IoT devices pose a significant cybersecurity risk than most realize. Unsecured IoT devices provide an easy gateway for criminals looking to get inside a network. Danny Palmer discusses why businesses and consumers should think twice before connecting.
Security risks are increasing as more and more people connect using IoT devices. I talked with Danny Palmer about the threat facing consumers and businesses, the following is an edited transcript of our interview.
Danny: IoT devices are the new kid on the block when it comes to internet active products, and that goes back to 20 years to when people were first really connecting their computers, their desktops, their laptops to the internet. In many ways, it feels as though we’re at the same stage of IoT devices. A lot of people in their homes, a lot of organizations in their offices and other buildings are rushing in and applying these IoT devices to their network. These can include things like monitors, sensors, some of them are everyday products like your kettle.
These are providing benefits to employees and a lot of times they’re saving costs, they’re saving energy, and organizations really want to make efficiencies and make savings like that. But like every product on the internet, if it’s not secured properly it can mean a way in for attackers, and unfortunately, many IoT devices are built with almost no security at all. If the device is discoverable on the internet, and it’s connected to the rest of the network, it’s an easy to use gateway (node) for attackers.
Karen: Can you expand on any specific examples of this?
Danny: Yes, there’s an infamous example, which is spoken a lot about in the cybersecurity community about how an internet connected fish tank, served as an entry point for a cyber attack, which is basically … The attackers found the fish tank on the internet using a search engine called Showdown. It was basically a directory of every internet connected device out there. This cyber-connected fish tank was not properly secured, so the attackers could get into that.
What they did then is they used it as an entry point to the network, which because it was connected on the same network as computers and everything else you’d expect, they were able to move laterally into other parts of the network and find their way into the systems. Basically, because the fish tank was on the same network as the rest of their computers, it provided a gateway for the attackers to get in and do things. If this fish tank had been internet connected and on a separate network to everything else, it would have been fine but because it was a flat network with everything on the same internet connection, it provided an easy way in for the attackers.
That’s just one of many infamous examples of how the internet of things and cybersecurity issues are becoming more and more common. It’s things that might sound kind of far-fetched, but they’re becoming very real issues.
How the IoT is failing to learn the security lessons of the past (IoT devices pose a significant cybersecurity risk than most realize)
The massive cyberattacks which took down some of the most popular websites on the internet show that device manufacturers are not learning from the mistakes of the past.
A report examining the potential cybersecurity holes within an emerging connected technology notes that it’s “slowly becoming more popular but the security built into the specification is a cause for concern”.
Furthermore, the document details how the technology contains security risks including “loss of confidentiality”, which can stem from, among other things, “default configuration” and “person-in-the-middle” and “DoS [Denial of Service] attacks”.
It might sound like the recent warnings about the cybersecurity concerns facing the Internet of Things, but the text is in fact from a paper entitled ‘Bluetooth and Its Inherent Security Issues‘, which was published 14 years ago.
As Bluetooth developed, so its security improved — but the recent security problems with the Internet of Things suggests that the same issues have to be dealt with all over again. When it comes to tech security, we seem doomed to witness history repeating itself — over and over again.
“It’s almost like we’ve learned nothing from Bluetooth.” says Justin Dolly, CISO at cybersecurity firm Malwarebytes.
Unfortunately, this pattern has transferred to the Internet of Things devices. While the product builders might have a cavalier attitude towards ensuring their shiny new devices are protected from hacking and cyber attacks, cybersecurity professionals are looking on in disbelief.
“Seeing what these IoT vendors are doing, it just blows me away because they haven’t learned from history,” says Steve Manzuik, director of security research at Duo Security’s Duo Labs. “They’ve completely ignored everything that’s ever had bad vulnerabilities”.
Just look towards the massive cyber attack against Dyn, the domain name system provider for hundreds of major websites, which left many unable to access services including Twitter, Reddit, Spotify, and the PlayStation Network last week. The large scale DDoS attack was designed to overload systems and prevent people from accessing their chosen services — and it’s thought that the Mirai Internet of Things botnet was behind the whole thing.
Internet of Things devices such as web servers, routers, modems, network attached storage (NAS) devices, CCTV systems, and industrial control systems can all be recruited into botnets for the purpose of carrying out DDoS attacks.
Add to that services like Shodan, which allow anyone to search for IoT devices around the world. Many of those devices will still be using default login credentials — if they have passwords in the first place. Taking all these factors together, it’s obvious there’s a massive problem with malicious actors being able to easily recruit large swathes of devices into botnets, which they can turn against the targets of their choice.
But security doesn’t even seem to be a consideration for many connected device manufacturers, to such an extent that old vulnerabilities are reappearing. “We’re in the realm of the security issues we were dealing with for Windows 98 and Windows XP, like plain text credentials,” says James Lyne, global head of security research at Sophos.
Because security is so poor in IoT devices, finding vulnerabilities is like “shooting fish in a barrel”, says Duo Security’s Manzuik. “They’re easy to find and they’re easy to exploit. It’s like we’re just repeating the late ’90s and early ’00s all over again with those devices.”
It’s not that those building devices are just poorly implementing security, they’re just not even considering it as part of the design of whatever IoT products they’re building. “Most of these companies aren’t trying. It’s not that we’re talking about high-end exploits that are a by-product of writing code. It’s that they aren’t building security any way into that process,” says Sophos’s Lyne.
Why are lessons from the past being ignored? It’s simple. Companies just want to get their devices out to the public as quickly as possible, and at the cheapest cost to manufacture. Building in security takes time, effort, and — perhaps most importantly for some — money, so security is ignored in order to get a product out to market for a low price and before the market gets saturated with similar products.
“IoT products will have vulnerabilities because vendors want to get these devices out the door and for people to use them, and sometimes it flies in the face of security,” says Malwarebytes’s Dolly.
The second problem is that the Internet of Things devices represents a relatively new space. It’s only gone mainstream in the last two years or so, and thus the sector is filling up with organizations producing anything from connected kitchen appliances to interactive pet feeders to home assistants. In the rush to do so, carelessness, inexperience, or negligence can mean these young companies neglect security.
“A lot of these IoT companies are startups, so I don’t think they even realize until it’s too late when they get the security report from the researcher or someone posting about their vulnerabilities on Twitter, that it’s something they need to do,” says Manzuik.
It would only take a little bit of effort to boost the inherent cybersecurity of IoT devices.
“It doesn’t take a lot of work to prevent command injection attacks. It doesn’t take a lot of work to encrypt your secrets, and there are very standardized libraries that let you do that well,” says Lyne, who laments how he’d love to be in the position of dealing with “fascinating high-end zero-day exploits” but is instead “dealing with the password being ‘admin'”.
If stringent security regulations were applied to all Internet of Things devices, companies producing them would likely be quick to alter how they build their products.
“We’re going to get many more examples of vendors being held up as negligent because so many security flaws are in the camp of ‘didn’t even try’, not ‘high-end interesting bug'”, says Lyne.
“Something bad is going to happen and that’s going to make government step in with regulations,” says Manzuik.
Related Videos:
Related Links:
Russian hackers are eight times faster than North Korean groups
How to secure your Nest account and cameras and keep hackers at bay
How do I start a WordPress blog? (hosting WordPress)
Free online cybersecurity training resources
ATM hacking has gotten so easy, the malware’s a game
