The security of the Internet of Things is sure to be one of the hottest topics in cyberspace this year, and with good reason: the potential for disaster is great, with millions becoming dependent on connected devices that are riddled with vulnerabilities.
A parallel could be drawn between this and personal computing back in the 1990s, when security became a critical issue. Back then, most software was full of vulnerabilities too, and the best thing companies could do was to try and keep them secret. Updates were rare, and even when they were pushed out, few actually installed them. This problem was eventually solved by the advent of automatic updates that made the process of installing patches much easier, but there’s no such simple solution for the Internet of Things.
The situation with IoT is far worse, because this time around it’s far more complex. It’s not just PCs, tablets and smartphones, but just about any kind of device you could conceive of that’s being hooked up to the internet, and the companies manufacturing these lack both the capability and the incentive to safeguard them.
Few people know about the inherent weaknesses of connected devices better than Marc Rogers, head of security for DEF CON and Principal Security researcher at Lookout, who told SiliconANGLE that the Internet of Things is wide open for abuse.
“Right now small, embedded things typically have relatively poor security. Look at the four big attacks that have hit the IoT over the year,” said Rogers. “First there was the Carna Botnet. At its peak, 420,000 ‘things,’ such as routers, modems, printers were compromised. Then TRENDnet’sconnected cameras were hacked, with feeds from those cameras published online, forcing the FTC to make its first ever IoT judgement. Last month we we saw the Linux.Darlloz – PoC IoT worm found in the wild by Symantec, while most recently Proofpoint discovered a Botnet of 100,000 compromised systems including connected things such as TVs, routers and even a fridge.”
Does anyone care?
“They all used the same vulnerability,” says Rogers of last year’s four big attacks. “In all of these cases the attackers were able to compromise these things because the manufacturers left default accounts with published passwords on these ‘connected things’ to help users with their first time configuration.”
Rogers told SiliconANGLE that few consumers are aware that this is a problem, so hardly anyone realizes that these default accounts need to be locked. “As a result most consumers just connect their new thing and switch it on, leaving it exposed to anyone who knows which default account to use and what the published password is,” he said. “Part of the problem here is that there are no security standards for the IoT, so oftentimes, manufacturers who may come from an industry that has never had to worry about internet threats are completely unaware that they need to take these precautionary steps.”
It should also be noted that the software used in most embedded systems is old, even in the most modern devices. A recent survey of home routers found that the majority of them are built using software components that are four to five years older than the actual device. This software may or may not have been patched recently, but neither the chip maker or the device manufacturer has any real incentive to do so – they’re more concerned with designing newer chips and devices than with safeguarding the old ones. This is a serious problem, as research shows it’s far easier to spot new vulnerabilities in older, unpatched software, than in more recent software.
Even if companies do get around to patching vulnerabilities in their software, this mostly a waste of time. Few people actually apply these patches as everything must be done manually, and they rarely receive alerts. This means that the vast majority of IoT devices – anything that isn’t a PC, tablet or smartphone – are left unpatched and increasingly vulnerable from the moment they’re shipped out of the factory.
Security will become more of an issue as the Internet of Things becomes more mainstream. The number of embedded systems in our homes and on our bodies is rapidly growing, but the vast majority of these systems are unpatchable, or at best, poorly maintained.
“What I discovered at CES is that things are really starting to pick up speed,” said Rogers. “Companies are focusing on creating as many diverse new connected things as possible. While they are thinking about traditional security problems – for example car manufactures have built a ton of new safety features into their connected cars – there doesn’t appear to be much thought on how to protect the connected things from Internet threats.”
While potential security nightmares with PCs have been staved off, it’s going to be much harder to protect IoT devices because time is running out. Almost everything is, or soon will be, online, but few of these devices are secured. Malware, viruses and other threats are able to spread far faster than ever before. Even if manufacturers do begin to take security much more seriously – which is unlikely – will they be able to secure the Internet of Things before disaster strikes?