Securing the IoT is a nightmare
Spoiler alert: you’re not going to wake up from this nightmare anytime soon.
Currently, we have over 26-billion internet of things (IoT) devices running in our workplaces, offices and homes. Of those, I’d guess — let me think about this for a minute — none of them are really secure.
Why IoT security is such a mess
I make this claim because while IoT security is given a lot of lip service, the reality is it’s an afterthought. As Alan Grau, president and cofounder of embedded security firm Icon Labs, observed, “these devices are optimized to minimize processing cycles and memory usage and do not have extra processing resources available to support traditional security mechanisms.”
Another, non-technical, reason is cost: to keep the short-term price of IoT devices down, many manufacturers haven’t bothered to build in security at all. As Josh Corman, industrial IoT company PTC’s chief security officer, recently explained, the economics of consumer IoT devices don’t allow for a profit once the OEM factors in the cost of security updates and patches.
Or, more bluntly, as Matt Toomey of IT research company Aberdeen, put it, “IoT device manufacturers have not prioritized security to date, mostly because they are motivated by profit; they want to bring as many of these devices to market as quickly and as cheaply as possible.” Implementing security checks is expensive and time-consuming, so they don’t do anything like enough with security and, “therefore, the vulnerabilities proliferate.”
Another reason, as security maven Bruce Schneier recently observed about an especially egregious set of IoT holes, is that “These aren’t subtle vulnerabilities. These are stupid design decisions made by engineers who had no idea how to create a secure system. And this, in a nutshell, is the problem with the internet of things.”
It’s not much better outside the consumer space. While we expect security support for years from conventional technology hardware, many IoT devices still come without any support or come with only a few years of support.
Another reason we can’t have good things, or IoT security, is, as Chris Lord, CTO and co-founder of security firm Armored Things, recently said, “When it comes to IoT devices, we have thousands of different operating systems and variants. That diversity creates all sorts of challenges — everyone has different configurations and different ways to patch and manage.”
Making matters even worse, since IoT products are embedded deep in our infrastructure, we don’t see them, we don’t think about them, and so we tend to forget about them. Thus, Lord said, “They sink into the environment, we no longer know they’re there. They get lost and neglected, but are still surfaces that can be attacked.”
OEMs far too often forget about these devices as well. For every Tesla, which automatically upgrades its electric cars’ software with over-the-air updates, there are a hundred other IoT companies that never patch their hardware.
But, wait! There’s more. Corman also observed that our IoT devices, in which networks, software and hardware are all interwoven, tend to be pieced together from many different sources. All it takes is one vulnerability in the stack and the entire IoT device may be open to attack.
That’s not just a theoretical fear. A recent Bluetooth vulnerability made it possible to track Windows 10, iOS or macOS users.
Beyond the security issue, OEMs have a nasty habit of turning consumer-grade IoT gadgets into abandonware. For example, as technology journalist Jason Perlow points out, Aether’s smart speaker, the Cone; Google’s Revolv smart hub; NetGear’s connected home wireless security cameras, VueZone; and the Jibo cloud-connected robot have all been rendered useless junk because their vendors no longer support them.
Older IoT devices, which aren’t integrated into the cloud, may still be functioning, but they may not be getting needed security patches even when those patches are available. For example, do your company routers automatically alert you when new firmware is ready? Many don’t.
The IoT disasters we know
The result has been one IoT security breach after another.
The one you all know is Stuxnet. This was a computer worm that attacked supervisory control and data acquisition (SCADA) systems. It successfully destroyed Iranian centrifuges used to produce enriched uranium for weapons. While Stuxnet itself, which used Windows 7 as a platform, is no longer viable, it was the first IoT malware to cause real-world damage. It won’t be the last.
The most damage from an industrial IoT (IIoT) attack came from the BlackEnergy trojan. In 2015, it was used to briefly take down part of Ukraine’s power plants. IIoT attacks on the electrical grid are one of IoT’s nightmare scenarios. So far, there haven’t been any other major attacks on electrical systems. There will be.
Such attacks might not even need to be taken on utility systems themselves. Recent research shows that hacking home and office IoT-enabled HVAC systems might be enough to launch effective large-scale coordinated attacks on your local power grid.
Next, along came Mirai. This malware is still alive, well, and screwing over people who are foolish enough to run ARC processor-powered IoT devices with the default username and password. Typically, Mirai-infected devices, such as baby cameras and home routers from such mainstream companies as Hikvision, Samsung and Panasonic, were then used in distributed denial of service (DDoS) attacks. So far, Mirai-powered assaults have taken down European hosting company OVH; DNS provider Dyn; and German telecom Deutsche Telekom. There were many others. There will be more.
These, at least, target devices we think of as being computers. But refrigerators, doorbells, vacuum cleaners, and all our new “smart” gadgets are fair game. Security firm Check Point recently found a security flaw in the LG Hom-Bot vacuum cleaner, which allowed a hacker to take control of it and use its built-in camera to snoop around your home.
Even after Mirai underlined just how stupid default usernames and passwords were, many vendors still use them. Researchers at Israel’s Ben-Gurion University of the Negev reported in 2018 that the easiest way to crack home IoT devices was just to use the publicly available default passwords. I doubt there have been any improvements.
So, while some attacks like Stuxnet were highly sophisticated, others like Mirai were simple.
Simple is good if you’re a hacker.
Simple works. Security company Darktrace’s CEO Nicole Eagan recently observed, “There’s a lot of IoT devices, everything from thermostats, refrigeration systems, HVAC systems, to people who bring in their Alexa devices into the offices. There’s just a lot of IoT. It expands the attack surface and most of this isn’t covered by traditional defenses.”
Adding insult to injury, there’s even a search engine, Shodan, to track down online devices and equipment. While not a hacking tool in and of itself, hackers and script-kiddie cybercriminals alike use Shodan to find the low-hanging fruit of poorly secured IoT devices.
Saving yourself from IoT disaster
You can’t stop some IoT attacks. If the power goes out in your California office because someone forces a large number of “smart” air-conditioning systems to run on high some summer day, there’s not a lot you can do.
But, there are some things you can do to protect yourself. For one thing, you can simply not let IoT devices in your office. Or, at least you can minimize them. Do you really need a smart refrigerator in your break room? I don’t think so.
No device is too trivial to be potentially dangerous. Eagan has described how an aquarium thermostat with internet connectivity was used to pry into a casino’s database of high-rollers. As you should know from firewall 101, any open internet access can be used to attack your office. As Corman has said, “If you can’t afford to protect it, then you can’t afford to connect it.”
Essentially, any IoT devices in your business must be as secure as possible. At a minimum this means following these five practices:
- The IoT vendor must provide security patches on a regular basis for years. These patches must be cryptographically signed so that the code can be verified and authenticated.
- All communications from and to the device must be secured using encrypted protocols, such as SSL. Access by other methods (e.g. telnet) must be blocked.
- Default usernames and passwords can only be used during setup. They must be changed before the device can be used in regular work.
- All subsequent device control must be authenticated by a strong password, X.509 certificates, or Kerberos.
- All but the simplest systems should include an embedded firewall. At a minimum it should limit communications to trusted hosts. It should also block simple DDoS and known protocol attacks.
It will be hard finding devices with these features. Some of it, such as the firewall, you can add within your own network. But, while you’re at it, look for IoT devices that support the following:
- Intrusion detection and logging. Most devices don’t even try to log, never mind stop, an endless stream of login attempts. This is not acceptable.
- Application programming interface (API) compatibility with security management systems. IoT needs to be brought under the corporate security umbrella.
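The two lists above ask for logging of login attempts and for blocking default credentials. As an added illustration (my own code, not from the article or any vendor), here is a small Python detector that runs over a constructed, hypothetical IoT device auth log, flags sources hammering the login with failed attempts inside a sliding window, and reports any successful login on a factory-default username. The log format, the default-username list and the sample lines are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style auth lines from a hypothetical IoT device (not real
# output): a credential-guessing burst, then a login on a factory-default account.
SAMPLE_LOG = """\
2020-01-15T03:12:01 auth: login failed user=admin from=203.0.113.7
2020-01-15T03:12:02 auth: login failed user=root from=203.0.113.7
2020-01-15T03:12:03 auth: login failed user=support from=203.0.113.7
2020-01-15T03:12:04 auth: login failed user=user from=203.0.113.7
2020-01-15T03:12:05 auth: login failed user=admin from=203.0.113.7
2020-01-15T03:12:06 auth: login ok user=admin from=203.0.113.7
2020-01-15T03:15:00 auth: login failed user=alice from=192.0.2.10
2020-01-15T03:20:00 auth: login ok user=alice from=192.0.2.10
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) auth: login (?P<result>ok|failed) "
                     r"user=(?P<user>\S+) from=(?P<ip>\S+)$")
# Usernames that commonly ship as factory defaults (constructed list).
DEFAULT_USERS = {"admin", "root", "user", "support"}

def parse_log(text):
    """Parse auth lines into (timestamp, result, user, ip); unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Map source IP -> peak failure count for sources with >= threshold failed
    logins inside any sliding window of the given length."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    flagged = {}
    for ts, result, _user, ip in events:
        if result != "failed":
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

def default_account_logins(events):
    """List (timestamp, user, ip) for successful logins on factory-default usernames."""
    return [(ts.isoformat(), user, ip) for ts, result, user, ip in events
            if result == "ok" and user in DEFAULT_USERS]
```

Run `parse_log(SAMPLE_LOG)` and feed the result to the two detectors; the same functions work on a real device's log once the regex is adjusted to its line format.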
The National Institute of Standards and Technology (NIST) Core Cybersecurity Feature Baseline for Securable IoT Devices, which was released in August 2019, may help with this. Still, these are recommendations, not regulations. I’d ask your vendors, for starters, to meet these guidelines.
Thanks to California’s IoT Device Security Act (SB-327), which started being implemented on January 1, 2020, some of these features will become easier to find. This law requires IoT device manufacturers to equip their gear with a “reasonable security feature or features.” A similar federal IoT security bill is sitting in the Senate.
I wouldn’t count on any legislation protecting you in the next five years. It’s up to our vendors and the pressure we can put on them to properly secure their devices.
In the meantime, one thing you can do is forbid users to bring their own IoT devices into the office. So, just say no to shadow IoT. If that’s hard to do — say for a user with a smartwatch — insist that it connect to the internet via a guest network rather than the corporate LAN.
Even your best efforts won’t be enough. If 2020 IT were a ship, it would be named the Titanic, and the iceberg dead ahead is IoT insecurity.
There will be major IoT security breaches this year. The security holes are too big, there are too many insecure devices. We can only try our best to protect ourselves and our companies. There will be disasters, but with hard work and some luck, you and yours will avoid the worst of the IT fiascos to come.