Integrating IoTVAS API with Qualys Cloud Platform for IoT/connected device discovery and vulnerability assessment
We demonstrate the integration of IoTVAS with Qualys Cloud Platform, a market-leading continuous security and compliance monitoring platform for enterprises. The platform is designed to automate auditing and compliance checks of IT assets and mobile endpoints; accurate asset discovery and risk assessment of purpose-built IoT and connected devices such as IP cameras, network-connected printers and OT devices, however, remains a challenge. In this post, we show an example of this gap and use the IoTVAS API to write a connector application that accurately discovers such devices on the network and pushes a detailed device profile and firmware-level vulnerabilities into Qualys Cloud Platform, where they can be easily searched and managed.
Scanning an OT and an IoT device with Qualys
The following figures show the device detection and vulnerability scan results of a Phoenix Contact AXC F-2152 PLC and an AXIS A1001 physical access control device. The scan was performed with the latest scanner and signature versions of the Qualys virtual scanner appliance.
Qualys was not able to determine the device manufacturer, model name or device type. The PLC vulnerabilities suggest that it is running outdated software, but without knowing the device type, model, manufacturer and current firmware version, it would be difficult for a user to work out the exact mitigation steps needed to remediate them. Similarly, no such information was available for the building access control device. In the following section, we use the IoTVAS API to obtain a detailed profile of each device, including manufacturer, model name, firmware version, device type, outdated-firmware status and device end-of-life status. IoTVAS also reports the known vulnerabilities (CVEs) associated with the device as well as vulnerabilities inside the firmware code of the device.
IoTVAS Connector for Qualys Cloud Platform
The IoTVAS API only requires a set of network service responses and banners from the target connected device to identify it and return a detailed device profile, CVEs and firmware-level vulnerabilities. We use an Nmap script to collect the network service responses from the target devices. Once IoTVAS returns the device profile and vulnerabilities for a given network asset, we create “asset tags” that encode that information, such as “Vendor: YYY”, “Model: XXX” and “CVE-XXX”, and attach them to the asset using the Qualys Asset Management (AM) API. The source code of this connector, with instructions for installing and running it, is published here.
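To make the connector's three steps concrete, here is an added example in Python that is not the connector's own code: it pulls service banners out of an Nmap XML report, turns an IoTVAS-style device profile into the flat "Key: value" tag names described above, and builds the XML ServiceRequest bodies the Qualys AM API expects. The Nmap report and the IoTVAS response are constructed samples; the banner field names sent to IoTVAS and the nested layout of the profile JSON are assumptions for this example (check the IoTVAS Swagger UI for the real schema), and the Qualys request shape follows the documented AM API but should be verified against your subscription's API server.

```python
"""Added example, not the IoTVAS connector's own code.

Runs offline on constructed input. Assumed (not taken from the post):
  * IoTVAS banner field names (ftp_banner, telnet_banner, http_response,
    snmp_sysdescr) and the nested layout of the profile JSON;
  * Qualys AM API request bodies, which follow the documented
    /qps/rest/2.0/{create,update}/am/... XML ServiceRequest format.
"""
import json
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# --- 1. Banners from an Nmap XML report (constructed sample) ---------------
NMAP_XML = """<nmaprun>
 <host><address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="21"><state state="open"/>
    <script id="banner" output="220 FTP server ready."/></port>
   <port protocol="tcp" portid="80"><state state="open"/>
    <script id="http-title" output="Device Web Interface"/></port>
   <port protocol="udp" portid="161"><state state="open"/>
    <script id="snmp-sysdescr" output="Example OS 1.2.3"/></port>
  </ports>
 </host>
</nmaprun>"""

# (port, NSE script id) -> banner field sent to IoTVAS (field names assumed).
SCRIPT_TO_FIELD = {
    ("21", "banner"): "ftp_banner",
    ("23", "banner"): "telnet_banner",
    ("80", "http-title"): "http_response",
    ("161", "snmp-sysdescr"): "snmp_sysdescr",
}

def nmap_to_detect_payloads(nmap_xml):
    """Return {ip: banner dict}; one dict per host is what IoTVAS needs."""
    payloads = {}
    for host in ET.fromstring(nmap_xml).iter("host"):
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        fields = {}
        for port in host.iter("port"):
            for script in port.iter("script"):
                field = SCRIPT_TO_FIELD.get((port.get("portid"), script.get("id")))
                if field:
                    fields[field] = script.get("output")
        payloads[ip] = fields
    return payloads

# --- 2. IoTVAS profile -> Qualys tag names (constructed response) ----------
IOTVAS_RESPONSE = json.loads("""{
  "manufacturer": "ExampleCorp", "model_name": "EX-100", "device_type": "PLC",
  "firmware_version": "1.2.3", "latest_firmware_version": "1.4.0",
  "is_discontinued": true,
  "cve_list": [{"cve_id": "CVE-2020-0001"}],
  "firmware_info": {
    "risk_summary": {"network_services": "high", "kernel": "medium",
                     "client_tools": "low", "crypto_libs": "medium"},
    "cve_list": [{"cve_id": "CVE-2019-0002"}],
    "default_accounts": ["root", "admin"]
  }
}""")

def profile_to_tags(p):
    """Flatten the profile into the 'Key: value' tag scheme the post uses."""
    tags = [f"Vendor: {p['manufacturer']}", f"Model: {p['model_name']}",
            f"Device Type: {p['device_type']}", f"Firmware: {p['firmware_version']}"]
    if p.get("is_discontinued"):
        tags.append("Status: Discontinued")
    latest = p.get("latest_firmware_version")
    if latest and latest != p["firmware_version"]:   # simple inequality check
        tags.append("Status: Outdated Firmware")
    tags += [c["cve_id"] for c in p.get("cve_list", [])]            # device CVEs
    fw = p.get("firmware_info") or {}
    tags += [f"FW: {c['cve_id']}" for c in fw.get("cve_list", [])]   # 3rd-party component CVEs
    tags += [f"FW Risk {k}: {v}" for k, v in fw.get("risk_summary", {}).items()]
    tags += [f"Default Account: {a}" for a in fw.get("default_accounts", [])]
    return tags

# --- 3. Qualys AM API bodies (XML ServiceRequest) --------------------------
def create_tag_request(name):
    """Body for POST /qps/rest/2.0/create/am/tag; name is XML-escaped."""
    return ("<ServiceRequest><data><Tag><name>"
            f"{escape(name)}</name></Tag></data></ServiceRequest>")

def host_asset_tag_request(tag_ids):
    """Body for POST /qps/rest/2.0/update/am/hostasset/<assetId>."""
    adds = "".join(f"<TagSimple><id>{int(t)}</id></TagSimple>" for t in tag_ids)
    return ("<ServiceRequest><data><HostAsset><tags><add>"
            f"{adds}</add></tags></HostAsset></data></ServiceRequest>")

if __name__ == "__main__":
    print(json.dumps(nmap_to_detect_payloads(NMAP_XML), indent=1))
    for t in profile_to_tags(IOTVAS_RESPONSE):
        print(create_tag_request(t))
```

The bodies are sent with HTTP basic authentication and `Content-Type: text/xml`, as the AM API documents; tag ids for `host_asset_tag_request` come from the `create/am/tag` response (or a `search/am/tag` lookup so that existing tags such as "Vendor: ExampleCorp" are reused rather than duplicated across assets).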
IoTVAS and Qualys Integration Results
The following figures show the asset summary pages of the PLC and the building access control device after being probed with the IoTVAS connector. The connector has tagged the devices with the detailed device profile, firmware risk summaries in four categories (network services, kernel, client tools and crypto libraries), the associated CVE IDs (for the device itself and for 3rd-party components inside the device firmware, the latter identified by the “FW: ” prefix), as well as the default user account names of the current firmware version.
With the help of these tags, which encode device manufacturer, model name, firmware version and vulnerabilities, Qualys users can easily build custom dashboards to identify their IoT assets and manage their vulnerabilities. The following figure shows such a dashboard, tracking high-risk IoT devices, devices with outdated firmware versions and discontinued devices. It also lets the user identify devices with default account names and crypto keys embedded in the firmware, so that they can initiate a response to ensure these credentials are changed after device provisioning.
In the following video we demonstrate discovery and vulnerability identification of a PLC device with the IoTVAS connector for Qualys:
To get started with the IoTVAS API, please register for an API key here. The API documentation page includes a Swagger UI that lets you evaluate the IoTVAS endpoints right from your browser without writing any code.