The IoT – The I stands for Insecure

They’re cheap, useful, and multiplying almost faster than can be counted. Internet of Things devices come in all shapes and sizes, but most of them share one characteristic. They’re being used insecurely.

The Internet of Things

The numbers are crazy. The Internet of Things (IoT) explosion just keeps growing. Actually, it’s more like an expanding galaxy than a single flash-in-the-pan explosion. In its Annual Internet Report, Cisco predicts that by the end of 2023 nearly two-thirds of the world’s population will have internet access. That’s 5.3 billion internet users.

Even if it were only one-for-one, that would be a lot of connections. But most of us have more than one internet-connected device. Many of us have at least two: a smartphone and a computer. Owning both a laptop and a desktop isn't unusual, and tablets are commonplace. Obviously, the number of devices far outstrips the number of users.

Ericsson predicts that by 2025 there will be an astonishing 25 billion connected devices in the world. That averages out to less than five devices per user, but the estimates for 2021 say that the average internet user in the United States will have 11 internet-connected devices. Their counterpart in Western Europe will have nine, with fewer devices per user in other regions, bottoming out with one device per user in Africa. On average.

The majority of the new devices pushing these growth figures are IoT devices, of which there is a dizzying selection available. More types of connected or smart devices are being invented and marketed month by month. You can put the word smart in front of any of these: speakers, refrigerators, watches, fire alarms, door locks, bicycles, thermostats, baby monitors, medical sensors, fitness trackers, closed-circuit video cameras, doorbells—the list goes on and on.

And one interesting characteristic of IoT devices is that people will own duplicate items. It's not that common for a person to have two laptops, and if they do they're unlikely to be the same make and model. They might own a new one and hold onto the older model as an emergency stop-gap.

But with IoT devices it isn’t at all unusual to have smart speakers in several rooms of your home, or security cameras dotted around the house. Sets of devices tend to be the same make and model too. This is because they are likely to be purchased at the same time, or a first device is purchased and then more of the same are bought because the first one is such a success. That means all devices share the same set of firmware—and vulnerabilities.

The smart part of their name means they are internet-connected. It doesn’t mean they’re secure.

The Scale of the Problem

In 2017, Johannes B. Ullrich, Ph.D., the Dean of Research at the SANS Technology Institute, conducted an experiment. He connected a cheap smart video surveillance camera to the internet, sat back, and monitored the connections to it.

Within two minutes an unknown, unauthorized someone had remotely connected to the device using the default ID and password. In total, in less than two days there were 10,143 connections to the device from 1,254 different IP addresses, which works out to several connections every minute, around the clock. Nobody was targeting that camera in particular: automated scanners sweep the whole address space looking for anything that answers with factory credentials. That experiment was conducted in 2017, and the situation will only have gotten worse.

Typically, compromised IoT devices are infected with botnet malware. The more devices the botnet can infect, the larger the distributed computing platform it has created will be. This can be used to conduct Distributed Denial of Service (DDoS) attacks, with the Mirai DDoS botnet as the famous example, or to mine cryptocurrencies, as with the BASHLITE variant designed to mine on WeMo devices.

There have been plenty of news stories about threat actors compromising baby monitors or security cameras and watching sleeping children, talking to toddlers, or telling victims that North Korea had launched ICBMs at the mainland United States.

Apart from making you an unwitting accomplice in DDoS attacks, or scavenging your device’s CPU cycles to mine cryptocurrency, or spying on your household, threat actors can use an IoT device as an easy point of ingress to your network.

Unlike computers, these devices are typically always on, meaning they are always available for attack. And because an IoT device is already joined to your Wi-Fi network, a threat actor who compromises it never needs to know your access point's passphrase: the device is their authenticated foothold on the LAN. From there they can scan for and pivot to other devices within your network, including ones that were never exposed to the internet directly.

And this isn't just an issue for domestic households. A 2018 Trustwave survey showed that 64 percent of organizations had deployed some level of IoT technology, and that another 20 percent planned to do so within the next 12 months (i.e. in 2019).

Why Are IoT Devices Insecure?

Not all IoT devices are created equal. Some have security baked in: they are designed and manufactured according to the principles of security by design and by default. That's great. But all non-trivial software has flaws, and these devices need to be patched and regularly updated just like every other network-attached device.

Sometimes the manufacturer of these devices is able to patch remotely and silently. Sometimes it requires human intervention. And a flaw in a widely reused component affects every product built on it: IBM's X-Force Red security team found a vulnerability in a third-party component used in IoT devices across the automotive, energy, medical, and telecom industries, a component that ships in around three billion devices a year. IBM informed the manufacturer, Thales, who promptly released a patch. Whether that patch actually reaches each of those devices is then down to every individual product vendor and owner.

And yet the bulk of the problem doesn’t lie in devices shipped by conscientious manufacturers. Whenever you get a lucrative, surging wave of new retail opportunities, such as that being experienced by IoT devices, everyone wants to jump on the bandwagon. Many IoT devices from small manufacturers have been rushed through product design with all focus being on speed to market and as little research and development cost as possible. Security—if it is even considered at all—is nothing more than an afterthought.

These low-end devices tend to reuse old software libraries and firmware builds even when these components have well-publicized vulnerabilities. There is frustration amongst security researchers at the lack of engagement from some manufacturers. Bugs and vulnerabilities are reported but security patches never get released for them.

Also, the cheaper devices are shipped with default user ID and password credentials, and the same defaults are shared across an entire product line, so they are effectively public knowledge. Often these defaults are never changed by the purchasers. Malware routinely logs in with the default ID and password and then changes the password to lock the owner out of their own device. There have even been IoT devices released that don't let you change the default password at all!

The situation has grown so bad that the government of the United Kingdom is developing a Code of Practice for Consumer IoT Security, aimed at regulating the cyber security of consumer smart devices, similar in spirit to the State of California's Information Privacy: Connected Devices law.

Amongst the measures they hope to impose are:

  • No default passwords: All consumer internet-connected device passwords must be unique and not resettable to any universal factory setting. And a reboot must not restart the device in a defaulted or reset state. If it did, power outages would mean devices restarted insecurely.
  • Reporting Vulnerabilities: Manufacturers of consumer IoT devices must provide a public point of contact so anyone can report a vulnerability and it will be acted on in a timely manner.
  • Time Until End-Of-Life: Manufacturers of consumer IoT devices must explicitly state the minimum length of time that the device will receive security updates at the point of sale, either in-store or online.

Steps You Can Take

Here are some steps you can take to tighten the security on IoT devices.

  • Before you buy the devices, research them. Can they use strong Wi-Fi encryption? Does the manufacturer commit to supporting them with security patches and updates, and for how long? How do they restart after a power outage: with the credentials you configured, or back in a factory-default state?
  • Set up a separate Wi-Fi network for them. Just like you have a guest Wi-Fi network so you can give internet access to visitors without having them connected to the corporate network, have a Wi-Fi network just for IoT devices. If they get compromised the threat actors don’t get onto your main network. Use this in conjunction with network segmentation, and limit the access and permissions of apps that connect to the devices as much as possible.
  • Replace the default password. Use unique and robust passwords, and make them different for each device. Don’t use a sequence of passwords like camera-1, camera-2.
  • Use two-factor authentication if possible.
  • Disable features you don’t need. If you don’t need all the functionality and it can be selectively restricted or turned off, turn it off.
  • Only use the manufacturer’s app to talk to the device. Don’t use generic third-party ones.
  • Do roll-calls. Regularly check the devices are operating as expected and that you can still connect to them and control them.
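
The credential, segmentation, support-lifetime and roll-call checks in the list above can be turned into a routine audit. The following script is an added example written for this article, not code from any vendor or from the original page: it takes a small device inventory and reports every device that still has factory-default or empty credentials, shares a password with another device or follows a guessable camera-1, camera-2 sequence, sits outside the dedicated IoT subnet, has missed its roll-call, or is past the vendor's stated end of security updates. The inventory, the IoT subnet (192.168.20.0/24) and the list of default credentials are all constructed for the demonstration; a real audit would load them from wherever you keep that information.

```python
"""Offline audit of an IoT device inventory against basic hygiene rules.

Added example, not from the original article. The inventory, the IoT subnet
and the list of factory-default credentials are constructed for the demo.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

# Constructed: a few of the factory-default pairs that IoT scanners try first.
# Real dictionaries, such as the one built into Mirai, run to dozens of entries.
KNOWN_DEFAULTS = {
    ("admin", "admin"), ("admin", "1234"), ("admin", "password"),
    ("root", "root"), ("root", "12345"), ("user", "user"),
}
# Constructed: the dedicated Wi-Fi network / VLAN that IoT devices should live in.
IOT_NET = ip_network("192.168.20.0/24")
# Splits "camera-1" into stem "camera-" and suffix "1"; all-digit strings don't match.
_NUMBERED = re.compile(r"^(.*?\D)(\d+)$")


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    user: str
    password: str
    last_seen: date        # when the roll-call last got an answer from the device
    support_until: date    # vendor's stated end date for security updates


def _numbered_stem(pw: str) -> str | None:
    m = _NUMBERED.match(pw)
    return m.group(1) if m else None


def audit(devices: list[Device], today: date,
          stale_after: timedelta = timedelta(days=7)) -> dict[str, list[str]]:
    """Return {device name: [problems]} for every device with at least one finding."""
    findings: dict[str, list[str]] = defaultdict(list)

    # Cross-device views: the same password reused, or a camera-1/camera-2 sequence.
    by_password: dict[str, list[str]] = defaultdict(list)
    by_stem: dict[str, list[str]] = defaultdict(list)
    for d in devices:
        by_password[d.password].append(d.name)
        stem = _numbered_stem(d.password)
        if stem is not None:
            by_stem[stem].append(d.name)

    for d in devices:
        if not d.password or (d.user, d.password) in KNOWN_DEFAULTS:
            findings[d.name].append("factory-default or empty credentials")
        others = [n for n in by_password[d.password] if n != d.name]
        if others:
            findings[d.name].append("password shared with " + ", ".join(others))
        stem = _numbered_stem(d.password)
        if stem is not None and len(by_stem[stem]) > 1:
            findings[d.name].append(f"password follows the predictable sequence '{stem}N'")
        if ip_address(d.ip) not in IOT_NET:
            findings[d.name].append(f"not on the IoT segment {IOT_NET}")
        if today - d.last_seen > stale_after:
            findings[d.name].append(f"failed roll-call: last seen {d.last_seen.isoformat()}")
        if d.support_until < today:
            findings[d.name].append(f"out of vendor support since {d.support_until.isoformat()}")

    return dict(findings)


# Constructed inventory: roughly what a small home or office might look like.
TODAY = date(2021, 6, 1)
INVENTORY = [
    Device("front-camera", "192.168.20.11", "admin", "camera-1", date(2021, 5, 31), date(2023, 1, 1)),
    Device("back-camera", "192.168.20.12", "admin", "camera-2", date(2021, 5, 31), date(2023, 1, 1)),
    Device("doorbell", "192.168.1.40", "admin", "admin", date(2021, 5, 31), date(2020, 1, 1)),
    Device("thermostat", "192.168.20.20", "owner", "R7!vq2#Lm9zP", date(2021, 5, 1), date(2024, 6, 1)),
    Device("speaker", "192.168.20.30", "owner", "k3%Tz8@wNp4Q", date(2021, 6, 1), date(2024, 6, 1)),
]

if __name__ == "__main__":
    for name, problems in audit(INVENTORY, TODAY).items():
        print(name)
        for p in problems:
            print("  -", p)
```

Run against the constructed inventory, the two cameras are flagged only for their camera-1/camera-2 sequence, the doorbell collects three findings (default credentials, wrong network segment, out of support), the thermostat fails the roll-call because it has not answered in a month, and the speaker passes clean. The roll-call rule uses a recorded last-seen date rather than probing the network, so the script runs anywhere; feeding it timestamps from your router's DHCP lease table or a periodic ping sweep is the natural way to keep that column current.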

IoT devices are popular because they are cheap, and provide functionality that we want or need. What’s not to like? There’s no reason not to use them—just as long as they are manufactured, installed, and used securely.