Thursday, November 2, 2017

Why you should be afraid of the Internet of Things

I first became excited about what eventually became the Internet of Things (aka IoT) back in the early 90s, after I wrote my first web server. I realized it was no more complex than a telnet server, so could easily replace the telnet servers in the few networked devices we had then. So we'd have point and click web configuration for those devices that was friendly and easy to use and that idea was just cool. These days, I'm mostly afraid of it.


I'm not claiming any kind of special foresight here - I certainly didn't foresee all the automated sensors and programmable web services and other such things that are now part of the IoT. I wasn't any better at seeing the future security needs than anyone else, either. And that was pretty poor. Most of the standards from that era had security sections that consisted of one sentence along the lines of "The security implications of this standard are not discussed."

IoT security

Fast forward a quarter century, and network security is a hot topic, with break-ins and leaks and the like happening on a monthly, if not weekly, basis. Some even involve IoT devices (though some IoT proponents try and disown them). But when I ask IoT companies about security, I get one of three responses.

They ignore me

This most likely means they haven't thought about security at all, and aren't willing to admit that or lie about it in public.

Slightly less likely is that they have thought about it, and would rather remain silent than release any information or say they can't release that information. More on that in the next section.

Security through obscurity

I often get an answer along the lines of "We can't release any details about our security features." This could mean they haven't thought about security, and are willing to lie about it.

More likely, it means they've implemented security that's so poor they're afraid that releasing any information about it will compromise it. This is known as "security through obscurity", and was already thoroughly discredited back in the 90s when I wrote that web server.

There are well-known - at least among people who know even a little about security - protocols and standards for security that have withstood concerted attacks by experts over extended periods. Letting the world know you're using those protocols isn't likely to make them more vulnerable to attack, or to make your product less secure. Companies selling security products typically tell you these things. In fact, they are selling points.

Companies that hide these things usually have good reason for doing so. Searching the web for "hacking" and their device name is likely to turn up instructions for breaking into that device.

Security through failure

The last standard response is that they don't expect to sell enough devices to attract attackers, and even if they do, they can add security later. Basically, they plan on failing as a business. If you ignore the obvious issue of who's going to provide security updates after they fail, there are two fallacies in the argument.

Everything you use is a target

The first is that it's the unique features of their devices that make them targets. The opposite is true: it's the features they have in common with other devices that make them targets. For instance, if they use Linux and its network software, then any attack on that software is an attack on their device. If that version of Linux gets broken into, then their devices get broken into.

But this applies to every piece of software and hardware in their device that touches data from the network. If they use a network chip that gets attacked, every attack on that chip is an attack on their device. If some string processing feature of the language they used in their device is attacked, their device is attacked.

Sure, this means those attackers can't take over the unique features of those devices, but that's not why most networked devices are attacked. They are attacked to use against more interesting targets. If they're in my house, they can scan my network for vulnerable computers. Even if they aren't on my network, they can be used by terrorists, governments and criminals to attack anyone or anything else on the internet. Those IoT companies may not care about that, but I do.

You won't add security later

The second fallacy is that they're going to add security later. All those standards I mentioned earlier that didn't deal with security? These days, those that have to have security are in one of two states.

Mostly, they've been replaced by new standards that had security designed in from the start. In some cases, the new standard is a secure wrapper around the old one. That wrapper means it uses a different port, a different URL scheme, and clients and servers for the two don't talk to each other. It makes it easier for one application to implement both, so it's more common for them to wind up in one application, but that's about the only difference between this kind of wrapping and a complete replacement.

The others are standards that had to stay backwards compatible. There aren't many of them, and they're still security nightmares, in spite of decades of the experts trying to secure them. You really expect a startup to do in a product cycle or two what the experts have failed to do in decades?

Bottom line

The insecurity of these devices is something to worry about, but not for the obvious reasons. The most likely way for someone to gain control of your smart thermostat to make your life miserable isn't by breaking into it directly, but by breaking into your network via one of the other unsecured devices on it, and using that to take over something on your network that the thermostat depends on for proper operation - a desktop computer it trusts, a router it uses to get firmware updates, and so on. Every insecure device on your network makes every networked device in your house less secure, and there are a lot of IoT devices wanting to be on your network.

The nasty problem is when they get combined into botnets. These are collections of internet-capable devices that are controlled by a single entity, and used to attack - well, whatever they want. These have gone from hundreds of thousands to millions of 'bots in a net over the last decade, and new ones are using tens of millions of IoT devices. These are mostly the more popular, less smart devices like video cameras, DVRs and routers. That's why some people promoting the IoT try and claim they aren't IoT devices. But they are "smart" things, containing computers that can access, and be accessed from, the Internet. Those are the baseline requirements for being an IoT device. And for being incorporated into a botnet. It's expected that as IoT devices get smarter and more popular, the size and frequency of botnets will go up by another order of magnitude. These can be used to shut down network services, which these days are critical parts of our infrastructure. They can also be used to shut down other infrastructure elements - power generation, financial systems, these days nearly anything, as nearly everything is connected to the internet. This should scare you.

There are some companies that have been publicly burned a time or two, sell devices expensive enough to have a software update process in place, and enough backing to afford to replace their processes with ones that were designed to be secure. I'd hope they were exceptions.

But I've been disappointed so often I no longer go looking. If you really have to have an IoT device of some kind, do yourself and everyone else on the internet the favor of asking them about their security. If you get an answer that sounds like they actually know what they're talking about, instead of one of the three answers I outlined here, please let me know.