The IoT is a step forward for convenience and efficiency, but is it a step back for security?
There’s an insidious invasion going on. Everyday devices are being supplanted by their ‘smart’ equivalents in a technical invasion of the body snatchers. Everything from lightbulbs to hairbrushes to kettles are now becoming part of the Internet of Things in a bid to make our lives easier. It’s a manufacturer’s dream, allowing them to reinvent the wheel.
The trouble is that this convenience comes at a cost and in the majority of cases that cost is security. In the rush to make delivery deadlines, keep down production costs and hit the shelves, IoT security is being sidelined.
Millions of devices are now sitting in homes and offices that could be used for snooping and data capture, to take control of the local network, or become part of a super botnet with the user none the wiser.
There are the CCTV cameras that can be taken over and used to send live video feeds of your premises to the attacker’s server. There’s the WiFi kettle that, in an unconfigured state, can be persuaded to surrender the pre-shared key (PSK) for the local WiFi network, potentially giving the attacker control of the network and access to account log-ins.
There’s the hairbrush that ‘listens’ to how you comb your hair. Hmmm, a recorder in a hairbrush, covert surveillance anyone? What next? A talking toaster?
One of the main problems is that these devices often expose local management interfaces (web consoles and command-line services), supposedly to allow for future functionality, which increase the potential for attack. It was precisely one of these little-used interfaces – Telnet – that saw thousands of IoT cameras recruited by a strain of malware called Mirai late last year.
This army of devices was used to power a botnet that carried out distributed denial of service attacks on an unprecedented scale.
The concern is that this is only the beginning of how IoT weaknesses will be exploited. Consumer groups are now suggesting the IoT constitutes an invasion of privacy, given that some devices can be hijacked to snoop on the user.
Approaches to data collection seem cavalier, with personal data sent in the clear. And there’s even the potential for ransomware over IoT devices. Threaten to cut off the heating or ramp it up and there’d be plenty of people out there who’d pay the fee to get back control of their smart thermostat.
Meanwhile, despite concerns, the rollout of insecure devices continues. There is currently no compulsion to adhere to any guidelines when it comes to IoT security and that means homes and businesses are now more vulnerable than they realise.
Even in those businesses where an IoT policy is on their ‘to do’ list, chances are they won’t factor in the lightbulbs or the humble kettle.
Such devices are ‘fit and forget’ and we’re unlikely to bother to update them. What’s needed is the automation of over-the-air updates but that again impacts the bottom line. Without regular patching, the device becomes ever more vulnerable over the lifetime of the product.
For now, IoT device insecurity is a problem we’re going to have to live with although there are some steps you can take to lessen the threat.
Firstly, don’t just plug and play. Take the time to configure your shiny new device. A device set up using the default PIN is far more vulnerable to compromise because default credentials are often leaked.
Change the PIN on the device and if it talks to an app, make sure you use a personal PIN on the phone/tablet as well. And it may sound obvious, but switch it off when not in use (if you’re a manufacturer reading this: please install a physical RF on/off button! This would solve the issue of devices left unconfigured overnight).
If you can, disable any local web interfaces you don’t need. When it comes to IoT cameras, if you want to make sure you’re not a Mirai victim, restart the device. Mirai runs only in memory, so a reboot clears it, but scanners will find an exposed Telnet service again within minutes: disable port 23 (Telnet) at this point.
Try and change the default password (good luck with that as many of these cameras don’t allow access). If you want to make sure the camera is completely secure, disable remote access or route it over a VPN.
Do update your products. It may be tiresome but such updates are usually triggered by security flaws – not added functionality. It’s likely the patch addresses a real and pressing vulnerability so ignore it at your peril.
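As an added illustration (not code from this article, from Pen Test Partners or from any device vendor), the following Python script checks a newly set-up device against the steps above: it rejects a PIN that is a factory default or a trivial digit sequence, and confirms from the local network whether Telnet (tcp/23) and the local web interfaces are still reachable after you have disabled them. The host address, the port list and the set of default PINs are assumptions constructed for the example; binding port 23 itself needs root, so the demo stands up a throwaway listener on an ephemeral port to play the part of an exposed service.

```python
"""
Post-setup hardening check for a freshly installed IoT device.
Added example, not vendor code. Everything below the imports is constructed
for illustration: the host, the service table and the default-PIN list.
"""
import socket

# Services the article recommends closing if not needed. Telnet (23) is the
# one Mirai used; the others are the usual local web/management interfaces.
SERVICES_TO_CHECK = {23: "telnet", 80: "http", 443: "https", 8080: "http-alt"}

# Illustrative set of factory-default / trivially guessable PINs (constructed;
# not any manufacturer's actual defaults).
COMMON_DEFAULT_PINS = {"0000", "1111", "1234", "12345", "123456", "8888"}


def pin_is_weak(pin: str) -> bool:
    """True if the PIN is a known default, all one digit, or a straight run
    such as 1234 / 4321."""
    if pin in COMMON_DEFAULT_PINS:
        return True
    if len(set(pin)) == 1:
        return True
    if pin.isdigit() and len(pin) >= 4:
        steps = [int(b) - int(a) for a, b in zip(pin, pin[1:])]
        if all(s == 1 for s in steps) or all(s == -1 for s in steps):
            return True
    return False


def port_is_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """TCP connect check: True if something is accepting connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_device(host: str, chosen_pin: str, services=SERVICES_TO_CHECK) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    if pin_is_weak(chosen_pin):
        findings.append("PIN is a factory default or trivially guessable; change it")
    for port, name in services.items():
        if port_is_open(host, port):
            findings.append(f"{name} (tcp/{port}) is still reachable; disable it if not needed")
    return findings


def start_fake_service(host: str = "127.0.0.1"):
    """Throwaway TCP listener on an ephemeral port, standing in for a camera
    whose Telnet service was left enabled (constructed for the demo; a
    listening socket completes the handshake without accept() being called).
    Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_fake_service()
    try:
        # Default PIN still set, "telnet" still listening: two findings expected.
        print("before hardening:", audit_device("127.0.0.1", "1234", {port: "telnet"}))
    finally:
        srv.close()  # simulates disabling the service
    # Personal PIN chosen, service closed: no findings expected.
    print("after hardening:", audit_device("127.0.0.1", "7391", {port: "telnet"}))
```

Run it against the device's real address with the default `SERVICES_TO_CHECK` table once you have disabled the interfaces; anything it still lists is a door you thought you had shut. The PIN check is deliberately simple and only catches the obvious defaults and runs, which is the class of value the article warns about.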
Finally, ask yourself: do I really need that coffee maker which I can activate from across the office, provided I have remembered to put my cup underneath?
Can I live without smart aircon? Is the remote access to my camera/doorbell/thermostat worth the compromise of my network and log-in details? Because at present the IoT is immature, insecure and in need of standardisation.
Ken Munro is an ethical hacker, partner in Pen Test Partners and sits on the executive steering board for the IoT Security Foundation.