They say everything comes with a price. When it comes to the internet of things (IoT), the cost of convenience promised by these smart devices could be more than many users bargained for. The home network, router, online accounts and passwords… all are potentially vulnerable due to the lax security measures employed by many devices. Added to that, many of these devices are now being compromised and used to carry out large-scale web attacks. And yet if IoT manufacturers adopted better security practices, there’s no reason why the ‘internet of threats’ couldn’t be substantially reduced.
There are a number of ways these devices can be compromised. A common issue is poor configuration. Many vendors’ security designs rely on the assumption that the user will change the default security settings on their device, but often the user won’t bother at all. It’s here that the attacker has the advantage and can use the device to hop onto the home network. Products such as the wi-fi kettle and coffee machine have been shown to ‘leak’ the wi-fi pre-shared key (PSK), allowing an attacker within radio range to join the local network, potentially take it over, and go after user data such as email addresses and account log-ins.
Then there’s the mobile app itself used to control the device. Mobile app problems include no SSL/TLS encryption, passwords hardcoded within the app, or insecure storage in the app, any of which can enable the IoT device to be compromised. If that mobile app talks to the manufacturer’s web service and the connection is not properly secured, an attacker can intercept user data. For example, it’s common for manufacturers to encrypt the app’s traffic to make it harder to get at their database, but if the key for that encryption is included in plain text within the app, anyone who unpacks the app can recover it, bypass the mechanism and decrypt the traffic.
When it comes to web services, IoT devices can also be targeted using cross-site request forgery (CSRF): a malicious web page makes the user’s browser send a request to the device, and the device acts on it because the browser is sitting on the same local network and the device’s web interface doesn’t check where the request came from. This might be changing a setting on the device if it’s sitting on the LAN, or running some code on that device if there’s also a code-injection vulnerability in its web interface. A number of webcams, CCTV and DVR devices have been shown to be vulnerable to this attack, in some cases allowing cyber-criminals to harvest real-time images from inside the home.
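The attack just described, as an added example that is not from the original article: a hypothetical camera’s settings endpoint in Go, first as the ‘it’s only reachable on the LAN, so it’s safe’ handler and then hardened with an Origin check and a per-page token. The device, its address (192.168.1.20), the endpoint and the field names are assumptions; the Simulate helper plays the part of the victim’s browser, sending the request the way an `<img>` tag or an auto-submitting form on an attacker’s page would.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Camera is a hypothetical LAN device with one setting, the Wi-Fi network it joins.
// The device, address and endpoint are assumptions for this example, not a real product.
type Camera struct {
	SSID  string
	token string // CSRF token embedded in the device's own settings page as a hidden field
}

func NewCamera() *Camera {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return &Camera{SSID: "home-net", token: hex.EncodeToString(b)}
}

// Token is the value the device's legitimate settings page would put in its form.
func (c *Camera) Token() string { return c.token }

// VulnerableSettings is the usual "LAN-only" handler: any method, any origin, no token.
// An attacker's page on the internet triggers it with
// <img src="http://192.168.1.20/settings?ssid=..."> or an auto-submitting form,
// because the victim's browser sits on the LAN and makes the request for them.
func (c *Camera) VulnerableSettings(w http.ResponseWriter, r *http.Request) {
	if s := r.FormValue("ssid"); s != "" {
		c.SSID = s
	}
	w.WriteHeader(http.StatusOK)
}

// HardenedSettings accepts only a POST whose Origin/Referer matches the host the
// request was addressed to and which carries the token from the device's own page.
func (c *Camera) HardenedSettings(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	if !sameOrigin(r) {
		http.Error(w, "cross-site request rejected", http.StatusForbidden)
		return
	}
	if subtle.ConstantTimeCompare([]byte(r.FormValue("csrf_token")), []byte(c.token)) != 1 {
		http.Error(w, "missing or wrong CSRF token", http.StatusForbidden)
		return
	}
	if s := r.FormValue("ssid"); s != "" {
		c.SSID = s
	}
	w.WriteHeader(http.StatusOK)
}

// sameOrigin compares the browser-supplied Origin (or Referer) with the Host the request
// was sent to. Browsers attach Origin to every cross-site POST, so a state-changing
// request with neither header is treated as cross-site, not given the benefit of the doubt.
func sameOrigin(r *http.Request) bool {
	src := r.Header.Get("Origin")
	if src == "" {
		src = r.Header.Get("Referer")
	}
	u, err := url.Parse(src)
	if err != nil || u.Host == "" {
		return false
	}
	return strings.EqualFold(u.Host, r.Host)
}

// Simulate sends one request to a handler the way a browser would: a GET carries the
// fields in the query string (an <img> tag), a POST as a form body. origin is the
// Origin header the browser would attach, "" when it would send none.
func Simulate(h http.HandlerFunc, method, origin string, form url.Values) int {
	target, body := "http://192.168.1.20/settings", form.Encode()
	if method == http.MethodGet {
		target, body = target+"?"+body, ""
	}
	req := httptest.NewRequest(method, target, strings.NewReader(body))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	evil := url.Values{"ssid": {"attacker-net"}}
	c := NewCamera()
	fmt.Println("vulnerable, <img> GET from attacker page:", Simulate(c.VulnerableSettings, "GET", "", evil), c.SSID)
	c = NewCamera()
	fmt.Println("hardened, cross-site form POST:", Simulate(c.HardenedSettings, "POST", "http://evil.example", evil), c.SSID)
	good := url.Values{"ssid": {"new-net"}, "csrf_token": {c.Token()}}
	fmt.Println("hardened, device's own page:", Simulate(c.HardenedSettings, "POST", "http://192.168.1.20", good), c.SSID)
}
```

Two practitioner caveats: the Origin check compares against whatever Host the request arrived with, so a device should additionally reject requests whose Host is not its own address or name, which also closes off DNS rebinding; and if the device uses cookie sessions, marking the cookie SameSite gives a further layer that costs nothing.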
When it comes to the hardware and firmware itself, there are often functions left in place that users will never use, such as Telnet or hidden functionality in a web interface, and malware such as Mirai has been written to exploit these. Such services offer a convenient stepping point onto the device because they are often available to anyone on the LAN (which is also why flaws in web interfaces can be exploited with CSRF: the browser is simultaneously on the internet and on the LAN). Firmware is often neither encrypted nor signed, so the attacker can simply download it, unpack it, modify it and repack it; a device that doesn’t verify a signature before installing an update can then be made to download and run the attacker’s evil firmware. It’s worth being precise here: it is signing, not encryption, that stops a modified image being accepted. An unencrypted but properly signed image can’t be tampered with undetected, whereas encryption alone only delays an attacker who can pull the key out of the device.
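The unpack-and-repack attack from the last sentences, as an added example that is not from the article and not any vendor’s real format: a toy image layout in Go, a Repack step standing in for the attacker’s edit, and a device-side Install routine that either checks only a digest (the ‘not signed’ device) or also verifies an Ed25519 signature against a vendor key pinned at manufacture. The layout, the function names and the sample payload strings are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Illustrative image layout (an assumption for this example, not any vendor's format):
//   "FWIM" | uint32 BE payload length | payload | SHA-256(payload) | Ed25519 sig over "FWIM"|len|payload
const magic = "FWIM"

var (
	ErrBadImage  = errors.New("firmware: malformed image")
	ErrBadDigest = errors.New("firmware: digest mismatch")
	ErrBadSig    = errors.New("firmware: signature check failed")
)

// BuildImage is the vendor build step: pack the payload, sign header+payload, append digest and signature.
func BuildImage(priv ed25519.PrivateKey, payload []byte) []byte {
	var b bytes.Buffer
	b.WriteString(magic)
	binary.Write(&b, binary.BigEndian, uint32(len(payload)))
	b.Write(payload)
	sig := ed25519.Sign(priv, b.Bytes()) // covers magic, length and payload
	sum := sha256.Sum256(payload)
	b.Write(sum[:])
	b.Write(sig)
	return b.Bytes()
}

// parse splits an image into its fields, checking structure only.
func parse(img []byte) (signed, payload, digest, sig []byte, err error) {
	const trailer = sha256.Size + ed25519.SignatureSize
	if len(img) < 8+trailer || string(img[:4]) != magic {
		return nil, nil, nil, nil, ErrBadImage
	}
	n := int(binary.BigEndian.Uint32(img[4:8]))
	if len(img) != 8+n+trailer {
		return nil, nil, nil, nil, ErrBadImage
	}
	return img[:8+n], img[8 : 8+n], img[8+n : 8+n+sha256.Size], img[8+n+sha256.Size:], nil
}

// Install models the device's update path. With pub == nil it behaves like the typical
// device the article describes: the image is "checked" only by recomputing the digest,
// which anyone who can edit the file can also recompute. With the vendor public key
// pinned in the device at manufacture, the signature over header+payload must also verify.
func Install(pub ed25519.PublicKey, img []byte) ([]byte, error) {
	signed, payload, digest, sig, err := parse(img)
	if err != nil {
		return nil, err
	}
	if sum := sha256.Sum256(payload); !bytes.Equal(sum[:], digest) {
		return nil, ErrBadDigest
	}
	if pub != nil && !ed25519.Verify(pub, signed, sig) {
		return nil, ErrBadSig
	}
	return payload, nil
}

// Repack is the attacker's step from the article: unpack a downloaded image, swap in a
// new payload, fix the length and digest, and keep the old signature, since without the
// vendor's private key they cannot produce a new one.
func Repack(img, evil []byte) ([]byte, error) {
	_, _, _, sig, err := parse(img)
	if err != nil {
		return nil, err
	}
	var b bytes.Buffer
	b.WriteString(magic)
	binary.Write(&b, binary.BigEndian, uint32(len(evil)))
	b.Write(evil)
	sum := sha256.Sum256(evil)
	b.Write(sum[:])
	b.Write(sig)
	return b.Bytes(), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := BuildImage(priv, []byte("vendor firmware v1.2"))           // constructed sample payload
	tampered, _ := Repack(genuine, []byte("firmware with a hidden telnet root shell")) // constructed
	_, err := Install(nil, tampered)
	fmt.Println("digest-only device installs tampered image:", err == nil)
	_, err = Install(pub, tampered)
	fmt.Println("key-pinning device rejects it:", errors.Is(err, ErrBadSig))
	_, err = Install(pub, genuine)
	fmt.Println("key-pinning device accepts the vendor image:", err == nil)
}
```

The design point is where the key lives: the private key never leaves the vendor’s build system, and the device holds only the public key, ideally in storage the firmware itself cannot overwrite, so a compromised image can’t simply replace the key it will later be checked against.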
Within the confines of the home, IoT devices communicate over radio-frequency protocols such as wi-fi, Bluetooth, Zigbee and Z-Wave, all of which can be secure but can be abused if poorly implemented. If a device uses Bluetooth and has a default PIN (or no PIN at all), anyone within radio range can pair with it and take control. For example, both the My Friend Freddy Bear and My Friend Cayla interactive toys have no pairing PIN, making them susceptible to attack.
At this point, we’ve largely confined ourselves to consumer goods, but other smart systems are also vulnerable. For example, smart thermostats that allow heating and cooling appliances to be activated remotely by the user can also be taken over. A recent proof-of-concept showed how a smart thermostat could be loaded with ransomware, effectively forcing the user to pay a bitcoin ransom or see their heating bill soar. Another smart thermostat has an insecure update mechanism that allows an attack to be carried out remotely, with over 300,000 of that particular brand deployed.
Large IoT deployments are attracting the interest of cyber-criminals intent on harnessing that collective power. Several large-scale DDoS attacks in the latter part of 2016 were traced to botnets of IoT devices that had been infected through exposed Telnet ports, simply by logging in with the devices’ default credentials. These were used to carry out DDoS attacks on websites and internet companies, from KrebsOnSecurity to OVH and Dyn, with the attack on Dyn leaving web services such as Amazon and Twitter inaccessible. These attacks were unprecedented, with over one terabit per second (1Tbps) of traffic bombarding the targets at their peak; power that came from an army of IoT devices harvested using the Mirai malware.
It doesn’t take a great stretch of the imagination to conceive how IoT devices could be used to carry out widespread attacks in the future, with the end-game no longer being user credentials but mass extortion using ransomware or perhaps orchestrated blackouts using thermostats to ramp up power consumption. Addressing these security issues is therefore of the utmost urgency and yet the rollout of IoT devices continues unabated.
There is a complacency within the industry, which is under the misguided assumption that any vulnerabilities can be fixed later through over-the-air (OTA) updates. This assumes either that the user will comply and install the update or that an automatic update mechanism is in place. It doesn’t allow for the ‘fit and forget’ devices such as lightbulbs, thermostats and burglar alarms, which will either be deemed too low cost to warrant support or remain unpatched through inertia.
Neglect could see IoT manufacturers held to account by consumer groups and even sued. Lobbyists in several countries across Europe are criticising the My Friend Cayla doll, which is alleged to have compromised children’s privacy, for example. The question is whether culpability will stop there. How far down the chain will responsibility go for breaches of user privacy and user data? Could housing providers that roll out smart home-heating systems, for example, also be seen as culpable and be held to account? The only way to safeguard against this is to ensure cyber-liability insurance is in place to cover these contingencies and to demonstrate that due diligence was undertaken before the deployment of these technologies. Otherwise, that roll-out of smart IoT systems could cost you in the long run.
Ken Munro is a partner in Pen Test Partners.