| Description | This article describes how to detect vulnerability on IoT devices and workaround to mitigate such threats. |
| Scope | FortiGate FortiGuard IoT Service, Virtual Patching. |
| Solution |
An IoT device typically lacks the required built-in security to counter security threats. Common vulnerabilities and exposures allow cyber criminals to breach the device and use it as a foothold to launch sophisticated cyberattacks. IoT device vulnerabilities - Fortinet Cyberglossary. Fortinet's IoT solutions include FortiGuard Labs (Attack Surface Security Service) and the Fortinet Security Fabric, enhancing the oversight and regulation of IoT policies while providing deeper insights into device discovery. The FortiGuard IoT Detection Service (Attack Surface Security Service), integrated into the FortiGate NGFW, delivers robust IoT security. It provides active IoT device detection, IoT IPS security controls, and IoT device virtual patching in a single service. And as part of the Fortinet Security Fabric, all IoT devices can be secured, centrally managed, and continuously security updates are delivered across the Security Fabric. In order for FortiGate to detect IoT devices and its vulnerabilities, the configuration must meet the following specific requirements. 1. The FortiGate must have a valid IoT Detection Service license. With an IoT service subscription (Attack Surface Security Service), FortiGate has the capacity to transmit device information to the FortiGuard collection server. When a new device is identified, FortiGate initiates queries to the FortiGuard service to retrieve additional information about the device. This enables FortiGate to download an IoT Detection package for the identification of unknown devices or to perform queries in FortiGuard through the IoT Query service for devices not recognized by the local Device Database (CIDB) or the IoT Detection DB (APDB). Which means FortiGate will first try to detect the devices based on the information in the local device database (CIDB). If FortiGate is unable to detect the devices, then FortiGate queries the FortiGuard servers by sending the unknown device data to the FortiGuard servers and, in response, FortiGuard servers provide more information about the devices. For that, FortiGate must:
FortiGate uses IoT device detection by analyzing the traffic generated by IoT devices, extracting metadata, and storing a list of devices locally. IoT devices generate data as they communicate over the network, enabling the identification of additional device details, such as the operating system running on the IoT device.
The IoT detection service requires an internet connection to consistently receive updates for the signature packages from FortiGuard. The IoT device information includes the information source (src fortiguard). diagnose user device list hosts vd root/0 2e:67:2e:b0:10:e0 gen 6 req OHUSA/3e created 159s gen 3 seen 6s Wi-Fi gen 2 ip 10.100.10.2 src mac hardware vendor 'Samsung' src fortiguard id 1093 weight 230 type 'Phone' src fortiguard id 1093 weight 230 family 'Galaxy' src fortiguard id 1093 weight 230 os 'Android' src fortiguard id 1093 weight 230 hardware version 'A' src fortiguard id 1093 weight 230 software version '13' src fortiguard id 1093 weight 230 host 'Bijay-Prakash-Ghising' src dhcp 2. Device detection must be enabled on a LAN interface.
By default, when device detection is enabled, FortiGate performs passive scanning by analyzing incoming traffic. This enables FortiGate to identify devices and gather crucial information like MAC address, IP address, and the FortiGate interface through which the device is detected. config system interface edit <intf> set device-identification enable next end Devices are indexed by their MAC addresses. FortiGate uses a first come, first served approach to determine the device identity. For example, if a device is detected by the HTTP user agent, FortiGate updates its device table with the detected MAC address and scanning stops as soon as the type has been determined for that MAC address. Identification methods include analyzing the HTTP user-Agent header, TCP fingerprint, and MAC address OUI techniques, among others. diagnose user device list hosts vd root/0 2e:67:2e:b0:10:e0 gen 126 req 0 created 10534s gen 98 seen 22s Wi-Fi gen 22 ip 10.100.10.2 src mac hardware vendor 'Samsung' src http id 1093 weight 230 type 'Phone' src http id 1093 weight 230 family 'Galaxy' src http id 1093 weight 230 os 'Android' src http id 1093 weight 230 hardware version 'A' src http id 1093 weight 230 software version '13' src http id 1093 weight 230 Device identification is only effective if FortiGate and the workstations (endpoints) are directly connected network segments, where traffic is sent directly to FortiGate, and there is no intermediate router or Layer 3 device between FortiGate and the workstations. 3. Apply application control sensor in the firewall policy To run an effective IoT vulnerability scan, it is imperative that traffic is initiated from the IoT devices and traverses through the application sensor applied in the firewall policy. config firewall policy edit 0 set srcintf "Connected_Intf" set dstintf "Outgoing_Intf" set action accept set srcaddr "all" set dstaddr "all" set schedule "always" set service "ALL" set ssl-ssh-profile "certificate-inspection" set application-list "monitor" set logtraffic all set nat enabl next end For the purposes of demonstration, the following example was set up with detection applied on a secure LAN edge architecture:
Note: Traffic must be initiated from the IoT device for the detection to work. Results to view the IoT Vulnerabilities in GUI: View the vulnerable device from Security Fabric -> Asset Identity Center.
 Results to view IoT asset vulnerabilities in CLI: Since, devices are indexed by their MAC addresses. We can view the list by filtering with MAC address of IoT device. diagnose user-device-store device memory list | grep -B 5 -A 10 ‘2e:67:2e:b0:10:e0’ Record #2: device_info 'ipv4_address' = '10.100.10.2' 'mac' = '2e:67:2e:b0:10:e0' 'hardware_vendor' = 'Samsung' 'hardware_version' = 'A' 'hardware_type' = 'Phone' 'hardware_family' = 'Galaxy' 'vdom' = 'root' 'os_name' = 'Android' 'os_version' = '13' 'hostname' = 'Bijay-Prakash-Ghising' 'last_seen' = '1703654358' 'host_src' = 'dhcp' 'iot_vuln_count' = '100' 'total_vuln_count' = '100' 'device_type' = 'IOT' interface_info 'ipv4_address' = '10.100.10.2' 'mac' = '2e:67:2e:b0:10:e0' 'master_mac' = '2e:67:2e:b0:10:e0' 'detected_interface' = 'BPG-WiFi' 'last_seen' = '1703654358' 'is_master_device' = 'true' 'is_online' = 'true' 'fortiap_id' = 'FP221E' 'fortiap_ssid' = 'BPG-Wi-FI' 'fortiap_name' = 'FP221E' 'dhcp_lease_status' = 'leased' 'dhcp_lease_expire' = '1704258770' 'dhcp_lease_reserved' = 'false' To debug the daemon in the CLI: Disable the local device database in order to force all queries to go to FortiGuard. diagnose cid sigs disable Enable IoTD debugs: diagnose debug application iotd -1 diagnose debug enable 4. Mitigate through FortiGate Virtual Patching The IoT Detection Service with a FortiGate NGFW enables an advanced security control called virtual patching. This strategy uses a FortiGuard Labs IoT IPS signature to block network traffic that matches the IPS signature, preventing an infection just as if an IoT vendor patch had been deployed. This allows unpatched IoT devices to be protected with an IPS rule until a device patch can be applied (when possible), thereby adding robust IoT security controls to the network.
 In the dynamic landscape of IoT devices and an OT environment, FortiGate supports virtual patching in the following ways: 4.1. IPS The integrated IPS capability in FortiGate NGFWs offers deep packet inspection (DPI) to identify and block malicious traffic attempting to infiltrate the network. It uses signatures based on vulnerabilities or exploits that reference specific knwn vulnerabilities. As soon as the packet matches one of the signatures, the entire stream is blocked. IPS offers the ability to deploy a software patch in the form of IPS signature on a network that will protect that vulnerability from being exploited.
Apply an IPS sensor in the firewall policy that the IoT device traffic traverses. config firewall policy edit 0 set name "IoT Scan" set srcintf "BPG-WiFi" set dstintf "wan1" set action accept set srcaddr "BPG-WiFi address" set dstaddr "all" set schedule "always" set service "ALL" set utm-status enable set ssl-ssh-profile "certificate-inspection" set ips-sensor "IoT-IPS" set application-list "Application Senor" set nat enable next end 4.2. Local-in Policy: From v7.2, virtual patching can be applied to traffic destined to the FortiGate by applying IPS signatures to the local-in interface using local-in policies. For example, attacks generated towards GUI and SSH management access can be mitigated using IPS signatures pushed from FortiGuard, thereby virtually patching these vulnerabilities and protecting FortiGate itself. Virtual Patching on the local in-management interface (7.2.4) - FortiGate documentation. 4.3. NAC Policy: From v7.4.0, virtual patching for Operational Technology (OT) and Internet of Things (IoT) involves dynamically assigning VLANs based on device vulnerabilities. To implement this, a FortiGate (FGT) along with a FortiSwitch (FSW) is required. Additionally, the FSW equipment needs to be managed through Fortilink. Support OT and IoT virtual patching on NAC policies - FortiGate documentation. It is essential to have IoT and OT licenses, including the Attack Surface Security Rating Service and FortiGuard OT Security Service. 4.4. Virtual Patching Profile
Additionally, for OT devices, a virtual patching profile can be applied to firewall policies in any direction, protecting traffic from or to the vulnerable OT devices. Virtual patching profiles can also be combined with virtual patching on NAC policies, so that vulnerable OT devices are first assigned to a protected VLAN, and then firewall policies associated with the VLAN will apply the virtual patching profile. It is essential to subscribe to the appropriate OT-related license (Operational Technology Security Service). Moreover, IoT security begins with best practices to safeguard devices, then the network environment.
(Key Recommendations) Best practices for IoT security include:
For more info on IoT best practises: IoT Security Best Practices - Fortinet Cyberglossary In addition, Fortinet's IoT security solution, FortiNAC offers enhanced visibility, control, and automated response to ensure security in the dynamic landscape of IoT devices.
This article was written by Bijay Prakash Ghising. |
