visibility, control, and automated response to ensure security in the dynamic landscape of IoT devices.

In v7.4 and above, the 'FortiGuard IoT Detection Service' has been replaced with the 'FortiGuard Attack Surface Security Service'.

Thus, when verifying the licensing in FortiCare Asset Management, the activation and expiration dates for the 'FortiGuard Attack Surface Security Service' license should be considered.

IoT/OT on low-end FortiGate models with 2 GB RAM:

On low-end FortiGate models with 2 GB RAM, querying a large number of IoT/OT device vulnerabilities (Each device has a lot of vulnerability data) using /api/v2/monitor/user/device/query can lead to high memory usage, conserve mode, or process crashes. This behavior is related to a known issue (Mantis 1043189) and is resolved in v7.2.12, v7.4.8, and v7.6.3.

This behavior can lead to:

• Memory spikes of 500+ MB per request.
• The system is entering conserve mode.
• GUI slowness or even crashes of the httpsd process.
• IoT detection failing or freezing.