I don’t believe the “Internet of Things” is a new technology. To me, “IoT” means the proliferation of Internet-connected embedded systems. This class of devices has been around for decades.
What is new, in my opinion, is the volume of innovation and new applications of this technology. Innovation is a good thing. Security and safety are good things, too. But security and safety are generally bolted on after we innovate. And when are we ever done innovating?
We can’t expect IooT vendors to produce 100% safe and secure devices.
But we should hold them accountable for striking an appropriate balance between effectiveness and safety. How about applying the 80/20 rule as a start?
If we assume that 80% of attacks will be “casual,” let’s stop those first. Stopping the casual/unsophisticated attacks first is important, because as we’ve seen in our last two years of private research, low-hanging fruit vulnerabilities can lead to severe compromise. Including the compromise of entire populations of devices (via insecure firmware update mechanisms, for example).
“We don’t do anything for security unless our customers ask us to.” - un-named IoT vendor/manufacturer
We’ve looked at consumer and enterprise grade devices from wearables and vehicle trackers, to cellular-enabled enterprise grade wireless routers. We’ve also had the opportunity to leverage our research during routine external network penetration tests we’ve performed for clients. In a few cases, low-hanging fruit IoT vulnerabilities have provided entry points for attacks that resulted in us gaining Domain Admin privs on enterprise networks.
We’re only disclosing a small portion of our work. Our first public disclosure was made by US-CERT last week: https://www.kb.cert.org/vuls/id/573848
Vulnerabilities described in the bulletin include:
- Use of Hard-Coded Cryptographic Keys
- Improper Verification of Cryptographic Signatures (on firmware updates)
- OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities (device runs Android OS 2.2.1)
I’ll end this post with a question: what economics are at play that result in embedded systems shipping with easily preventable “low hanging fruit” vulnerabilities?
Mike Zusman is the founder of Carve Systems, information security consultancy.