This will not come as a newsflash, but IoT (Internet of things) is growing. It has been growing at an explosive rate the last couple of years, and it is not showing any signs of slowing down. Because of this, what is also not slowing down, are attacks against IoT. The first half of 2019, Kaspersky detected 12 million attacks originating from around 69,000 unique IP Addresses. This leaves me wondering, how the end of 2020 will look like. Humanity’s thirst for simplicity and automation is here to stay. We just have to make sure it is secured.
The creation of the Internet
If we look back at the creation of the Internet, as we know it, it was not built with security in mind. No one could predict the current cyber threat landscape that was unfolding and becoming what we see today. The rest of our technologies were stacked on top, so the foundation cannot be changed without breaking or altering other technologies. Breaking this down, the security issues we are facing are mostly inherited and can still be attacked the same way today as 10 years ago. All of this because we did not have security in mind. This mishap is what we in Security strive to mitigate by having security and testing as a part of the entire process. Now with that line of thinking, let us take our thoughts back to IoT and our current predicament.
The IoT we use today was inherited from the industrial sector where automation have been used for over four decades. Here, automation and semi-automation are king. Thinking security, in combination with industrial, would dethrone that king and make him the court jester. You might have heard that there is a lack of security in the industrial sector. A good example of this is the infamous Stuxnet, which was discovered 10 years ago and was a real eye opener. If we fast forward to where we are now, IoT is everywhere: Smart Light bulbs, door locks, garage openers, AC and even toasters. Everything seems to be connected. Comparing Stuxnet to the sophisticated attacks, we have today, would be like comparing the old 15” Black-And-White TV to a top of the line OLED with 4k resolution. Stuxnet today is considered something from the stone age, and that is how fast cyber-attacks and their complexity change. And the attacks we see today are based on some fundamental issues that manufacturers have neglected.
What are the pitfalls of IoT, we need to address?
Somewhat based on the OWASP TOP 10 Internet of Things, the following would hold true. Though it is not a top10 list, but more of a summary of four main pillars where IoT fails today.
Product End of Life
This happens too fast, and where the vendor can state “End of life” and have zero to no obligation on patching or maintaining the product.
A real-life example of this happened to me when buying a new TV. After a year, I wanted to look at the security of it. During my testing, I quickly discovered a vulnerability allowing me to execute code on the TV itself. This allowed me to compromise the entire TV. As any good researcher would do, I contacted the manufacturer and told them about the vulnerability. They said that there will only be two more patches that have already been in the works and ready to be deployed. Then, it is the end of life for this product. This TV was only four years into its life cycle. This entire mentality of End of Life needs to change. What is needed, is a minimum patch life cycle. That if the consumer purchases the product, they can expect updates until year 20XX.
Insecure Default Settings
There is nothing more wonderful than simplicity. In some cases, this comes at a great cost: The Lack of security.
While simplicity and automation are convenient, it requires services to be exposed, and protocols to interact, consequently increasing the attack surface. And yes, just to be absolutely clear, there are solutions and products out there that have been tested and have good security and works just like magic. But here, we focus on the majority of these solutions do not.
As an example, we have the Username and Password, which is in most cases set to the default Username admin and Password admin. Some devices also expose a web interface. In a worst-case scenario, it will talk Universal Plug and Play (uPnP) with your router, asking to expose these services to the Internet. This is where the situation goes wrong, default Usernames plus exposing it on the Internet, that is how the Mirai Botnet was operating. By logging in to a multitude of IoT devices, which had default passwords, it was able to break the Internet by telling all of these devices to try to ‘contact’ a certain site or service. That was around 500,000 devices. All with a common goal. Connect to a service or protocol at a specific location.
Back in 1999 and early 2000, a hot topic around the block was a term used when a Firewall broke down. It could have one of two states. Fail Close or Fail Open. Basically, if it stops working, OPEN up everything, so everything is working. And the opposite Fail Close, where it shut down but also blocked everything. By delivering an already somewhat closed product to the client, then during the installation process guiding them through what they want, forcing them to change credentials. As well as telling them the risk imposed by not doing so is a must. Few devices do this today, but we can see this slowly changing. What needs to be done, is to minimize mistakes and have it locked down for a non-technical user, but still have the functionality and abilities as advertised.
Hard-coded credentials
We have seen big players on both IoT and Networking using Hard-coded credentials in mass produced equipment’s in the past. The result; disastrous consequences for companies, not to mention the users and the manufacturer themselves. As a developer, it can be frustrating not to have access to the product you are working on. It is understandable that you add a temporary user account, or Hard-code something that can make your everyday life at work easier.
However, I cannot stress this enough. It is very important that this is removed prior to mass production. It is important that these credentials are for your development, not incorporated as a part of the device itself. Moreover, not used by services or specific functions and calls when the application is running. If you are doing this, you are committing Harakiri (Chinese form of suicide), not only to yourself, but by doing so, inflicting massive reputation and brand damage to the company you are working for. A clear quality assurance and process needs to be in place to minimize the risk of this happening.
Communication, Storage and Sensitive Data
We have had leaks in products ranging from kids toys to cars, door locks, and home alarm systems. Even the medical field is not safe from wrongful storage and sensitive data in the “big things” IoT sphere. In the wrong hands, all this information can be used as warfare. Sold and resold. Emails will be used online in order to try to guess the passwords, unless these passwords are stored in clear-text on the IoT Solution that was hacked. Communication protocols also need to be secure enough to stop someone from stealing authentication, or vital information during transmission.
And I know that ‘secure enough’ is not a norm of measurement, but secure enough in the sense so it provides no known vulnerabilities in the communications protocol. Secure enough that it stores data as secure as possible. Secure enough that it does not compromise the user experience, because it is vital not to scare the clients away or stop them from doing the work they need to do. It is all a well-choreographed dance, where both parties should work in unison with each other.
Where are we today?
Today, there is no standard or a branding like you would see in Europe, with the CE mark. That is what we in Security are striving for. A specific standard the consumer can look at and be certain that someone took extra good care of security. This might bump the cost up by 1-5 dollar per unit, but what is the cost of getting hacked? Until we get a proven standard, that is mandatory. We can only hope that some IoT brands take security more seriously and consider the following recommendations:
What can corporations do?
Do you know how the HVAC was installed? Have you had a third party install the smart door sensors? Surveillance cameras? Even if you have automated lighting, it was most likely installed by a third party. To add more questions to this barrage, was security a part of the contract, when you signed the agreement?
For most corporations the honest answer to these questions are “No”. And that is nothing to be ashamed of. The majority of corporations would assume that security is a part of the installation. Regrettably in a multitude of cases it is not. And most of the time, this will cost extra.
Why not send an email to cyber@bdo.dk and let us help you find out, if the IoT devices in your network pose a risk to you and your corporation? Our team of experts are always ready to guide you and your company.