What Makes IoT so Vulnerable to Attack?
Securing the Internet of Things is a major concern and a priority, but organizational capabilities to address the concerns aren't evolving as quickly as are connected products or the concerns themselves.
Let's review some of the main threats and why they're present in the first place.
Swiss Cheese Security
Companies are making connected devices fast, but they're leaving gaping holes in the form of default configuration, weak passwords and unidentified backdoors. Why? Says Yolonda Smith, director at Pwnie Express, an Outpost24 company, "These things are designed to be deployed quickly and security takes a backseat. Whoever makes it to market first wins the day." Cybersecurity Risks Intensify, a 2017 Forrester report, echoed that sentiment. "Firms are developing IoT firmware with open source components in a rush to market. Unfortunately, many are delivering these IoT solutions without good plans for updates, leaving them open to not only vulnerabilities but vulnerabilities security teams cannot remediate quickly. When smart thermostats alone exceed over 1 million devices, it’s not hard to imagine a vulnerability that easily exceeds the scale of Heartbleed, especially if multiple IoT solutions include the same open source component."
An inability to patch IoT firmware because the vendor didn't plan for over-the-air patching or because the device doesn't have reliable network connectivity is a serious cause for concern. And it's not just speed to market or the sheer number of devices that can lead to these holes being built right in, it's also regular old carelessness on the part of the manufacturer and the end user.
Rick Farina of Pwnie Express an Outpost24 company agrees. "Look at even non-intentional vulnerabilities. Look at Mirai, the big one. Here is, more or less, an SDK released for DVR and IP camera products, where people spent no effort to do silly things like change the default password. Even when people read the EULA for the smart TVs that said 'Don’t ever talk about anything private in front of this television, and please leave the room to do so, whether it’s on or off,' it had no effect on them.
"That's IoT in a nutshell. It's completed riddled with holes." And businesses are overlooking these vulnerabilities in exchange for the promise of accelerated business and market differentiation.
Default Configurations and Weak Encryption
In a 2017 Pwnie Express report, data culled from up to 74.5 million wireless devices and 86 million connections from different device types, total, told us what we already knew: companies have not stopped producing products with insecure default configurations. The default network from common routers “linksys” and “Netgear” were two of our top 10 most common “open default” wireless SSIDs (named networks), and the hotspot network built in for the configuration and setup of HP printers—“hpsetup”—is still near the top.
This lack of security is a true annoyance. As Sam Thielman wrote for The Guardian, referring to the Mirai botnet that brought about October 21 2016, "One frustration among researchers is that DDoS attacks such as the siege of the Dyn servers are digital warfare of the least intelligent kind. There’s no network breach, merely a host of insecure devices hijacked using simple methods such as scanning open networks for devices using factory-default passwords. The devices are then used to artificially increase traffic beyond a network’s capacity – the computer equivalent of calling every phone in an office building at once, repeatedly." In other words, simple attacks are enough, because these are simple vulnerabilities.
Aside from default configurations, inability to update and the ridiculous number of devices in the wild, vulnerabilities come from a variety of hidden areas, including:
- Stretched to the limit IT security teams
- Stretched to the limit budgets
- Lack of education for non-IT employees
- Poor encryption
The first three of these issues could be addressed by strong organizational direction, but the last is especially disconcerting, because the responsibility for IoT security it doesn't necessarily lie with your enterprise. Poor encryption is a massive and widespread issue.
Finally, though some manufacturers actually do manage to produce systems and devices which come off the production line with adequate security, that security doesn’t last forever. As we have seen with attacks such as WannaCry — where SMB version 1 was exploited — or with vulnerabilities such Heartbleed and ShellShock in which SSL and SSH were found to have lacking protections, security, like milk, rots. And like milk, measures taken for security purposes have an expiration date. Unlike milk, though, that expiration date isn’t taken into account when you purchase. This rot means that as security models evolve, so must the underlying supporting architecture. Devices that were meant to last for decades aren’t coming off of the line architected in a way that will allow them to remain secure for decades. This is particularly true for large, complex systems such as those found in industrial and medical environments.
With this information in mind, it's easy to see why vulnerabilities abound. And it's not just the presence of vulnerabilities that matters, but also the actual parts of your business that these vulnerabilities expose — parts that were never connected before. When budget and internal action doesn't match up to the fears of security professionals or the increase in product development as manufacturers race to market, there are more likely to be more security gaps in every organization — and those gaps will be of greater significance. They simply can't be covered by current spend.
What can happen, then, if the gap isn't closed? Read part 4 of our series here.