Do We Need A Federal IoT Security Framework To Force Common Sense Security?
The Internet of Things (IoT) is the latest brochure buzzword that everyone is jumping on board with. IoT this and IoT that; if it runs on a battery, let’s slap a Wi-Fi antenna on it and get it on the Internet. From kids’ toys and home security to vodka bottles, IoT is everywhere. As humans do, we rush it, competing to get a product out there as fast as possible, and the trade-off is sloppy design on the little details. In the current world of Agile, DevOps, IoT, etc., security is slipping farther back in the priorities because it ‘slows things down’, is ‘harder to support’, and other whines and excuses companies and teams give to explain why they don’t focus on it.
Every day I go through hundreds of news stories, mostly skimming the headlines looking for things to read later, and I have noticed an increasing pattern around one topic: IoT devices discovered to have poor security design that puts their owners at risk. Risk of their home networks being compromised, their privacy violated and their personal information stolen. Most research is showing that these devices are not designed with security practices in mind. The problems are simple things that get fixed with updates, but simple things that should have been implemented in the first place.
It’s really common sense to use some basic security principles, but when it comes to the Internet of Things they are looked at differently than for other products. Unfortunately we are at a point in the industry, and as a society as a whole, where unless there is a forced instruction (or law) telling us to do the right thing, people will take the easiest route, not the right route. As a security consultant, it is beyond frustrating to see this day in and day out. There is a moral responsibility not to offer a product that knowingly has flaws that could put a consumer at risk.
Here are the most recent examples –
- Researchers find flaws in the Motorola Focus 73 IP Camera.
- Fisher-Price Internet Enabled Teddy Bear discovered to have a vulnerability.
- The list goes on…
Both of these stories, and almost all the other devices, cars and appliances found to have security flaws, share a common cause: bad, sloppy design. Mostly it comes down to the developers not implementing secure communication between the components, which exposes the devices to attackers and gives them internal access. Installing certificates, signing the firmware and using secure communications solve these problems, and that’s what the fixes are when these flaws are found. Those updates are only effective for owners who know about the flaw and have the technical aptitude to update the firmware on the kids’ toys or cameras they bought and plugged in.
Here are some of the ways the makers of IoT are side stepping security in exchange for ‘easier’ code to deploy, resell and support.
- Bad or no authentication – Even as these devices gain access controls, add biometrics and store personal information, the authentication mechanisms for users are lacking or non-existent, and internal components use very basic passwords, like ‘1234’, that are trivially guessed or brute-forced. When you mass-produce a device, once those built-in passwords are discovered, every single device is now compromised. Most IoT devices are not even capable of supporting multi-factor authentication.
- End-to-end encryption – In the IP camera case, when you hook the camera up to your Wi-Fi you may have a security code on your network, but the camera transmits and stores that code in clear text, unencrypted, for an attacker to snag and read. Just because your network and computers use encryption does not mean you are protected from any device you connect to it. End-to-end encryption protects the entire chain. Some devices will blindly connect to any network with the same name as yours without verifying it. Think about that when you hook up your Wi-Fi enabled thermostat in your house.
- Lack of regular updates – IoT devices are mini-computers. Like your PC, tablets, phones and video game systems, you are familiar with the regular updates that occur. These close security gaps that have been found, fix bugs and improve the performance of those devices. IoT devices are not in that category, leaving the device open to newly discovered flaws that manufacturers do not address as they would for a PC or phone.
- Insecure web interfaces – Many IoT devices have web interfaces for management and interaction. Those web interfaces can be filled with cross-site scripting flaws, SQL injection holes and other security gaps that an attacker can easily exploit to gain access to the device and the network it sits on.
- Buggy, sloppy software – IoT is about features and speed to market. This is the core problem with IoT and the lack of security focus. Who cares if there are holes? The cool feature works perfectly. Add the prior flaw of lacking updates and the problem compounds.
- Bad hardware – The software has to work with the physical components, and like the software, the hardware is as inexpensive as it can be and filled with just as many holes and flaws. Most of the vulnerabilities in IoT are not new concepts; they have been around for years and are known to attackers as first-line attack vectors. It’s only a matter of time before attackers figure out how to use internet-connected refrigerators and washing machines as man-in-the-middle network siphons. Compromise the device before it leaves the factory and it is infected everywhere it’s sold.
Unfortunately it’s going to take an extreme, eye-opening event to bring change. Until then it’s going to be consumer-driven demand, which doesn’t exist, that slows IoT down enough to get security into their mindset. I predict the event will have to be a very popular device shipping out with malware pre-installed and undetected. There have been routers that have had this problem before, but wait until it’s the smart TV or fridge that brings down a bank.
End of line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.