Internet of Things (IoT) security: what is and what should never be

Internet of Things (IoT) security: what is and what should never be

The Internet has penetrated seemingly all technological advances today, resulting in Internet for ALL THE THINGS. What was once confined to a desktop and a phone jack is now networked and connected in multiple devices, from home heating and cooling systems like the Nest to AI companions such as Alexa. The devices can pass information through the web to anywhere in the world—server farms, company databases, your own phone. (Exception: that one dead zone in the corner of my living room. If the robots revolt, I’m huddling there.)

This collection of inter-networked devices is what marketing folks refer to as the Internet of Things (IoT). You can’t pass a REI vest-wearing Silicon Valley executive these days without hearing about it. Why? Because the more we send our devices online to do our bidding, the more businesses can monetize them. Why buy a regular fridge when you can spend more on one that tells you when you’re running out of milk?

Internet of Things

Unfortunately (and I’m sure you saw this coming), the more devices we connect to the Internet, the more we introduce the potential for cybercrime. Analyst firm Gartner says that by 2020, there will be more than 26 billion connected devicesexcluding PCs, tablets, and smartphones. Barring an unforeseen Day After Tomorrow–style global catastrophe, this technology is coming. So let’s talk about the inherent risks, shall we?

What’s happening with IoT cybercrime today?

Both individuals and companies using IoT are vulnerable to breach. But how vulnerable? Can criminals hack your toaster and get access to your entire network? Can they penetrate virtual meetings and procure a company’s proprietary data? Can they spy on your kids, take control of your Jeep, or brick critical medical devices?

So far, the reality has not been far from the hype. Two years ago, a smart refrigerator was hacked and began sending pornographic spam while making ice cubes. Baby monitors have been used to eavesdrop on and even speak to sleeping (or likely not sleeping) children. In October 2016, thousands of security cameras were hacked to create the largest-ever Distributed Denial of Service (DDoS) attack against Dyn, a provider of critical Domain Name System (DNS) services to companies like Twitter, Netflix, and CNN. And in March 2017, Wikileaks disclosed that the CIA has tools for hacking IoT devices, such as Samsung SmartTVs, to remotely record conversations in hotel or conference rooms. How long before those are commandeered for nefarious purposes?

Privacy is also a concern with IoT devices. How much do you want KitchenAid to know about your grocery-shopping habits? What if KitchenAid partners with Amazon and starts advertising to you about which blueberries are on sale this week? What if it automatically orders them for you?

At present, IoT attacks have been relatively scarce in frequency, likely owing to the fact that there isn’t yet huge market penetration for these devices. If just as many homes had Cortanas as have PCs, we’d be seeing plenty more action. With the rapid rise of IoT device popularity, it’s only a matter of time before cybercriminals focus their energy on taking advantage of the myriad of security and privacy loopholes.

Security and privacy issues on the horizon

According to Forrester’s 2018 predictions, IoT security gaps will only grow wider. Researchers believe IoT will likely integrate with the public cloud, introducing even more potential for attack through the accessing of, processing, stealing, and leaking of personal, networked data. In addition, more money-making IoT attacks are being explored, such as cryptocurrency mining or ransomware attacks on point-of-sale machines, medical equipment, or vehicles. Imagine being held up for ransom when trying to drive home from work. “If you want us to start your car, you’ll have to pay us $300.”

It’ll be like a real-life Monopoly game.

Privacy and data-sharing may become even more difficult to manage. For example, how do you best protect children’s data, which is highly regulated and protected according to the Children’s Online Privacy Protection Rule (COPPA), if you’re a maker of smart toys? There are rules about which personally identifiable information can and cannot be captured and transmitted for a reason—because that information can ultimately be intercepted.

Privacy concerns may also broaden to include how to protect personal data from intelligence gathering by domestic and foreign state actors. According to the Director of National Intelligence, Daniel Coats, in his May 2017 testimony at a Senate Select Committee on Intelligence hearing: “In the future, state and non-state actors will likely use IoT devices to support intelligence operations or domestic security or to access or attack targeted computer networks.”

In a nutshell, this could all go far south—fast.

So why are IoT defenses so weak?

Seeing as IoT technology is a runaway train, never going back, it’s important to take a look at what makes these devices so vulnerable. From a technical, infrastructure standpoint:

  • There’s poor or non-existent security built into the device itself. Unlike mobile phones, tablets, and desktop computers, little-to-no protections have been created for these operating systems. Why? Building security into a device can be costly, slow down development, and sometimes stand in the way of a device functioning at its ideal speed and capacity.
  • The device is directly exposed to the web because of poor network segmentation. It can act as a pivot to the internal network, opening up a backdoor to let criminals in.
  • There’s unneeded functionality left in based on generic, often Linux-derivative hardware and software development processes. Translation: Sometimes developers leave behind code or features developed in beta that are no longer relevant. Tsk, tsk. Even my kid picks up his mess when he’s done playing. (No he doesn’t. But HE SHOULD.)
  • Default credentials are often hard coded. That means you can plug in your device and go, without ever creating a unique username and password. Guess how often cyber scumbags type “1-2-3-4-5” and get the password right? (Even Dark Helmet knew not to put this kind of password on his luggage, nevermind his digital assistant.)

From a philosophical point of view, security has simply not been made an imperative in the development of these devices. The swift march of progress moves us along, and developers are now caught up in the tide. In order to reverse course, they’ll need to walk against the current and begin implementing security features—not just quickly but thoroughly—in order to fight off the incoming wave of attacks.

What are some solutions?

Everyone agrees this tech is happening. Many feel that’s a good thing. But no one seems to know enough or want enough to slow down and implement proper security measures. Seems like we should be getting somewhere with IoT security. Somehow we’re neither here nor there. (Okay, enough quoting Soul Asylum.)

Here’s what we think needs to be done to tighten up IoT security.

Government intervention

In order for developers to take security more seriously, action from the government might be required. Government officials can:

  • Work with the cybersecurity and intelligence communities to gather a series of protocols that would make IoT devices safer for consumers and businesses.
  • Develop a committee to review intelligence gathered and select and prioritize protocols in order to craft regulations.
  • Get it passed into law. (Easy peasy lemon squeezy)

Developer action

Developers need to bake security into the product, rather than tacking it on as an afterthought. They should:

  • Have a red team audit the devices prior to commercial release.
  • Force a credential change at the point of setup. (i.e., Devices will not work unless the default credentials are modified.)
  • Require https if there’s web access.
  • Remove unneeded functionality.

Thankfully, steps are already being taken, albeit slowly, in the right direction. In August 2017, Congress introduced the Internet of Things Cybersecurity Improvement Act, which seeks to require that any devices sold to the US government be patchable, not have any known security vulnerabilities, and allow users to change their default passwords. Note: sold to the US government. They’re not quite as concerned about the privacy and security of us civies.

And perhaps in response to blowback from social and traditional media, including one of our one posts on smart locks, Amazon is now previewing an IoT security service.

So will cybersecurity makers pick up the slack? Vendors such as Verizon, DigiCert, and Karamba Security have started working on solutions purpose-built for securing IoT devices and networks. But there’s a long way to go before standards are established. In all likelihood, a watershed breach incident (or several), will lead to more immediate action.

How to protect your IoT devices

 What can regular consumers and businesses do to protect themselves in the meantime? Here’s a start:

  • Evaluate if the devices you are bringing into your network really need to be smart. (Do you need a web-enabled toaster?) It’s better to treat IoT tech as hostile by default instead of inherently trusting it with all your personal info—or allowing it access onto your network. Speaking of…
  • Segment your network. If you do want IoT devices in your home or business, separate them from networks that contain sensitive information.
  • Change the default credentials. For the love of God, please come up with a difficult password to crack. And then store it in a password manager and forget about it.

The reason why IoT devices haven’t already short-circuited the world is because a lot of devices are built on different platforms, different operating systems, and use different programming languages (most of them proprietary). So developing malware attacks for every one of those devices is unrealistic. If businesses want to make IoT a profitable model, security WILL increase out of necessity. It’s just a matter of when. Until then…gird your loins.

ABOUT THE AUTHOR

Wendy Zamora

Editor-at-Large, Malwarebytes Labs

Wordsmith. Card-carrying journalist. Lover of meatballs.