When Bluetooth technology first came on to the scene, security savvy 'killjoys' were quick to point out the potential downsides. Bluetooth technology was less secure than WiFi, unencrypted data was vulnerable to interception and there were even fears that Bluetooth devices could be used to hack smartphones and use them in DDoS attacks.
Their warnings were drowned out. Vendors shouted only about the benefits of Bluetooth-enabled devices and buyers were more concerned about what they could do with their device than about what could be done to them as soon as their Bluetooth was turned on and their device set to discoverable. The fears of the experts have since turned out to be completely founded in fact.
Many of the same issues are now being raised by security experts with respect to internet-connected devices – the building blocks of the expanding Internet of Things (IoT). Will vendors and consumers listen this time?
The number and type of devices that can be connected to the internet grow day by day. Cars, TVs, refrigerators, webcams, wearables, virtual assistants (Alexa, Google Assistant, etc.), modems, network attached storage (NAS), smart locks, connected doors, the list goes on. Then there are the wave of smart business-related devices designed to improve productivity.
Despite the fact that the IoT has already been harnessed in several cyber-attacks, it appears that vendors and buyers alike are still not appreciating the importance of security.
It's all About the Money
Why is it so difficult to secure the Internet of Things? The simple fact is that building security into devices costs more and takes longer. Mass producing a product with one username/password combination is much cheaper and easier than creating unique credentials for each item. Creating a user interface for changing security details also takes up development time.
Speed is everything when it comes to getting into a new market and the vendor who spends an extra week on adding end-to-end encryption is likely to lose their spot to an army of less conscientious competitors.
More expensive technology and development time also means that devices become more costly to produce and prices have to go up to compensate. Cash conscious buyers then opt for cheaper, less secure alternatives.
The inevitable result is a flood of devices which are all but unsecured.
A Boon for the Cyber Criminal
It is no surprise that hackers from throughout the world are rubbing their hands as they prepare to exploit this situation for their own ends. Cybercriminals from at home and around the globe can hack into internet-connected devices and use them to conceal their real identities (and even country of origin) as they prepare to steal data or launch damaging DDoS attacks by connecting hacked devices together in programmable botnets.
A big concern is that hackers rarely need to be particularly advanced to build the type of IoT botnets capable of causing mass disruption. The three students behind the infamous Mirai botnet which took the eastern United States offline in 2016 “didn’t do anything high level,” according to the FBI while the Canadian hacker behind the 2017 Satori botnet infected half a million routers throughout the world despite being a hacking 'newbie.'
The commoditization of hacking software has made it easier than ever for cybercriminals to scale up their operations and there is even an online tool, called Shoden, which is routinely used to track internet-connected devices around the world from routers and security systems to webcams. This enables hackers to search for vulnerabilities which they can use to exploit and add devices to their networks.
If taking control of impersonal devices isn't bad enough, tools like Shoden can also enable visitors to view video content streamed using real-time streaming protocol (RTSP). This can include footage from home security cameras, webcams and even smart baby monitors.
Hackers looking to build botnets quickly learn where the low-hanging fruit – popular devices with poor security – is to be found.
For example AVTECH, a Taiwanese firm specializing in CCTV equipment, including a range of IoT connected devices, have been targeted by a hacker known by the name 'EliteLands'. According to media reports, EliteLands is building a botnet named 'Death.' The hacker has yet to reveal what its purpose is.
Urgent Action is Needed
Governments will eventually bring in regulation to strengthen IoT security while the best tech companies will continue to improve native security, patching and device IT support. Los Angeles politician Ted Lieu and senator Edward Markey of Massachusetts, for example, have introduced a bill – the Cyber Shield Act of 2017 – calling for IoT devices to carry labels as part of a voluntary scheme. They warn that the network of interconnected devices could become an 'Internet of Threats' and harm economic prosperity unless security is taken seriously.
However, this scheme would still be driven by market forces, requiring customers to wake up to the potential threats and make the decision to buy labeled devices – even if they cost a little more.
Meanwhile, big players such as Intel and ARM are starting to work together on IoT security for the good of the industry.
While waiting for regulation and development to happen, smart vendors should be taking a longer-term view of the market and ensure security is built in to their devices even if this does delay time to market. Stealing a march on the competition may bring short-term wins but companies who fail to pay any attention to security could go out of business overnight if their products are exploited.
Consumers also have a big role to play. They need to stop blindly trusting in the inherent security of devices and approach the purchase of IoT devices and Related IT services in the same way as they would a car or other high value item. That is, they should check how safe and secure the device is and be wary if the vendors avoid the question or try to downplay their fears.
On the other hand, they should consider whether they really need that all-singing, all-dancing device. A camera-assisted, internet-connected baby monitor may impress friends and neighbors but if port 554 is open to the web, that monitor could be drawing less welcome attention.
Despite warnings from IT specialists, failure to prioritize security when producing and purchasing IoT devices is presenting hackers with opportunities to launch serious attacks on computer networks. Even cybercriminals with limited experience and skill can make use of easily available tools to locate and exploit vulnerable devices.
The rush to get products to market at competitive prices is a big factor in the spread of poorly secured IoT devices. Customers are also looking to get the most functionality at the lowest prices.
There are signs that politicians and the big players are beginning to address the issue of securing the IoT but will they move quickly and decisively enough? Unless security is placed at the heart of the IoT, we risk repeating the mistakes of the past – albeit on a much, much larger scale.
Brent Whitfield is the CEO of DCG Technical Solutions Inc. located in Los Angeles, CA since 1993. DCG provides IT Consulting for Los Angeles area businesses who need to remain competitive and productive, while being sensitive to limited IT budgets. Brent writes & blogs frequently and has been featured in Fast Company, CNBC, Network Computing, Reuters, and Yahoo Business. https://www.dcgla.com was recognized among the Top 10 Fastest Growing MSPs in North America by MSP Mentor. Because of Brent's experience as an MSP, he is actively serving on partner advisory councils for many of the major MSP vendors providing backup, RMM, and software to the market. He also leads SMBTN - Los Angeles, a MSP peer group that focuses on continuing education for MSP's and IT professionals.
On the Web
- The story of the hackers behind the Mirai botnet: https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/
- The story of the hacker behind the Satori botnet: https://krebsonsecurity.com/2018/09/alleged-satori-iot-botnet-operator-sought-media-spotlight-got-indicted/
- News report on the agreement made between Intel and ARM on IoT security: https://www.channelnewsasia.com/news/technology/rivals-arm-and-intel-make-peace-to-secure-internet-of-things-10830596
- News report on the proposed Cyber Shield Act of 2017: https://www.networkworld.com/article/3235518/internet-of-things/is-the-u-s-finally-about-to-take-iot-security-seriously.html