In a previous blog post, we outlined integration of IoTVAS API for IoT/connected device discovery and security risk assessment with the NMAP network port scanner. In this post, we demonstrate integration of IoTVAS with the Rapid7 InsightVM that is a popular IT vulnerability management (VM) solution and is designed to scan and manage vulnerabilities of common IT assets such as servers and common endpoints. However, when it comes to purpose-built IoT or connected devices such as IP cameras, network printers and physical security devices, this solution and similar VM tools are not able to correctly and accurately identify these devices and their vulnerabilities. We demonstrate an example of such an issue and use IoTVAS API to write an IoT/connected device discovery and vulnerability assessment script that pushes detailed device profile and firmware level vulnerabilities directly into the InsightVM dashboard where they can be easily searched and managed.

Scanning an IP Camera with InsightVM

The following figures show the device detection and vulnerability scan results of an AXIS 207 IP camera when scanned by InsightVM version

Figure 1 - Device profile & risk summary of IP Camera
Figure 2 - IP Camera vulnerability scan results

InsightVM's device detection report listed only the manufacturer name (AXIS). From an asset management point of view, the device maker, model and device type are the bare-minimum information a device profile should include. InsightVM reported only one vulnerability on this device, and it was not a device-specific issue but an alert on the presence of a clear-text FTP service. No information about the device's end-of-life status, known vulnerabilities (CVEs) or firmware-level issues was reported. Based on this information, the user would conclude that, if the FTP server is disabled or not used, the device poses a low risk. This is an inaccurate conclusion, as the following section shows.

IoTVAS Connector for InsightVM

The IoTVAS API requires only a set of network service responses and banners from the target connected device to identify it and return a detailed device profile, CVEs and firmware-level vulnerabilities. We have two options for gathering host service banners:

  1. Using the service banners reported by the getAsset endpoint of the InsightVM API; this method lets us reuse the port scanning InsightVM has already done instead of re-scanning targets ourselves. However, it limits us to the network services that InsightVM probes by default (or according to the chosen scan template), so some devices would go undetected.
  2. Collecting network service responses ourselves with a simple NSE script; this method has been used successfully for the IoTVAS and NMAP integration and gives the best detection results.

We chose the second method and wrote an NSE script that gathers network service responses from a target host. Once IoTVAS returns the device profile and vulnerabilities for a given network asset, we create “asset tags” that encode that information, such as “Vendor: YYY”, “Model: XXX” and “CVE-XXX”, and attach them to the asset using the InsightVM tags API. The source code of this connector and instructions for installing and running it are available here.
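As an added illustration (not the connector's own code), the Python below turns a device report in the shape the text describes into InsightVM asset tags and syncs them onto an asset, detaching connector-owned tags that a re-scan no longer reports while leaving hand-made tags alone. The report field names, the InsightVM API v3 paths (/api/3/tags and /api/3/assets/{id}/tags/{tagId}) and all sample values are assumptions or constructed data; verify the paths against your console's API documentation.

```python
"""InsightVM tags from an IoTVAS-style device report, synced onto an asset. Field names,
API v3 paths and sample values are assumed/constructed; this is not the connector's code."""
OWNED = ("Vendor: ", "Model: ", "Device Type: ", "Firmware: ", "EOL: ", "CVE-")  # tags we manage
FIELDS = (("manufacturer", "Vendor"), ("model_name", "Model"),
          ("device_type", "Device Type"), ("firmware_version", "Firmware"))

def build_tags(report):
    """Profile fields become 'Label: value' tags; CVE ids are normalised and de-duplicated."""
    tags = [f"{label}: {report[key]}" for key, label in FIELDS if report.get(key)]
    if "is_discontinued" in report:
        tags.append("EOL: yes" if report["is_discontinued"] else "EOL: no")
    cves = dict.fromkeys(c.strip().upper() for c in report.get("cve_list", []))
    return tags + [c for c in cves if c.startswith("CVE-")]

def plan_tag_sync(current_tags, wanted_tags):
    """(to_add, to_remove): a re-scan drops stale owned tags but never touches user tags."""
    current, wanted = set(current_tags), set(wanted_tags)
    to_add = [t for t in wanted_tags if t not in current]
    return to_add, sorted(t for t in current - wanted if t.startswith(OWNED))

def sync_asset(http, asset_id, report):
    """http: object with get/post/put/delete(path, json=None) returning parsed JSON,
    e.g. a wrapper around requests.Session holding the console URL and credentials."""
    current = {t["name"]: t["id"] for t in http.get(f"/api/3/assets/{asset_id}/tags")["resources"]}
    to_add, to_remove = plan_tag_sync(current, build_tags(report))
    for name in to_remove:  # detach the stale tag from this asset; the tag itself is kept
        http.delete(f"/api/3/assets/{asset_id}/tags/{current[name]}")
    for name in to_add:     # reuse a tag that already exists console-wide, else create it
        found = http.get("/api/3/tags", {"name": name})["resources"]
        tag_id = found[0]["id"] if found else http.post("/api/3/tags", {"name": name, "type": "custom"})["id"]
        http.put(f"/api/3/assets/{asset_id}/tags/{tag_id}")
    return to_add, to_remove

class FakeConsole:
    """Records calls and serves canned GET responses so the example runs offline."""
    def __init__(self, canned): self.canned, self.calls = canned, []
    def get(self, path, json=None):
        self.calls.append(("GET", path, json))
        return self.canned.get((path, (json or {}).get("name")), {"resources": []})
    def post(self, path, json=None): self.calls.append(("POST", path, json)); return {"id": 99}
    def put(self, path, json=None): self.calls.append(("PUT", path, json))
    def delete(self, path, json=None): self.calls.append(("DELETE", path, json))

# Constructed sample: placeholder CVE ids; asset 7 already carries one stale CVE tag and a
# hand-made "Owner:" tag that must survive; "CVE-XXXX-0001" already exists console-wide.
SAMPLE_REPORT = {"manufacturer": "AXIS", "model_name": "207", "device_type": "IP Camera",
                 "firmware_version": "4.40", "is_discontinued": True,
                 "cve_list": ["CVE-XXXX-0001", " cve-xxxx-0002", "CVE-XXXX-0001"]}
CANNED = {("/api/3/assets/7/tags", None): {"resources": [{"id": 1, "name": "Vendor: AXIS"},
          {"id": 2, "name": "CVE-XXXX-0009"}, {"id": 3, "name": "Owner: facilities"}]},
          ("/api/3/tags", "CVE-XXXX-0001"): {"resources": [{"id": 5, "name": "CVE-XXXX-0001"}]}}
```

Run it as `sync_asset(FakeConsole(CANNED), 7, SAMPLE_REPORT)`; against a real console, replace FakeConsole with a small wrapper that adds the base URL and HTTP basic authentication to each call.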

IoTVAS and InsightVM Integration Result

The following figure shows the InsightVM asset information page for the IP camera after the device was probed with the IoTVAS connector script, which augmented the asset with a detailed device profile and vulnerabilities in the form of custom asset tags.

Figure 3 - Device profile and vulnerabilities added to InsightVM

Now the user can view the device maker, model, type, firmware version, end-of-life status and the CVEs of vulnerable third-party components inside this IP camera's firmware. More importantly, the InsightVM query builder can be used to create dashboards that track and manage vulnerable IoT/connected devices based on the asset tags the IoTVAS connector adds and updates. This lets InsightVM users bring IoT devices into their existing IT vulnerability management platform without having to deploy and operate a separate solution.

In the following video we demonstrate discovery and vulnerability identification of a networked building access control system with the IoTVAS connector for InsightVM:

To get started with the IoTVAS API, register for an API key here. The API documentation page includes a Swagger UI that lets you try the IoTVAS endpoints from your browser without writing any code.