The Problem with Internet of Things Security
New IoT devices intended to make life easier are popping up everywhere. Unfortunately, inadequate security can turn them into anything but a helping hand. Towards the end of 2016, portions of the internet remained inaccessible due to a denial of service attack against the Dyn DNS servers. After investigating, it was found to be a DDoS (Distributed Denial of Service) attack against Dyn from a range of IoT devices running botnet software designed to flood a given web service with traffic. These devices came from a variety of manufacturers and were compromised through the use of default user IDs and passwords. In many cases, these included devices from little-known OEM manufacturers. However, these security issues can impact well-known companies too. One example is Sony: a set of previously undocumented user IDs and passwords was found to affect over 80 different models of Sony IPELA IP security cameras. Security problems are not restricted to password issues alone. Both consumers and producers of these devices share responsibility for thwarting IoT hacks.
Scope of the problem:
Security issues aren’t just about launching denial of service attacks. Compromised devices can be used to generate spam by emailing content to other devices. Content collected by these devices can be unknowingly sent to other parties as well. Imagine your printer sending the tax return document you just printed to another party. Devices can also monitor network traffic on your local network and send portions of it to a third party. Compromised IoT devices can also serve as proxies designed to anonymize traffic. Impacted devices range from routers to IP webcams, and even that TV streaming box you’re using to watch Netflix.
Responsibility for Consumers:
Unboxing that new IoT device always comes with some high anticipation and the desire to try it out right away. Many users ignore or skip steps in setting up devices. Often that setup process includes establishing a unique password for the device. Consumers need to remember that when setting up an IoT device they are essentially setting up another computer. These days, people certainly think a bit about installing anti-virus software and using a unique password when setting up a new laptop. Consumers are aware of the need to install security updates to their computer operating system as the vendor releases them. However, when plugging in that $50 wireless IP camera, these cautions seem to fade away. The situation with IoT devices is not unlike PC security in the early days of consumer internet access, some 15 to 20 years ago.
In many cases, devices are loaded with a standard, default password when they ship from the factory. As such, legions of devices run with the same password. Malware such as the “Mirai” bot scans the network for devices and attempts to connect to them using known default user IDs and passwords. These devices and related passwords are then recorded by a central server and used as compromised devices in subsequent attacks. The collected list of vulnerable devices may then be sold off to another party who will use the devices to engage in cybercrime activities.
Many consumers assume that their home networks are protected by the firewall functionality provided by their router. What they may be unaware of is that “holes” can be automatically opened in the firewall by IoT devices using UPnP, making those devices accessible from the internet. UPnP was designed to make devices easier to install, but unfortunately, it has the side-effect of weakening security as well. Most routers enable UPnP by default. Few consumers are aware of the risks, or of the ability to turn UPnP off. Even the US Department of Homeland Security has issued a security tip encouraging users to disable UPnP.
Device manufacturers may also release periodic updates to the devices to improve functionality or tighten security. Often, these updates are never installed because the update process is too onerous for the consumer to complete or because the consumer is entirely unaware that the update exists.
At a minimum, consumers should follow these basic recommendations:
- Change passwords on devices when installing them
- Apply software updates when they become available. Some devices like the Chromecast, Amazon Fire TV, etc. update automatically.
- When selecting a new device, try to select devices that receive updates automatically.
- Adjust network security settings to disable UPnP where possible.
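Whether UPnP has already punched holes in your firewall can be checked rather than guessed: the router's UPnP Internet Gateway Device service answers a GetGenericPortMappingEntry request with one port mapping per index until it returns UPnP error 713 (index past the last entry). The following is an added example, not code from the article, that walks that table and flags mappings exposing a Telnet, SSH, admin or RTSP port on a LAN device; the router's control URL is device-specific and not shown, and `fake_fetch` with its sample table is a constructed stand-in for the HTTP POST a real audit would make to that URL.

```python
import xml.etree.ElementTree as ET

# Namespaces: UPnP IGD service, SOAP envelope, UPnP control (fault details). Control URL is device-specific.
IGD = "urn:schemas-upnp-org:service:WANIPConnection:1"
S = "http://schemas.xmlsoap.org/soap/envelope/"
CTL = "urn:schemas-upnp-org:control-1-0"
# Internal ports an IoT device should never expose to the internet (the Telnet/SSH debug services above).
SENSITIVE = {23: "telnet", 22: "ssh", 80: "http admin", 554: "rtsp camera stream"}

def build_request(index):  # SOAP body for GetGenericPortMappingEntry at position `index` of the table
    return (f'<s:Envelope xmlns:s="{S}"><s:Body><u:GetGenericPortMappingEntry xmlns:u="{IGD}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>')

def parse_mapping(response_xml):
    """Return the mapping's argument fields as a dict, or None on UPnP error 713 (past the last entry)."""
    payload = ET.fromstring(response_xml).find(f"{{{S}}}Body")[0]
    if payload.tag == f"{{{S}}}Fault":
        code = payload.findtext(f".//{{{CTL}}}errorCode", default="").strip()
        if code == "713":
            return None
        raise ValueError(f"IGD fault {code!r}")
    return {child.tag: (child.text or "").strip() for child in payload}

def audit_port_mappings(fetch, limit=256):
    """Walk the table via fetch(soap_request) -> soap_response; return (client, port, service, ext) findings."""
    findings = []
    for index in range(limit):
        mapping = parse_mapping(fetch(build_request(index)))
        if mapping is None:  # error 713: no more entries
            break
        port = int(mapping["NewInternalPort"])
        if port in SENSITIVE:
            findings.append((mapping["NewInternalClient"], port, SENSITIVE[port],
                             f"{mapping['NewProtocol']}/{mapping['NewExternalPort']}"))
    return findings

# Constructed sample table standing in for a real router: (ext port, protocol, int port, client, description).
SAMPLE_TABLE = [("8080", "TCP", "80", "192.168.1.50", "Cam web UI"),
                ("2323", "TCP", "23", "192.168.1.50", ""),
                ("51413", "TCP", "51413", "192.168.1.20", "BitTorrent")]

def fake_fetch(request_xml):  # answers like an IGD: an entry for a valid index, fault 713 beyond the table
    index = int(ET.fromstring(request_xml).findtext(".//NewPortMappingIndex"))
    if index >= len(SAMPLE_TABLE):
        return (f'<s:Envelope xmlns:s="{S}"><s:Body><s:Fault><detail><UPnPError xmlns="{CTL}">'
                '<errorCode>713</errorCode></UPnPError></detail></s:Fault></s:Body></s:Envelope>')
    ext, proto, internal, client, desc = SAMPLE_TABLE[index]
    return (f'<s:Envelope xmlns:s="{S}"><s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="{IGD}">'
            f'<NewExternalPort>{ext}</NewExternalPort><NewProtocol>{proto}</NewProtocol>'
            f'<NewInternalPort>{internal}</NewInternalPort><NewInternalClient>{client}</NewInternalClient>'
            f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
            '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')
```

Against a real router, replace `fake_fetch` with a function that POSTs the request to the IGD control URL with the `SOAPAction` header set to `"urn:schemas-upnp-org:service:WANIPConnection:1#GetGenericPortMappingEntry"` and returns the response body; two findings on the sample table above mean the camera's web UI and Telnet port are reachable from the internet.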
Responsibility for Producers:
The producers of IoT devices have much work to do in improving device security. The default password issue certainly needs to be resolved. Each device should receive a unique default password at the time of manufacture, or the consumer should be required to set a password during the process of installing the device. This would go a long way in thwarting malware like Mirai, which attempts to harvest a list of devices using default credentials.
Other vulnerabilities stem from non-essential services running on some devices. Many IoT devices are based on some variant of Linux and may be running services such as Telnet or SSH even when these are not essential to the normal operation of the device. While these services were likely added to aid in the initial development and debugging of the device, they remain enabled after that process is complete. These non-essential services are not typically exposed to the end user for configuration, so there is no way for a consumer to take action even if they are aware of their existence.
Relying on end-users to manually update devices is likely to result in the majority of devices still running the software that was originally installed on them. We’ve certainly seen this in the past with browser updates on PCs. If security vulnerabilities are later discovered, these devices will remain vulnerable unless the consumer takes action. A better approach is to have the device be self-updating, much like how Chromecast or Roku devices update themselves. This is the only way to ensure that the vast majority of devices receive updates promptly.
Manufacturers should be more proactive by notifying users of devices that are running an outdated configuration and need to be updated. Additionally, consumers need better education on what they can reasonably expect for a device “support lifetime.” Each device has an anticipated lifetime over which updates can be expected. At the conclusion of this period, the consumers need to be informed that the device is no longer supported. Clearly, devices can’t be supported forever, but presently most manufacturers provide little information on what consumers can expect and how the device will function at the conclusion of the support period.
Reducing the “attack surface” of devices is also something that needs to be addressed by manufacturers. Presently, most IoT devices work independently from one another. Each establishes its own connection to the internet and handles its own inbound and outbound traffic. Instead, a hub and spoke approach could be employed wherein the IoT devices do not directly connect to the internet at all, but rather rely on an intermediary to carry out all internet traffic. Devices are then isolated from direct internet connections, and the responsibility for security shifts to the “hub” device. The burden of closing security loopholes across the many devices that might exist in the home is then reduced. A hub approach such as this would require cooperation between IoT vendors, but given increased government interest in internet security, device manufacturers may find themselves pressured to collaborate in solving security issues.
Security software and hardware vendors see an opportunity as well. At CES 2017, Symantec announced the Norton Core WiFi router. As security threats move beyond the PC and the realm of traditional antivirus and anti-malware software, the development of a hardware solution that can protect other devices on the network is a logical progression. Norton Core performs deep packet inspection on incoming traffic as well as monitoring traffic between devices already on the network. If suspicious activity is detected, such as the repeated default-password login attempts the Mirai botnet makes, it can quarantine the affected device and send a push notification to a cell phone warning of the problem. The Core router will cost $279 when it is released and will require a $10/month subscription fee after the first year of use. This type of cost will reduce the appeal to some consumers, but as we’ve seen in antivirus and malware solutions, competing products will likely enter the marketplace shortly and drive down costs further.
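The suspicious activity a device like Norton Core looks for, repeated default-account login attempts of the kind described in the Mirai paragraph under Responsibility for Consumers, can be expressed as a small detection over a device's login log. This is an added example, not the article's or Symantec's code: the telnet-daemon log format is a hypothetical, constructed one, the account list and thresholds are assumptions to tune, and a second alert fires when a login succeeds after such a burst, which is the point at which quarantining the device is warranted.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Accounts a Mirai-style bot tries with factory passwords; failures on other accounts are treated as ordinary.
DEFAULT_ACCOUNTS = {"root", "admin", "user", "guest", "support"}
WINDOW_SECONDS = 60   # sliding window per (source, device)
THRESHOLD = 5         # default-account failures inside the window that count as a spray (tunable)
# Constructed format of a hypothetical IoT telnet daemon: "<iso-ts> <device> telnetd: login <failed|ok> user=<u> from=<ip>"
LINE = re.compile(r"^(\S+) (\S+) telnetd: login (failed|ok) user=(\S+) from=(\S+)$")

def parse_line(line):  # one log line -> event dict, or None when the line does not match the format
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, host, outcome, user, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "ok": outcome == "ok", "user": user, "src": src}

def detect(lines):
    """Return (kind, src, device, detail) alerts: 'spray' on a burst of default-account failures,
    'compromise' when the same source then logs in, i.e. a factory credential worked."""
    failures = defaultdict(deque)   # (src, device) -> deque of (ts, user) default-account failures in window
    sprayers, alerts = set(), []
    for ev in filter(None, map(parse_line, lines)):
        key = (ev["src"], ev["host"])
        if ev["ok"]:
            if key in sprayers:
                alerts.append(("compromise", *key, f"login as {ev['user']} after spray; quarantine device"))
        elif ev["user"] in DEFAULT_ACCOUNTS:
            q = failures[key]
            q.append((ev["ts"], ev["user"]))
            while (ev["ts"] - q[0][0]).total_seconds() > WINDOW_SECONDS:  # expire attempts older than window
                q.popleft()
            if len(q) >= THRESHOLD and key not in sprayers:
                sprayers.add(key)
                users = sorted({u for _, u in q})
                alerts.append(("spray", *key, f"{len(q)} default-account failures in {WINDOW_SECONDS}s: {users}"))
    return alerts

# Constructed sample: a spray-then-success from 203.0.113.7, then a legitimate user mistyping once.
SAMPLE_LOG = """\
2016-10-21T11:12:01 ipcam telnetd: login failed user=root from=203.0.113.7
2016-10-21T11:12:02 ipcam telnetd: login failed user=root from=203.0.113.7
2016-10-21T11:12:04 ipcam telnetd: login failed user=admin from=203.0.113.7
2016-10-21T11:12:05 ipcam telnetd: login failed user=admin from=203.0.113.7
2016-10-21T11:12:07 ipcam telnetd: login failed user=support from=203.0.113.7
2016-10-21T11:12:09 ipcam telnetd: login ok user=admin from=203.0.113.7
2016-10-21T11:15:30 ipcam telnetd: login failed user=alice from=192.168.1.20
2016-10-21T11:15:41 ipcam telnetd: login ok user=alice from=192.168.1.20
""".splitlines()
```

Running `detect(SAMPLE_LOG)` yields a spray alert at the fifth failure and a compromise alert at the following successful login, while the single mistyped password from the LAN user produces nothing.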
The IoT industry is still in a fledgling period where expectations are beginning to form. The consumers of IoT devices are still in the honeymoon period, and the producers of such devices have the opportunity to make a lasting first impression. Device vulnerabilities can seriously undermine consumer confidence in a device vendor, and potentially the whole concept of internet connected devices. Behavior such as the Chinese government threatening legal action against those questioning the security of devices is a great way to alienate customers and illustrates how far off some companies, and government leaders, are from addressing these issues with IoT. While much of this article has focused on consumer-related IoT devices, the same risks apply to businesses who use IoT devices. When deployed over internal networks, these devices can add further risk to a company’s infrastructure.
In the meantime, while we wait for the IoT business to get its act together we’ll need to expect further network disruptions until the industry aligns and takes this issue seriously. For now, you’ll have to excuse me; I have to unplug my toaster again, so it stops sending out spam.